Metadata

Prompt

We have found what appears to be a server displaying metadata about a cloud service. Can you find out more information?

Walk-Through

This challenge involves querying the server’s AWS Instance Metadata Service. The instance metadata service runs on every AWS EC2 (their virtual machine product offering) instance and is implemented as a basic HTTP server. To access the service and retrieve the metadata, make HTTP requests to the endpoints documented in the instance metadata service documentation. The full list of endpoints is available via: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html

Intuition for Service Discovery

In order to find out that this is the AWS instance metadata service, you can navigate to the hostname and port number provided simply using your web browser, just to see whether it is a web server or not, and you’ll see that it serves only the plain text:

latest

This indicates that this is indeed an HTTP web server of some variety. The text returned from the server may indicate a potential path for you to follow in the URL scheme. So from here, if you append the returned text latest to the URL and make another request, you’ll get a response with the following list:

dynamic
meta-data
user-data

From here, if you run a Google query for these three keywords, you’ll find that some of the top search results refer to the AWS documentation pages for the AWS instance metadata service. You can try to access the meta-data endpoint by appending it once again to your URL, e.g. http://[hostname]:[port]/latest/meta-data, and see what other endpoints exist.

Port scanning tools such as nmap are not required for this challenge; you may wish to use nmap as an initial recon tool rather than as a solution tool. Of note, a service detection scan with nmap may be perceived as a very “noisy” scan by a network defender, as nmap generates a lot of requests against the target/network and may trigger alarms on the target network.

🚨
If you are contracted as a network penetration tester by a company, you generally want to operate stealthily and fly under the radar of the network defenders. If you are noticed by the target’s Security Operations Center (SOC) team, you may be blocked by the SOC which would negatively impact your ability to conduct your contracted penetration test.

Retrieving Metadata

To make a request to retrieve the metadata, you can use either your browser as the HTTP client and type the URL into the browser’s address bar, or you can use a command line HTTP client such as curl.

The request URL should be structured as http://[hostname]:[port]/latest/meta-data/[endpoint] per the AWS guide on how to retrieve the instance metadata. In this case the hostname and port are provided to you in the challenge, and the endpoint is one of the values in the “Category” column of the AWS instance metadata documentation page.

This service helps AWS system administrators identify the properties and traits of an AWS EC2 instance, enabling programmatic administration or process automation.

Questions

What availability zone is this instance hosted in?

Access the placement/availability-zone endpoint

What is the security credentials role named?

Access the iam/security-credentials endpoint

What is the instance type being used?

Access the instance-type endpoint

What is the operating system name and version number?

Access the ami-id endpoint first, then from there, look up the ID on Google which should show you that it’s an Ubuntu AMI ID which you can verify on https://cloud-images.ubuntu.com/locator/ec2/

What is the flag?

This is the most challenging question as it will require you to scan and enumerate all the possible endpoints until you find something that shows a flag. As you scan through all the endpoints, you may reach the network/interfaces/macs endpoint which will print out the MAC address of the network interface on the machine. From there, continue to access the endpoint using network/interfaces/macs/[mac address] and enumerate all the possible additional endpoints from there until you reach network/interfaces/macs/[mac address]/vpc-ipv4-cidr-blocks which is hosting a hidden flag.
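The enumeration described in the last answer, automated as a small walker over the meta-data tree. This is an added example, not part of the Cyber Skyline write-up; the hostname and port are placeholders for the challenge values, and the sample tree is constructed so the script runs offline.

```python
import urllib.error, urllib.request
from typing import Callable, Dict, Optional

# Listed but not descended into: iam/security-credentials/ lists the role name the question asks for; below it is a live credential body.
NO_DESCEND = ("iam/security-credentials/",)

def http_get(url: str) -> Optional[str]:
    """Plain GET as in the walkthrough; None on an HTTP error such as 404."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return None

def walk_metadata(base: str, path: str = "",
                  fetch: Callable[[str], Optional[str]] = http_get) -> Dict[str, str]:
    """Return {relative path: value} for every leaf under the meta-data root.
    Below /latest/meta-data/ a listing marks each sub-directory with a trailing "/"."""
    body = fetch(base + path)
    found: Dict[str, str] = {}
    if body is None:
        return found
    if not (path == "" or path.endswith("/")) or path in NO_DESCEND:
        found[path] = body.strip()          # leaf value (or an un-descended listing)
        return found
    for entry in body.splitlines():         # directory listing, one entry per line
        if entry.strip():
            found.update(walk_metadata(base, path + entry.strip(), fetch))
    return found

# Constructed sample tree standing in for the challenge server; host/port are placeholders.
ROOT = "http://[hostname]:[port]/latest/meta-data/"
SAMPLE = {
    "": "ami-id\ninstance-type\niam/\nnetwork/\nplacement/",
    "ami-id": "ami-0123456789abcdef0",  # constructed value, not a real AMI
    "instance-type": "t2.micro",
    "iam/": "info\nsecurity-credentials/",
    "iam/security-credentials/": "demo-role",
    "network/": "interfaces/",
    "network/interfaces/": "macs/",
    "network/interfaces/macs/": "02:00:00:00:00:01/",
    "network/interfaces/macs/02:00:00:00:00:01/": "vpc-ipv4-cidr-blocks",
    "network/interfaces/macs/02:00:00:00:00:01/vpc-ipv4-cidr-blocks": "10.0.0.0/16",
    "placement/": "availability-zone",
    "placement/availability-zone": "us-east-1a",
}

def demo() -> Dict[str, str]:
    """Walk the constructed tree offline; pass fetch=http_get to query a real server."""
    return walk_metadata(ROOT, fetch=lambda url: SAMPLE.get(url[len(ROOT):]))
```

A real EC2 instance that enforces IMDSv2 answers these plain GETs with 401 until a session token has been obtained, so on a hardened instance the same walk would first need the token header; the challenge server answers plain GETs as the walkthrough shows.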

©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.