Prompt
We have found what appears to be a server displaying metadata about a cloud service. Can you find out more information?
Walk-Through
This challenge involves querying the server’s AWS Instance Metadata Service. The instance metadata service is available on all AWS EC2 instances (EC2 is AWS’s virtual machine product offering) and is implemented as a basic HTTP server. To access the service and retrieve the metadata, make HTTP requests to the endpoints listed in the instance metadata service documentation. The full list of endpoints is available at: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
Port scanning tools such as nmap are not required for this challenge. You may wish to use nmap as an initial recon tool, rather than a solution tool. A service detection scan with nmap may be perceived as a “noisy” scan by a network defender, because nmap generates a lot of requests against the target/network and may trigger alarms on the target network.
How to Identify That This Is an AWS Instance Metadata Service
To find out that this is the AWS instance metadata service, start by entering the hostname and port number provided for this challenge in your web browser’s address bar.
The text returned from the server may indicate a potential path for you to follow in the URL scheme. Append the returned text, latest, to the URL and make another request.
After conducting a search query, browse through some of the AWS instance metadata service documentation, particularly:
There you will find information on how to access the instance metadata. Try to access the endpoint by appending meta-data to your URL, e.g. http://[hostname]:[port]/latest/meta-data, and see what other endpoints exist.
Guide
To make a request to retrieve the metadata, you can either use your browser as the HTTP client and type the URL into the browser’s address bar (as you have been doing up to this point), or use a command line HTTP client such as curl.
The request URL should be structured as http://[hostname]:[port]/latest/meta-data/[endpoint]. In this case the hostname and port are provided to you in the challenge and the endpoint would be the “Category” column in the AWS instance metadata documentation page.
This service helps AWS system administrators identify the properties and traits of an AWS EC2 instance, enabling programmatic administration or process automation.
Useful resources for this challenge:
- Access instance metadata for an EC2 instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
- What is an Amazon EC2? : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
Questions
1. What availability zone is this instance hosted in?
Access the placement/availability-zone endpoint
2. What is the security credentials role named?
Access the iam/security-credentials endpoint
3. What is the instance type being used?
Access the instance-type endpoint
4. What is the operating system name and version number?
Access the ami-id endpoint first, then look up the ID on Google, which should show you that it’s an Ubuntu AMI ID. You can verify this on https://cloud-images.ubuntu.com/locator/ec2/
5. What is the flag?
This is the most challenging question as it will require you to scan and enumerate all the possible endpoints until you find something that shows a flag. As you scan through all the endpoints, you may reach the network/interfaces/macs endpoint which will print out the MAC address of the network interface on the machine. From there, continue to access the endpoint using network/interfaces/macs/[mac address] and enumerate all the possible additional endpoints from there until you reach network/interfaces/macs/[mac address]/vpc-ipv4-cidr-blocks which is hosting a hidden flag.
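The enumeration described above can be automated. The following is an added example, not part of the original walk-through or of Cyber Skyline's materials: a recursive walker over the metadata tree. It assumes the listing convention of one entry per line with a trailing "/" marking a subdirectory, and it is exercised against a constructed sample tree with placeholder values; walk, http_fetch, NAMES_ONLY and SAMPLE are names made up for this sketch. Entries under iam/security-credentials are recorded by name only, because each value there is a set of temporary credentials for the role.

```python
import urllib.request

ROOT = "latest/meta-data/"
# Listed by name only: each value here is a set of temporary credentials for that role.
NAMES_ONLY = (ROOT + "iam/security-credentials/",)

def http_fetch(base_url):
    """Build fetch(path) -> body text, or None on any HTTP or network error."""
    def fetch(path):
        try:
            with urllib.request.urlopen(f"{base_url.rstrip('/')}/{path}", timeout=5) as r:
                return r.read().decode("utf-8", "replace")
        except OSError:  # URLError and HTTPError are OSError subclasses
            return None
    return fetch

def walk(fetch, path=ROOT, max_depth=8):
    """Return {leaf_path: value} for everything below a directory path.
    Assumed listing convention: one entry per line, a trailing "/" marks a
    subdirectory, anything else is a leaf whose value is one more GET away.
    """
    found = {}
    listing = fetch(path) if max_depth >= 0 else None
    for entry in (listing or "").split():
        child = path + entry
        if entry.endswith("/"):
            found.update(walk(fetch, child, max_depth - 1))
        elif path.startswith(NAMES_ONLY):
            found[child] = "<not fetched>"
        else:
            found[child] = fetch(child)
    return found

# Constructed sample tree with placeholder values (not the challenge server's data).
MAC = ROOT + "network/interfaces/macs/02:00:00:00:00:01/"
SAMPLE = {
    ROOT: "ami-id\niam/\nnetwork/\nplacement/",
    ROOT + "ami-id": "ami-EXAMPLE",
    ROOT + "iam/": "security-credentials/",
    ROOT + "iam/security-credentials/": "example-role",
    ROOT + "network/": "interfaces/",
    ROOT + "network/interfaces/": "macs/",
    ROOT + "network/interfaces/macs/": "02:00:00:00:00:01/",
    MAC: "vpc-ipv4-cidr-blocks",
    MAC + "vpc-ipv4-cidr-blocks": "10.0.0.0/16",
    ROOT + "placement/": "availability-zone",
    ROOT + "placement/availability-zone": "example-az",
}
# Offline: walk(SAMPLE.get)   Live: walk(http_fetch("http://[hostname]:[port]"))
```

Against the sample tree, walk(SAMPLE.get) returns four leaf paths, including the one nested under the MAC address directory that a top-level listing alone would not reveal.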
©️ 2026 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.