SSRF (Server-Side Request Forgery) has become a go-to attack in cloud-native environments. In this scenario we will see how an application vulnerability like SSRF can be exploited to gain access to cloud instance metadata as well as metadata exposed by internal services.
- To get started with the scenario, navigate to http://127.0.0.1:1232
Based on the description, we know that this application is possibly vulnerable to SSRF. Let's go ahead and access the default instance metadata service at 169.254.169.254. Identify which cloud provider the service is running on, then use that provider's specific headers and queries.
- Let's also run it and see which ports are listening within the same pod/container. The endpoint is
- Now we can see that there is an internal-only service exposed within the cluster called
- After enumerating through all the key values, we finally identified the flag at
- Then decoding the base64 returns the flag as
```bash
echo -n "azhzLWdvYXQtY2E5MGVmODVkYjdhNWFlZjAxOThkMDJmYjBkZjljYWI=" | base64 -d
```
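The mitigation side of this scenario, as an added example that is not part of the original scenario: a validator an application can run on user-supplied URLs before fetching them, rejecting targets that would let an SSRF reach the instance metadata service (169.254.169.254) or cluster-internal addresses. The network list and the `validate_outbound_url` name are assumptions of this example, not from the scenario.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed block list: link-local (incl. 169.254.169.254 metadata), RFC 1918,
# loopback, carrier-grade NAT and the IPv6 equivalents. Adjust to the deployment.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]

def is_blocked_ip(ip_str):
    """True if the address falls in a blocked range; raises ValueError if not an IP."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must not slip past the IPv4 list
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). Resolves hostnames and checks every returned address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literal (IPv4, IPv6 in brackets, or IPv4-mapped IPv6): check directly.
        if is_blocked_ip(host):
            return False, "literal IP in blocked range"
        return True, "ok"
    except ValueError:
        pass  # a hostname, not an IP literal; resolve it below
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "DNS resolution failed"
    for info in infos:
        if is_blocked_ip(info[4][0]):
            return False, "resolves to blocked address"
    return True, "ok"
```

Because DNS can change between this check and the connect (rebinding), the fetch should reuse the validated address rather than resolving the hostname a second time.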