Getting the hints
To get the hints we need to talk to Noxious O. D’or, who asks us to do the IMDS Exploration terminal. Let’s do it!
The following is the result of all the commands we are asked to run:
Once done, we get this nice screen and some hints!
According to the hints we got from Noxious O. D’or, this will be about performing an SSRF combined with IMDS queries to get the secret token.
High-level site check-up
Let’s start with a high-level check-up of the hiring website.
Nothing exceptionally interesting on this page. Let’s click on Apply Now.
Things seem to be more interesting here. Let’s fill everything in and check what happens.
Well, nothing special, except the image in the middle that cannot be displayed. When inspecting this image element, I found that it is named after the name we put in the form (sunhak in this case), which is nice to keep in mind.
Going more in depth
I started by testing for XSS/SQLi but didn’t find anything. I also played a bit with the file input, but nothing. I then went back to the hint and understood that the input I need to focus on is the URL. So I put as the URL a server that I manage, to see if it is directly requested or if I need to do more crafting in order to get it requested. The result was that it is directly requested when the form is submitted, which is great!
So we now know that we can put in the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/[role_name], which we saw in the hint terminal, in order to get the secret access key.
Now, the only missing part is how to retrieve the result. I spent some time understanding that I need to check that image which is not displayed. I did it, and realized that it is not an image but a text file, as you can see in the following screenshot.
When I checked the content, I found out that it contains the result of requesting the input URL. So what we need to do now is to get the role_name by requesting http://169.254.169.254/latest/meta-data and then get the secret access key by requesting http://169.254.169.254/latest/meta-data/iam/security-credentials/[role_name].
Getting the role name
We submit this form and download the image. Then we check its content:
As you can see, the role name is jf-deply-role!
Getting the secret access key
So our final URL is http://169.254.169.254/latest/meta-data/iam/security-credentials/jf-deply-role! We submit a new form with this URL, download the image and check its content:
The answer is CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX!
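The whole chain above works because the hiring site fetches whatever URL the applicant types in and hands the response body back. The check that would have closed it is shown below as an added example; it is not code from the challenge or from the write-up. Before the server fetches a user-supplied URL, it parses the URL, resolves the host, and refuses anything that lands on the instance metadata service (169.254.169.254, fd00:ec2::254), link-local, loopback or private ranges. The resolver is injectable so the example runs offline; `_resolve_stub`, `_FAKE_DNS` and the addresses in it are constructed for this example, and `check_url` is a hypothetical name.

```python
"""Defensive SSRF guard for a "fetch this URL" form field (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve_real(host):
    # Every address the fetcher could connect to (A and AAAA records).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS table so the demo runs offline (not real records).
_FAKE_DNS = {
    "metadata.internal.example": {"169.254.169.254"},       # alias for IMDS
    "www.example.com": {"93.184.216.34"},                   # a public address
    "rebind.example": {"93.184.216.34", "127.0.0.1"},       # mixed answer
}


def _resolve_stub(host):
    if host not in _FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return _FAKE_DNS[host]


def _is_blocked(addr):
    """True for any address a server-side fetch must never reach."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.169.254 as its IPv4 form
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolve=_resolve_real):
    """Return (ok, reason). ok is True only when the scheme is http(s) and
    every address the host resolves to is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # Literal IP: no DNS needed, check it directly.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        # Hostname: resolve first, then judge the addresses, so odd host
        # spellings are normalised by the resolver rather than by us.
        try:
            addrs = set(resolve(host))
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolved to nothing"
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "http://169.254.169.254/latest/meta-data/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://metadata.internal.example/",
        "http://rebind.example/",
        "https://www.example.com/logo.png",
    ):
        ok, why = check_url(candidate, resolve=_resolve_stub)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {candidate}  ({why})")
```

The check must run on the address actually connected to, so the fetcher should also disable automatic redirects (or re-run `check_url` on every hop), otherwise a public host that 302s to the metadata address slips through. Independently of the application fix, requiring IMDSv2 on the instance means a plain GET relayed by the web app gets no credentials: IMDSv2 only answers with a session token that the caller must first obtain via a PUT request.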