11.2 Lab: Exploiting XXE to perform SSRF attacks | 2023

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, http://169.254.169.254/. To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access key from the EC2 metadata endpoint.

Karthikeyan Nagaraj
2 min read · Oct 3, 2023

Description

This lab has a “Check stock” feature that parses XML input and returns any unexpected values in the response.

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server’s IAM secret access key from the EC2 metadata endpoint.

Solution

  1. Visit a product page, click “Check stock”, and intercept the resulting POST request in Burp Suite.
  2. Insert the following external entity definition in between the XML declaration and the stockCheck element:

  3. Replace the productId number with &xxe;.
  4. This references the entity defined in the payload, and the response displays the /etc/passwd contents.
  5. The response now contains a word or path segment.
  6. Append that path to the end of the URL (for example, http://169.254.169.254/latest) in Repeater and repeat the process until you reach the secret key.

Repeat the request, appending the path found in each response:

  1. http://169.254.169.254/
  2. http://169.254.169.254/latest/
  3. http://169.254.169.254/latest/meta-data/
  4. http://169.254.169.254/latest/meta-data/iam/
  5. http://169.254.169.254/latest/meta-data/iam/security-credentials/
  6. http://169.254.169.254/latest/meta-data/iam/security-credentials/admin
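The chain above works only because the stock-check parser honours an inline DTD and the server will fetch whatever URL the entity names. The following is an added example (not the lab's or the author's code) of the two server-side checks that break that chain: a gate that rejects any XML body carrying a DOCTYPE or ENTITY declaration before it reaches a parser, and an egress guard that refuses server-side fetches aimed at link-local, loopback or private addresses, including the metadata address 169.254.169.254. The request bodies, hostnames and resolver stubs are constructed for this example; the element names stockCheck and productId follow the lab's request format.

```python
"""Added example (not the lab's or the author's code): two defensive checks
that break the XXE-to-SSRF chain this write-up walks through.

  * has_dtd() / parse_stock_check(): refuse any "Check stock" body that
    carries a DOCTYPE or ENTITY declaration before it reaches an XML parser.
    Without a DTD there is no way to define an entity such as &xxe;.
  * is_blocked_egress_url(): a guard for any server-side fetch that denies
    link-local, loopback and private targets, including the EC2 metadata
    address 169.254.169.254 used in the lab.

All sample inputs here are constructed for the example.
"""
import ipaddress
import re
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Case-insensitive so "<!doctype" is caught as well as "<!DOCTYPE".
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed stand-ins for the lab's stock-check request: a normal one, and
# one shaped like the write-up's payload (an entity pointing at the IMDS URL).
BENIGN_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
                  b"<stockCheck><productId>1</productId>"
                  b"<storeId>1</storeId></stockCheck>")
XXE_SHAPED_REQUEST = (b'<?xml version="1.0" encoding="UTF-8"?>'
                      b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://169.254.169.254/">]>'
                      b"<stockCheck><productId>&xxe;</productId>"
                      b"<storeId>1</storeId></stockCheck>")


def has_dtd(body: bytes) -> bool:
    """True if the body declares a DTD/entity, or uses a wide encoding.

    UTF-16/32 bodies contain NUL bytes; they would hide the ASCII marker
    from the regex while an XML parser would still honour the DTD, so any
    NUL byte is treated as a rejection as well.
    """
    return b"\x00" in body or _DTD_MARKER.search(body) is not None


def parse_stock_check(body: bytes) -> int:
    """Return the productId from a stock-check body, or raise ValueError."""
    if has_dtd(body):
        raise ValueError("DTD/ENTITY declarations are not accepted")
    root = ET.fromstring(body)   # stdlib parser; the gate above already ran
    if root.tag != "stockCheck":
        raise ValueError("unexpected root element %r" % root.tag)
    product = (root.findtext("productId") or "").strip()
    if not product.isdigit():
        raise ValueError("productId must be a non-negative integer")
    return int(product)


def _is_internal(addr) -> bool:
    """Internal = any address a public web app should not be proxied into."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped      # ::ffff:169.254.169.254 -> 169.254.169.254
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_blocked_egress_url(url: str, resolve=socket.gethostbyname) -> bool:
    """True if a server-side fetch of `url` must be refused.

    `resolve` maps a hostname to an IP string; the default performs a real
    DNS lookup, and tests can pass a stub. Fails closed on anything that
    cannot be parsed or resolved.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True                  # file://, gopher://, empty host ...
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:               # not an IP literal: resolve it first
        try:
            addr = ipaddress.ip_address(resolve(parts.hostname))
        except (OSError, ValueError):
            return True
    return _is_internal(addr)


if __name__ == "__main__":
    print(parse_stock_check(BENIGN_REQUEST))                                  # 1
    print(has_dtd(XXE_SHAPED_REQUEST))                                        # True
    print(is_blocked_egress_url("http://169.254.169.254/latest/meta-data/"))  # True
```

Two design points worth noting. The DTD gate runs on the raw bytes before any parser sees them, because parser-level switches differ per library and are easy to leave at their defaults; rejecting the declaration outright is the simplest policy that holds across parsers. The egress guard resolves a hostname and checks the resulting address, but the fetch that follows must connect to that same resolved address rather than resolving again, otherwise a DNS answer that changes between check and fetch would slip past the guard.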

If you would like to support me so that I could create more free content — https://www.buymeacoffee.com/cyberw1ng

Thank you for Reading!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials
