SSRF to Pwned on AWS

Hac

20 Dec 202316:56

Summary

TLDRIn this video, the presenter, Hack, explores a Server-Side Request Forgery (SSRF) challenge from B-Lab. He demonstrates how to exploit an SSRF vulnerability to access internal resources, including AWS S3 buckets. Hack uses various techniques such as modifying the host file, running nmap scans, and leveraging AWS CLI commands. He eventually retrieves AWS credentials from metadata and successfully lists the contents of an S3 bucket, uncovering sensitive information like credit card details. The video serves as a cautionary tale about the potential risks of SSRF and the importance of securing cloud services.

Takeaways

😀 The video is a tutorial on exploiting Server-Side Request Forgery (SSRF) vulnerabilities.
🔍 The presenter demonstrates how to use an IP address to redirect to a target domain and suggests editing the hosts file for easier access.
💻 The use of nmap is highlighted for scanning open ports on the target IP while exploring the website.
🔗 The discovery of an S3 bucket and the attempt to list its contents is a key step in the process.
🚀 The video shows how to use 'curl' and AWS CLI commands to interact with the S3 bucket, despite initial failures.
🔑 The presenter finds AWS access credentials through SSRF by accessing metadata and user data, which is a significant security risk.
🔍 The process of obtaining a session token and configuring AWS CLI with the found credentials is detailed.
📁 The video concludes with the successful listing of files in an S3 bucket and the discovery of sensitive information like credit card details (which are noted to be fake for demonstration).
💡 A key lesson is that SSRF can be used not only to access internal applications but also to extract sensitive data from cloud metadata.
👋 The presenter emphasizes the importance of securing cloud environments, especially when it comes to AWS, and thanks the viewers for watching.

Q & A

What is the main focus of the video?
-The main focus of the video is to demonstrate a Server-Side Request Forgery (SSRF) attack on a web application, specifically targeting an AWS S3 bucket.
What is the initial step suggested in the video to simulate the target environment?
-The initial step suggested is to edit the host file to add the IP address with the domain name, which simulates the target environment.
What tool is used in the video to scan the target IP?
-The tool used to scan the target IP is Nmap, which is run in the background while exploring the website.
What does the video suggest to do while the Nmap scan is running?
-While the Nmap scan is running, the video suggests exploring the website to look for potential vulnerabilities or interesting endpoints.
What interesting file is found during the website exploration?
-During the website exploration, 'status.php' is found, which seems to be a URL that might be used for internal checks or pinging services.
What is the significance of the 'A3 Bucket' found in the video?
-The 'A3 Bucket' found is significant because it indicates a publicly accessible AWS S3 bucket, which might contain sensitive information.
What is the potential risk of the publicly accessible AWS S3 bucket as discussed in the video?
-The potential risk of the publicly accessible AWS S3 bucket is that it might contain sensitive data such as credit card details, internal application configurations, or other confidential information.
How does the video attempt to exploit the SSRF vulnerability?
-The video attempts to exploit the SSRF vulnerability by using the 'status.php' endpoint to make requests to various URLs, including internal services and the AWS metadata service.
What AWS CLI command is used in the video to list the contents of the S3 bucket?
-The AWS CLI command used to list the contents of the S3 bucket is 'aws s3 ls'.
What is the importance of obtaining AWS credentials as shown in the video?
-Obtaining AWS credentials is important because it allows the attacker to perform actions on AWS resources, such as listing and downloading files from S3 buckets, which can lead to data breaches.
What is the final outcome of the video in terms of exploiting the SSRF vulnerability?
-The final outcome of the video is successful exploitation of the SSRF vulnerability, leading to the discovery of sensitive information in the AWS S3 bucket and the extraction of AWS credentials.