SSRF

After getting access to the environment and doing basic enumeration of a cloud container, I discovered it is vulnerable to SSRF. Notice in figure 1-1 a directory named metadata-db, which possibly has sensitive information stored in it.

Figure 1-1

In figure 1-2 there’s a directory named latest, which could refer to a version of the container or to something involving a metadata update.

Figure 1-2

The highlighted text in figure 1-3 shows a directory named secrets, which could contain secret keys for the container that would give full control of it.

Figure 1-3

Figure 1-4

After I entered the kubernetes-goat file, which I found as shown in figure 1-4, we get the hash of the container, which is shown in figure 1-5.

Figure 1-5

We can also echo the hash found in the kubernetes-goat file and decrypt it to make it readable.

Save it for further exploitation if we so choose.

Figure 1-6

How to prevent SSRF in the cloud

OWASP has a great resource with suggestions to prevent hackers from getting data or full control of your cloud environments.
https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_(SSRF)/
