Userdata

How does one read the identity metadata service in an SSRF attack? We can use the following URL format to query the identity metadata service for userdata:

http://169.254.169.254/latest/user-data

This URL returns the userdata if it exists. If it does not exist, the service returns a 404. The scripts found there sometimes contain passwords. For example, take the following script:

curl --user sec588:sec588 http://www.targetsite.com/

Here we have a username and password in clear text! We have also found other interesting strings. For example, if Elastic Kubernetes Service is in use but you do not know the External API Name, querying the userdata of a worker node will reveal it. Below is an example of such a script. Notice that both the valid base64-encoded certificate and the API IP will be known to you, the attacker, if you can read userdata.

#!/bin/bash
set -ex
B64_CLUSTER_CA=LpNKQo=
API_SERVER_URL=https://E4E62651A988575B6D08D123576B5330.gr7.us-east-1.eks.amazonaws.com
K8S_CLUSTER_DNS_IP=172.20.0.10
/etc/eks/bootstrap.sh
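The following is an added example, not part of the original page: a small auditor that a defender could run over the userdata of their own instances to flag the kinds of strings shown above before an SSRF exposes them. The rule names, severities and sample input are assumptions constructed for illustration, and the example goes slightly beyond the page by also flagging URL-embedded credentials and secret-looking variable assignments.

```python
import re

# Illustrative rules (assumptions), modelled on the strings shown on this page.
# Each entry: (rule name, severity, pattern whose last group is the sensitive value).
RULES = [
    ("curl-basic-auth", "high",
     re.compile(r"\bcurl\b[^\n]*?(?:--user|-u)[ =]+(\S+?):(\S+)")),
    ("url-embedded-credentials", "high",
     re.compile(r"https?://([^\s/:@]+):([^\s/@]+)@")),
    ("secret-assignment", "high",
     re.compile(r"(?i)\b\w*(?:passw(?:or)?d|secret|token)\w*\s*=\s*(\S+)")),
    ("eks-cluster-ca", "info", re.compile(r"\bB64_CLUSTER_CA=(\S+)")),
    ("eks-api-endpoint", "info", re.compile(r"\bAPI_SERVER_URL=(\S+)")),
]

# Constructed sample userdata; the cluster hostname is a placeholder.
SAMPLE_USERDATA = """#!/bin/bash
set -ex
curl --user sec588:sec588 http://www.targetsite.com/
B64_CLUSTER_CA=LpNKQo=
API_SERVER_URL=https://EXAMPLECLUSTERID.gr7.us-east-1.eks.amazonaws.com
K8S_CLUSTER_DNS_IP=172.20.0.10
/etc/eks/bootstrap.sh
"""

def redact(value, keep=2):
    """Keep a short prefix so the audit report does not re-leak the value."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_userdata(text):
    """Return (line_number, rule, severity, redacted_value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            match = pattern.search(line)
            if match:
                value = match.group(match.lastindex)
                findings.append((lineno, name, severity, redact(value)))
    return findings

if __name__ == "__main__":
    for finding in scan_userdata(SAMPLE_USERDATA):
        print(finding)
```

Anything reported as "high" belongs in a secrets store rather than in userdata, since any process that can reach the metadata address from the instance can read it.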
