The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?
Let's open up Wireshark again. As we know, the destination must be IP 18.222.86.32
(seen earlier in the challenge). The attacks started at frame no. 7229,
and the "login failed" frame has a fixed size of 742 bytes, so everything else should be a good match. We set the following filter:
ip.dst_host == "18.222.86.32" and http.response.code == 200 and frame.len != 742 and frame.number > 7229
We select the first entry and right-click -> Follow -> HTTP Stream:
GET /proc HTTP/1.1
Host: www.toteslegit.us
...
HTTP/1.1 200 OK
So the first successful URL tried is /proc.
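As an added example (not part of the original write-up), the same triage the Wireshark filter performs, redone in Python over a constructed set of frame records: drop responses before the attack start, drop the fixed-size "login failed" responses, keep 200s to the known destination, then "follow the stream" to recover the request path and Host. The Frame records and the SAMPLE capture are made up for the example; only the IP, frame number and 742-byte size come from the write-up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET = "18.222.86.32"      # destination IP from the challenge
LOGIN_FAILED_LEN = 742       # fixed size of the "login failed" response frame
ATTACK_START = 7229          # first frame of the attack


@dataclass
class Frame:                 # hypothetical stand-in for a pyshark/tshark packet
    number: int
    dst: str
    length: int
    stream: int              # TCP stream id, links a request to its response
    status: Optional[int]    # HTTP response code; None for request frames
    payload: str = ""        # raw HTTP request text for request frames


def matches_filter(f: Frame) -> bool:
    """Same predicate as the Wireshark display filter in the write-up."""
    return (f.dst == TARGET and f.status == 200
            and f.length != LOGIN_FAILED_LEN and f.number > ATTACK_START)


def request_line(frames: List[Frame], stream: int) -> Optional[Tuple[str, str, str]]:
    """'Follow HTTP stream': return (method, path, host) of the request in this stream."""
    for f in frames:
        if f.stream == stream and f.status is None:
            lines = f.payload.split("\r\n")
            method, path, _ = lines[0].split(" ", 2)
            host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                         if l.lower().startswith("host:")), "")
            return method, path, host
    return None


def successful_fetches(frames: List[Frame]) -> List[Tuple[int, str, str]]:
    """(response frame number, path, host) for every response passing the filter, in capture order."""
    out = []
    for f in sorted(frames, key=lambda x: x.number):
        if matches_filter(f):
            req = request_line(frames, f.stream)
            if req:
                out.append((f.number, req[1], req[2]))
    return out


# Constructed sample capture (not the real PCAP)
SAMPLE = [
    Frame(7000, TARGET, 900, 1, 200),                                   # pre-attack: excluded
    Frame(7230, TARGET, 600, 2, None, "GET /etc/passwd HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n"),
    Frame(7231, TARGET, 742, 2, 200),                                   # "login failed": excluded
    Frame(7300, TARGET, 580, 3, None, "GET /proc HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n"),
    Frame(7301, TARGET, 1500, 3, 200),                                  # first real hit
    Frame(7302, "10.0.0.5", 1500, 4, 200),                              # other destination: excluded
]
```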
We get the following hints:
AWS uses a specific IP address to access IMDS, and that IP only appears twice in this PCAP.