IMDS, XXE, and Other Abbreviations
Alabaster Snowball is standing in the very dark.
Challenge

The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?

Solution

Let's open Wireshark again. As established in the previous challenge, the destination address must be 18.222.86.32. The attack started at frame number 7229, and the "login failed" frame has a fixed size of 742 bytes, so any other 200 OK frame after that point is a good candidate. We set the following filter:

ip.dst_host == "18.222.86.32" and  http.response.code == 200 and frame.len != 742 and frame.number > 7229

We select the first entry and use right-click -> Follow -> HTTP Stream:

GET /proc HTTP/1.1
Host: www.toteslegit.us
...
HTTP/1.1 200 OK

So the first URL that returned a successful response is /proc.

We get the following hints:

Instance Metadata Service

AWS uses a specific IP address to access IMDS, and that IP only appears twice in this PCAP.
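The question asks which URL the attacker's XXE payload forced the server to fetch, and the hint points at the fixed IMDS address that AWS exposes to every EC2 instance (169.254.169.254). The script below is an added example, not part of this write-up or of the challenge: given raw HTTP requests (as you would export them from Wireshark's Follow HTTP Stream), it pulls every external entity URL out of the DTD of an XML body and flags the ones that point at the IMDS address. The three requests, the /upload path and the IMDS path in the third one are constructed for illustration; they are not the traffic from the challenge PCAP. It goes a little beyond the page by also handling parameter entities (`<!ENTITY % ...>`) and file:// targets, since the same regex covers both.

```python
"""Extract external-entity (XXE) URLs from XML request bodies.

Added example for this write-up; the HTTP requests below are constructed,
not the real traffic from the challenge PCAP.
"""
import re
from typing import Dict, List, Tuple

# Link-local address AWS uses for the Instance Metadata Service (same on every EC2 host).
IMDS_ADDR = "169.254.169.254"

# Matches general and parameter entity declarations with an external SYSTEM identifier:
#   <!ENTITY xxe SYSTEM "http://...">
#   <!ENTITY % xxe SYSTEM "file:///etc/passwd">
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?(?P<name>[\w.-]+)\s+SYSTEM\s+(?P<q>['\"])(?P<url>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)


def split_http_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def external_entities(xml_body: str) -> List[Tuple[str, str]]:
    """Return (entity name, URL) for every external entity declared in the body's DTD."""
    return [(m.group("name"), m.group("url")) for m in ENTITY_RE.finditer(xml_body)]


def find_xxe_fetches(requests: List[str]) -> List[dict]:
    """Report every URL an XML parser would be forced to fetch, and whether it targets IMDS."""
    findings = []
    for idx, raw in enumerate(requests, start=1):
        request_line, _headers, body = split_http_request(raw)
        if "<!DOCTYPE" not in body.upper():  # no DTD means no entity declarations
            continue
        for name, url in external_entities(body):
            findings.append({
                "request": idx,
                "request_line": request_line,
                "entity": name,
                "url": url,
                "imds": IMDS_ADDR in url,
            })
    return findings


# Constructed sample requests (hypothetical /upload endpoint and IMDS path).
SAMPLE_REQUESTS = [
    # Benign XML upload: no DTD, nothing to fetch.
    "POST /upload HTTP/1.1\r\nHost: www.toteslegit.us\r\nContent-Type: application/xml\r\n\r\n"
    '<?xml version="1.0"?><product><name>sled</name></product>',
    # Classic XXE: general entity pointing at a local file.
    "POST /upload HTTP/1.1\r\nHost: www.toteslegit.us\r\nContent-Type: application/xml\r\n\r\n"
    '<?xml version="1.0"?><!DOCTYPE product [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<product><name>&xxe;</name></product>",
    # XXE used as SSRF against the metadata service (constructed path, not the challenge's).
    "POST /upload HTTP/1.1\r\nHost: www.toteslegit.us\r\nContent-Type: application/xml\r\n\r\n"
    '<?xml version="1.0"?><!DOCTYPE product [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]>'
    "<product><name>&xxe;</name></product>",
]


if __name__ == "__main__":
    for f in find_xxe_fetches(SAMPLE_REQUESTS):
        tag = "IMDS" if f["imds"] else "other"
        print(f"request {f['request']} ({f['request_line']}): entity {f['entity']} -> {f['url']} [{tag}]")
```

The same idea applied to the real capture is to dump the HTTP request bodies (for example with tshark's `-z follow,http` or by exporting the streams from Wireshark) and feed them to `find_xxe_fetches`; the request whose entity URL contains 169.254.169.254 is the one the hint is pointing at.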