IMDS, XXE and other abbreviations

Web Ring

Alabaster Snowball

Hint:
AWS uses a specific IP address to access IMDS, and that IP only appears twice in this PCAP.

 

Open victim.pcap in Wireshark and apply a display filter that keeps only HTTP requests whose destination IP is the AWS EC2 Instance Metadata Service (IMDS) address, 169.254.169.254:

http && ip.dst==169.254.169.254

Right-click the last matching request and select Follow > HTTP Stream. The request is for the URL below:
/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance HTTP/1.0

Answer: http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

Submitting the answer completes the objective and also earns 10 coins.
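
The same filter can be applied without Wireshark, which is useful when triaging many captures for workloads that reached IMDS. This is an added example, not part of the original write-up: it reads a classic pcap (not pcapng) and lists every HTTP request line sent to 169.254.169.254. The function names, the 10.0.0.x addresses and the first IMDS request in the sample are constructed for illustration.

```python
import socket, struct

IMDS_IP = "169.254.169.254"  # link-local address of the EC2 metadata service

def imds_requests(pcap: bytes):
    """Return (src_ip, request_line) for every HTTP request sent to IMDS.
    Classic pcap only (not pcapng); Ethernet + IPv4 + TCP, no reassembly."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    hits, off = [], 24                                 # skip global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # need IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6 or socket.inet_ntoa(ip[16:20]) != IMDS_IP:
            continue                                   # not TCP to IMDS
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]                            # drop Ethernet padding
        payload = tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else b""
        line = payload.split(b"\r\n", 1)[0].decode("latin-1")
        if line.split(" ")[0] in ("GET", "HEAD", "POST", "PUT"):
            hits.append((socket.inet_ntoa(ip[12:16]), line))
    return hits

def _frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: one ordinary request, two requests to IMDS."""
    cred = b"/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
    pkts = [_frame("10.0.0.5", "10.0.0.9", b"GET /index.html HTTP/1.1\r\n\r\n"),
            _frame("10.0.0.5", IMDS_IP, b"GET /latest/meta-data/ HTTP/1.0\r\n\r\n"),
            _frame("10.0.0.5", IMDS_IP, b"GET " + cred + b" HTTP/1.0\r\n\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in pkts:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    for src, line in imds_requests(sample_pcap()):
        print(src, "->", IMDS_IP, line)
```

To run it against a real capture, pass the file's bytes to `imds_requests`; any hit on a `security-credentials` path is worth correlating with the request that triggered it.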