After compromising a system, a penetration tester wants more information in order to decide what actions to take next. The tester runs the following commands:
curl http://169.254.169.254/latest
Which of the following attacks is the penetration tester more likely trying to perform?
By executing the command 'curl http://169.254.169.254/latest', the penetration tester is attempting to access the metadata service of a cloud instance. This IP address (169.254.169.254) is a well-known endpoint for the metadata service in cloud environments such as AWS. Accessing this service can provide sensitive details like instance configurations, IAM roles, and potentially credentials, which can then be exploited for further attacks. This action is most indicative of a metadata service attack.
Correct answer
A. Metadata service attack: By accessing the metadata service, the tester can retrieve sensitive information about the instance, including IAM roles and credentials, network configurations, and other details that can be exploited further. • B. Container escape techniques: This is related to breaking out of a container to access the host system. The command provided does not specifically indicate an attempt to escape a container environment. • C. Credential harvesting: While credential harvesting might be a goal, the immediate action of accessing the metadata service suggests the focus is on gathering instance metadata, which may include credentials as part of the retrieved data. • D. Resource exhaustion: This involves depleting system resources to cause a denial of service. The command does not suggest any actions related to resource consumption
The given command (curl http://169.254.169.254/latest) is specifically designed to access the metadata service of cloud instances (commonly found in AWS EC2 environments). This service contains sensitive details like configuration data and potentially credentials, which can be exploited for further attacks or access escalation
You can also detect when an attacker is directly querying the metadata service from the instance by identifying commands such as curl 169.254.169.254 https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stealing-ec2-instance-role-credentials/