Closed Eyilink closed 2 months ago
Getting the same issue deploying from the latest code.
I'll look into fixing it, probably an issue with the User data that populates the instance
https://aws.amazon.com/blogs/aws/amazon-ec2-instance-metadata-service-imdsv2-by-default/
I believe this may be the root cause, will require an update to the Terraform.
I have the same issue: trying to see the web content of the ECS takeover scenario, I can't access the website and I get a timeout.
ECS takeover still seems to work for me
From the AWS console what is your IMDSv2 configured as? (optional/required)
I have it configured as optional
From: Andrew @.> Sent: Monday, 5 August 2024 12:45 To: RhinoSecurityLabs/cloudgoat @.> Cc: Eyilink @.>; Author @.> Subject: Re: [RhinoSecurityLabs/cloudgoat] EC2 SSRF - EC2 INSTANCE PORT 80 CLOSED (Issue #267)
Is the security group configured correctly to your public IP (ifconfig.me)?
I solved the issue by using aws-nuke and resetting all to a clean setup.
Thank you for your help.
This is fixed now thanks to @andrew-aiken
Hi,
I am not able to correctly attempt the SSRF with the url parameter. When I tried to curl the page I get "Failed to connect to x.x.x.x", and with an Nmap scan I actually see that port 80 is closed:
curl http://23.20.79.97/
curl: (7) Failed to connect to 23.20.79.97 port 80 after 94 ms: Couldn't connect to server
nmap -sC -A -T4 23.20.79.97
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-04 15:36 CEST
Nmap scan report for ec2-23-20-79-97.compute-1.amazonaws.com (23.20.79.97)
Host is up (0.096s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (port-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f1:15:19:ca:42:aa:e6:40:51:06:db:62:89:bf:20:5d (RSA)
| 256 d6:08:a5:26:ce:6a:43:14:87:c3:73:55:14:b5:75:52 (ECDSA)
|_ 256 61:8b:4d:f1:f1:d5:21:f6:9c:33:cb:3c:00:38:bd:06 (ED25519)
80/tcp closed http
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (91%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.10 (88%), Linux 5.0 - 5.4 (88%), Linux 2.6.32 - 3.13 (88%), Linux 2.6.39 (88%), Linux 5.1 (87%), Linux 3.2 - 4.9 (87%), Linux 3.4 - 3.10 (87%), Linux 2.6.22 - 2.6.36 (86%), Linux 3.2 - 3.8 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.29 ms MSI.mshome.net (172.29.80.1)
2 3.23 ms box (192.168.1.1)
3 ...
4 6.76 ms 45.114.154.77.rev.sfr.net (77.154.114.45)
5 98.88 ms ec2-23-20-79-97.compute-1.amazonaws.com (23.20.79.97)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.11 seconds
I'm stuck there and can't do much more of the scenario. I tried destroying the CloudGoat deployment and recreating it, without success.
I should have this: