IMDS Exploration

TerminalWalk-through

Details

• Location: FrostFest/Jack's Executive Restroom
• Troll: Noxious O. D'or

Troll's Objective Message

Hey, this is the executive restroom. Wasn't that door closed?

I’m Noxious O’Dor. And I’ve gotta say, I think that Jack Frost is just messed up. I mean, I'm no expert, but his effort to "win" against Santa by going bigger and bolder seems bad. You know, I’m having some trouble with this IMDS exploration. I’m hoping you can give me some help in solving it. If you do, I’ll be happy to trade you for some hints on SSRF! I’ve been studying up on that and have some good ideas on how to attack it!

This terminal is located in Jack's Executive Restroom at FrostFest. Solving this terminal challenge provides additional hints for objective 10. To view the hints for this terminal challenge use the menu on the left.

This terminal challenge is a tutorial for the IMDS services. This challenge consists of multiple puzzles. The puzzles walk you through what you need to do. Here are the answers for the first set of puzzles:

IMDSv1 Answers

ping 169.254.169.254

next

curl http://169.254.169.254/latest

curl http://169.254.169.254/latest/dynamic

curl http://169.254.169.254/latest/dynamic/instance-identity/document

curl http://169.254.169.254/latest/dynamic/instance-identity/document | jq

curl http://169.254.169.254/latest/meta-data

curl http://169.254.169.254/latest/meta-data/public-hostname

curl http://169.254.169.254/latest/meta-data/public-hostname;echo

curl http://169.254.169.254/latest/meta-data/iam/security-credentials;echo

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/elfu-deploy-role;echo

For IMDSv2 part of this challenge you need to examine gettokens.sh. Running the command cat gettokens.sh will show the following:

As the walk-through states:

Quote

This script will retrieve a token from the IMDS server and save it in the environment variable TOKEN. Import it into your environment by running 'source gettoken.sh'. Now, the IMDS token value is stored in the environment variable TOKEN. Examine the contents of the token by running 'echo $TOKEN'.

Run the following commands to complete this challenge:

IMDSv2 Answers

source gettoken.sh

echo $TOKEN

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region