# Week 56 - Cloud SSRF PrivEsc

Picture this: you discover Cloud SSRF on an AppSec engagement, and you’re staring at a set of access keys. If you’re anything like me, you’ll be thinking: now what? In this post, I will document how to turn those keys into AWS Admin and RCE!

Most of the time with Cloud SSRF, you’ll be dealing with an AWS environment. This is because Google Cloud and Azure by default require a custom header to be passed in the SSRF request, which means that unless you can specify a custom header for the server to use, you will be SOL. Interestingly, metadata SSRF can also be prevented in AWS by switching from IMDSv1 to IMDSv2.

Once you pull those access keys, the first step is to figure out what permissions they have associated with them. This can be done through two amazing tools: enumerate-iam and pacu (linked in comments). I will cover enumerate-iam first since it’s easier and has a lower learning curve. You can run it like this:

`python3 enumerate-iam.py --access-key [access_key_here] --secret-key [secret_key_here] --session-token [session_token_here]`

It will then go through and enumerate the permissions associated with the access key. Some dangerous permissions that could be used to escalate the severity of the finding are:

- `s3:ListBuckets` => list out S3 buckets, probably some sensitive info in there
- `iam:PassRole` and `ec2:RunInstances` => create an EC2 instance and pass an existing role to it. Then you have RCE on an OS in the AWS environment
- `iam:PutGroupPolicy` or `iam:PutUserPolicy` => attach a policy with higher permissions to your own group/role
- `iam:CreatePolicyVersion` => create a new version of your policy with higher permissions
- `iam:AddUserToGroup` or `iam:CreateAccessKey` => add your user to a group with higher permissions

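Seen from the defending side, the same list works as a review checklist for any role attached to an internet-facing workload. The sketch below is an added example, not code from enumerate-iam, Pacu or the original post. It reads an IAM policy document and reports which of the permission sets above it grants, including grants hidden behind wildcards or `NotAction`. The finding labels and the sample policy are made up for illustration.

```python
import fnmatch

# Permission sets from the list above; a finding needs every action in its set.
# The S3 ListBuckets API call is authorized by the IAM action s3:ListAllMyBuckets.
RISKY_SETS = {
    "list-buckets": {"s3:ListAllMyBuckets"},
    "passrole-run-instances": {"iam:PassRole", "ec2:RunInstances"},
    "put-group-policy": {"iam:PutGroupPolicy"},
    "put-user-policy": {"iam:PutUserPolicy"},
    "create-policy-version": {"iam:CreatePolicyVersion"},
    "add-user-to-group": {"iam:AddUserToGroup"},
    "create-access-key": {"iam:CreateAccessKey"},
}

def _as_list(value):
    """Policy JSON allows a bare string/object wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _stmt_allows(stmt, action):
    """True if one Allow statement covers the action (names are case-insensitive)."""
    if stmt.get("Effect") != "Allow":
        return False
    key = "NotAction" if "NotAction" in stmt else "Action"
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
              for p in _as_list(stmt.get(key)))
    # NotAction inverts the match: everything except the listed actions.
    return not hit if key == "NotAction" else hit

def audit_policy(policy):
    """Return the risky sets a policy grants. Resource, Condition and explicit
    Deny are not evaluated, so treat the result as a list to review."""
    stmts = _as_list(policy.get("Statement"))
    return sorted(name for name, actions in RISKY_SETS.items()
                  if all(any(_stmt_allows(s, a) for s in stmts) for a in actions))

SAMPLE_POLICY = {  # constructed for illustration, not from a real account
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Run*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "IAM:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("review:", finding)
```
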
If you are lazy like me, you can automate this with `aws_escalate.py` (linked in comments).

Now onto Pacu. I like to call this tool the Metasploit of the cloud. It can have a steeper learning curve, but there is so much you can do with it once you get comfortable. Once set up, you can run the following module:

`run iam__bruteforce_permissions`

This will spit out the permissions associated with the access key. Say you don’t have Admin access. Just run the following module in Pacu:

`run privesc_scan`

If Pacu finds a PrivEsc route, it will automatically make you an Administrator. Doesn’t get much easier than that!