
🥷 CloudGoat: Data Secrets: Write-up: Exploiting EC2 User Data and IMDS to escalate privileges
🧭 Overview

Scenario: data_secrets
Platform: CloudGoat (Rhino Security Labs)
Tools: Pacu + AWS CLI + SSH
Objective: Steal credentials through EC2 User Data, leverage IMDS to escalate, enumerate Lambda functions, and retrieve the flag from Secrets Manager.

⚔️ Attack Path Summary

Limited User → EC2 Enum → User Data Leak → SSH Access → IMDS Token Theft → Lambda Enum → DB Credentials → Secrets Manager → Flag

🔑 Phase 1: Initial Access

Configure Profile

    aws configure --profile data_secrets
    # Access Key: AKIA****************
    # Secret Key: dHQo/hANNyGHxSCBhOmN********************

Validate Credentials

    aws sts get-caller-identity --profile data_secrets

    {
        "UserId": "AIDA****************",
        "Account": "7912********",
        "Arn": "arn:aws:iam::7912********:user/cg-start-user-cgido7xwddyilh"
    }

🔎 Phase 2: IAM Enumeration

Launch Pacu and Import Keys

    pacu
    Pacu > import_keys data_secrets

Enumerate Permission
Continue reading on Dev.to
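
A defender-side check for the two conditions the attack path above depends on (credentials left in EC2 User Data, then role credentials reachable through IMDS from the host), added here as an example and not part of the original write-up. It assumes input shaped like `aws ec2 describe-instances` items and the `UserData.Value` field of `describe-instance-attribute`; the patterns, severity labels and sample records are constructed for illustration.

```python
import base64
import re

# Illustrative patterns for credential-like content in decoded user data (not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\w*\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "chpasswd": re.compile(r"\bchpasswd\b"),
}

def audit_instance(instance, user_data_b64):
    """instance: one describe-instances item; user_data_b64: UserData.Value or None."""
    text = base64.b64decode(user_data_b64 or "").decode("utf-8", errors="replace")
    hits = sorted(n for n, rx in SECRET_PATTERNS.items() if rx.search(text))
    has_role = "IamInstanceProfile" in instance
    meta = instance.get("MetadataOptions", {})
    imds_on = meta.get("HttpEndpoint", "enabled") == "enabled"
    imdsv1 = imds_on and meta.get("HttpTokens", "optional") != "required"
    if hits and has_role and imds_on:
        severity = "high"    # a leaked login also exposes role credentials via IMDS
    elif hits:
        severity = "medium"  # secret readable by anyone allowed to read user data
    elif imdsv1 and has_role:
        severity = "low"     # hardening gap: IMDSv1 requests still accepted
    else:
        severity = "ok"
    return {"instance_id": instance["InstanceId"], "user_data_secrets": hits,
            "has_instance_role": has_role, "imdsv1_allowed": imdsv1, "severity": severity}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample records (placeholder IDs and ARN, not taken from the write-up).
_ROLE = {"Arn": "arn:aws:iam::111122223333:instance-profile/example-profile"}
SAMPLE = [
    ({"InstanceId": "i-00000000000000001", "IamInstanceProfile": _ROLE,
      "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
     _b64("#!/bin/bash\nDB_PASSWORD=example-only\necho 'app:example-only' | chpasswd\n")),
    ({"InstanceId": "i-00000000000000002", "IamInstanceProfile": _ROLE,
      "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
     _b64("#!/bin/bash\nyum -y update\n")),
    ({"InstanceId": "i-00000000000000003",
      "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
     _b64("#!/bin/bash\necho PASSWD=example-only > /etc/app.conf\n")),
]

def audit_all(records):
    return [audit_instance(inst, ud) for inst, ud in records]
```

Requiring IMDSv2 tokens does not stop a user with a shell on the instance from reading the role's credentials, so the "high" case is addressed by removing the secret from user data and scoping the instance role to least privilege.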




