I was looking for a copy of the new TeamTNT worm since it's written in bash, and I noticed that while it mines credentials out of ~/.aws directories, it doesn't use the Amazon metadata service hack. I always love/hate watching companies entrench bad design decisions. Microsoft is a major culprit, but Amazon has done the same thing with its unauthenticated metadata service.
I used to think this service was pretty much ornamental. It was a URL that would tell you things about the machine you're on when you query it (like the serial number). It didn't even give great information; you can't use it to get useful names for volumes, for example. It only uses your source IP address to verify that you're allowed access to that information. As it turns out, they also use it to implement a snazzy feature. In AWS you can attach AWS permissions to various kinds of objects. That way you can give a machine (or Lambda function) automatic access to an AWS resource without having to code it into your application. It's actually completely necessary for Lambda functions.
Anyway, AWS decided to make this functionality work via the metadata service URL. What happens is their libraries for interacting with AWS stuff call out to the metadata service, get a temporary set of credentials, and then use them normally. The problems with this were brought to light with the Capital One hack: a hacker used the feature that lets you specify your credit card's background picture to call the metadata service and download temporary credentials to access Capital One's AWS account.
Whoops! Anyway, since this issue isn't going to go away soon, everyone should know about it. A fairly rambling but entertaining book about leveraging this sort of thing is Sparc Flow - Hack Like A Ghost (https://www.amazon.com/gp/product/B0852RCVTC?ref_=dbs_m_mng_rwt_calw_7&storeType=ebooks).
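The Capital One problem above is a server-side request forgery: the application fetched whatever URL the user handed it, and the metadata service trusted the request because it came from the instance's own IP. Below is an added example (my code, not from this post, from AWS, or from the book mentioned) of the outbound-URL guard an application like that needs before it fetches a user-supplied picture. It relies on one fact not stated in the post: the AWS metadata endpoint lives in the IPv4 link-local range 169.254.0.0/16, so that whole range is refused along with loopback, RFC 1918 and their IPv6 equivalents. The names `BLOCKED_NETWORKS`, `resolve_all`, `is_blocked_ip` and `check_fetch_target` are my own; the injectable `resolver` parameter exists so the check can be exercised offline with constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a user-controlled fetch must never reach. Link-local
# (169.254.0.0/16) is where the AWS instance metadata endpoint sits; the
# rest cover loopback, RFC 1918, "this network" and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "0.0.0.0/8",
    "::1/128",
    "fe80::/10",
    "fc00::/7",
    "::ffff:0:0/96",   # IPv4-mapped IPv6, e.g. ::ffff:169.254.169.254
)]

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_text):
    """True if the address falls inside any range we refuse to connect to."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 scope id
    # Unwrap IPv4-mapped addresses so ::ffff:169.254.169.254 is also judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(hostname):
    """Every A/AAAA answer for hostname (or the literal itself if it is one).

    Resolving through getaddrinfo also catches tricks such as a decimal
    integer hostname, which the OS resolver would happily turn into an IPv4
    address even though it does not look like one.
    """
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_fetch_target(url, resolver=resolve_all):
    """Decide whether the application may fetch url.

    Returns (ok, reason, resolved_ips). Every resolved address must be
    acceptable: a hostname with one public and one link-local answer is
    refused, because the client could be steered to either.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, []
    host = parts.hostname
    if not host:
        return False, "no host in url", []
    try:
        ips = resolver(host)
    except (socket.gaierror, UnicodeError, ValueError) as exc:
        return False, "resolution failed: %s" % exc, []
    if not ips:
        return False, "hostname resolved to nothing", []
    bad = [ip for ip in ips if is_blocked_ip(ip)]
    if bad:
        return False, "resolves to blocked address(es): %s" % ", ".join(bad), ips
    return True, "ok", ips


if __name__ == "__main__":
    # Constructed inputs: a literal metadata address, a mapped-IPv6 disguise,
    # a non-http scheme, and a public host answered by a stub resolver.
    for u, r in (
        ("http://169.254.169.254/latest/meta-data/", resolve_all),
        ("http://[::ffff:169.254.169.254]/latest/meta-data/", resolve_all),
        ("file:///etc/passwd", resolve_all),
        ("https://cdn.example/card-background.png", lambda h: ["203.0.113.10"]),
    ):
        print(u, "->", check_fetch_target(u, resolver=r)[:2])
```

Two design points matter in practice. First, the caller should open the connection to one of the returned `resolved_ips` (setting the Host header itself) rather than letting the HTTP client resolve the name a second time, otherwise a DNS answer that changes between check and fetch gets around the guard. Second, redirects must be re-checked with the same function at every hop, since a public host can simply 302 the client toward the metadata address.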
In other news, I keep on seeing people use Hetzner Online GmbH as an offshore datacenter, and Hack the Box is lots of fun. Just cheat slightly when they expect you to know something completely non-obvious, like an existing password that's not in a text file called user.txt or something like that. The ones I've done are mostly web-app security, and are not too hard once you know how they like to set things up. I even painfully went through a Windows challenge with a walk-through and I'm quite a bit more educated for having done so. (You know what bugs me about Windows? You do something one way and it works, and you do it another way that should be completely equivalent and it doesn't. Why does it work one way and not the other? Fuck me if I know, ask a Windows admin.)
Picture is from https://posts.slayerlabs.com/double-hop/