← LibraryTechnique entry
W-SSRF-IMDSLateral Movement
SSRF → Cloud IMDS
Hit 169.254.169.254 / 100.100.100.200 / metadata.google.internal — recover IAM role / instance creds.
§ Where this technique fits
W-SSRF-IMDS is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 3.5 on average.
§ Dossiers chaining this technique
- step 3 / 6
SSRF → IMDS → cloud creds → lateral
An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
- step 4 / 6
XXE → SSRF → IMDS → cloud creds
XML parser configured with external entities resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.
§ What commonly comes next
- 01Unsecured Credentialsseen 2×T1552 · Credential Access