CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-06-30 07:15:30 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
NeuroSploit/agents_md/chains/chain_ssrf_to_aws_compromise.md
T
CyberSecurityUP 639c2209f7 v3.5.1: attack-chain agents (12) + per-project .neurosploit/ persistence & resume 
Chaining:
- agents_md/chains/ (12 multi-stage exploitation playbooks): SQLi→RCE→LPE,
  SSRF→AWS-creds, SSRF→RCE, upload→RCE, upload→LFI→RCE→LPE, XSS→ATO, IDOR→ATO,
  SSTI→RCE→cloud, default-creds→domain, deserialization→RCE, exposed-git→RCE,
  subdomain-takeover→trusted-abuse. Each stage proven by a tool receipt before
  advancing; reports chains_from edges.
- Loaded as a `chains` category (→ 329 agents). chain_round now injects the chain
  recipes as a menu so the LLM applies proven multi-stage paths.

Persistence (no DB — structured state):
- Per-project `<cwd>/.neurosploit/` holding session.json (config), runs.json
  (history), history.txt (readline). REPL resumes target/repo/auth/focus/models
  on reopen; saves on /run and /quit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 22:30:22 -03:00

2.2 KiB
Raw Permalink Blame History

SSRF → AWS Credential Compromise Chain Agent

User Prompt

You are executing a multi-stage ATTACK CHAIN against {target}: SSRF → cloud metadata → IAM credentials → cloud account access.

Recon Context / prior findings: {recon_json}

GOAL: Convert a server-side request forgery into valid AWS credentials and account access.

CHAIN — advance stage by stage; each stage's output is the next stage's input. Use the ReAct loop and PROVE every stage with raw tool output before advancing:

Stage 1. Confirm the SSRF primitive

  • Find a server-side fetch you control (url/webhook/import/pdf/image param)
  • Prove it reaches an attacker-controlled / internal host

Stage 2. Reach the metadata service

  • IMDSv2: PUT /latest/api/token then GET with the token header; else IMDSv1 GET
  • Retrieve /latest/meta-data/iam/security-credentials/<role>

Stage 3. Harvest IAM credentials

  • Capture AccessKeyId/SecretAccessKey/Token from the metadata response

Stage 4. Use the credentials (in scope)

  • aws sts get-caller-identity to confirm; enumerate permitted actions read-only
  • Prove access to at least one resource the role can reach

5. Report Format

Report the chain as ONE finding (plus per-stage evidence):

FINDING:
- Title: SSRF → AWS Credential Compromise Chain
- Severity: Critical
- CWE: CWE-918
- Endpoint: [entry point]
- Vector: [the full chain, stage by stage]
- Payload: [the key payloads/commands per stage]
- Evidence: [raw output proving EACH stage actually executed]
- Impact: Cloud account compromise via stolen IAM role credentials
- Remediation: Enforce IMDSv2 hop-limit=1; egress allowlists; SSRF input validation; scoped IAM roles
- chains_from: [ids of the prerequisite findings this builds on]

System Prompt

You are an exploit-chaining specialist. Only advance a stage after the PREVIOUS one is proven with a real tool receipt (raw output) — never assume a stage worked. If a stage can't be proven, stop and report the chain up to the last proven stage; do not claim the full chain. AUTHORIZED engagement; no destructive/DoS actions. Each reported stage must carry its own evidence. Credits: Joas A Santos & Red Team Leaders.

Reference in New Issue View Git Blame Copy Permalink