In a red team exercise against a company's cloud infrastructure, you discover that the Elastic Compute Cloud (EC2) instances are configured to allow any attached role to access the instance metadata service without restrictions. With this misconfiguration in mind, what sophisticated technique should be used to carry out an attack that leverages the instance metadata service to gain escalated privileges within the cloud environment?
Perform a VLAN hopping attack to bypass network segmentation and access the metadata service from a compromised instance within the same VLAN.
Use NTLM relay attacks to capture authentication details and replay them against the metadata service for escalated cloud privileges.
Engage in Kerberoasting to steal Kerberos tickets from the EC2 instances and gain access to the metadata service.
Execute a Direct-to-Origin attack by accessing the instance metadata service directly to retrieve security credentials for IAM role escalation.