Identifying and Cracking Exposed Cloud Storage Backups
In this challenge, we begin by inspecting the web page elements to uncover an internal Google Cloud Storage URL: https://storage.googleapis.com/it-storage-bucket.
1. Initial Enumeration
Attempting to list the bucket contents directly (via the gcloud CLI or a browser) often returns a "Permission Denied" (403) error when object listing is not granted, even though individual objects may still be publicly readable.
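From the bucket owner's side, that "listing denied but objects download" state is visible in the bucket's IAM policy. The following audit is an added example written for this page, not code from the original write-up: it reads the JSON that `gcloud storage buckets get-iam-policy BUCKET --format=json` prints, picks out bindings granted to `allUsers` or `allAuthenticatedUsers`, and reports whether they allow object reads, object listing, or writes. The role-to-capability table is an assumption on my part about the predefined roles (`roles/storage.legacyObjectReader` grants object get without list; `roles/storage.objectViewer` grants both), and the sample policy is constructed to mirror the challenge bucket.

```python
"""Audit a Cloud Storage bucket IAM policy for public access.

Added example (not part of the original write-up). Input is the JSON that
`gcloud storage buckets get-iam-policy BUCKET --format=json` prints; the
sample policy below is constructed to mirror the challenge bucket.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Public-relevant capabilities granted by common predefined roles (assumed
# mapping). legacyObjectReader grants object get without object list, which
# is exactly the "files download but listing is 403" situation.
ROLE_CAPABILITIES = {
    "roles/storage.legacyObjectReader": {"get"},
    "roles/storage.objectViewer": {"get", "list"},
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.objectCreator": {"write"},
    "roles/storage.objectAdmin": {"get", "list", "write"},
    "roles/storage.admin": {"get", "list", "write"},
}

# Constructed sample: objects world-readable, listing not granted.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["group:it-ops@example.com"]},
        {"role": "roles/storage.legacyObjectReader",
         "members": ["allUsers"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
})


def audit_policy(policy_json):
    """Return the public bindings plus what they let anonymous clients do."""
    policy = json.loads(policy_json)
    public = []
    caps = set()
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_PRINCIPALS.intersection(binding.get("members", []))
        if not exposed:
            continue
        role = binding["role"]
        public.append({
            "role": role,
            "members": sorted(exposed),
            # A conditional binding may narrow the grant; still report it.
            "conditional": "condition" in binding,
        })
        caps |= ROLE_CAPABILITIES.get(role, {"unknown"})
    return {
        "public_bindings": public,
        "objects_readable": "get" in caps,
        "listable": "list" in caps,
        "writable": "write" in caps,
        "unknown_public_role": "unknown" in caps,
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY_JSON), indent=2))
```

On the sample policy the audit reports `objects_readable: true` and `listable: false`. Two caveats: a bucket that has not enabled uniform bucket-level access can also expose objects through per-object ACLs that never appear in the bucket policy, so this check is necessary but not sufficient; and enabling public access prevention on the bucket (or via organization policy) rejects `allUsers` and `allAuthenticatedUsers` grants outright, which is the simpler fix for a backup bucket.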
To bypass this, we perform directory fuzzing to find specific hidden files. Using the ffuf tool and a targeted backup wordlist, we can identify valid paths.
Command:
ffuf -u https://storage.googleapis.com/it-storage-bucket/FUZZ -w /usr/share/wordlists/backup_files_only.txt -mc 200
The fuzzer successfully identifies a match: backup.7z.
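The probe sequence above leaves a distinctive trace for the bucket owner: one client producing a burst of 403/404 responses for guessed object names, then a 200. The following detector is an added example written for this page, not code from the original write-up. It runs over Cloud Storage usage-log CSV rows and flags any client IP whose error responses within a sliding window exceed a threshold, recording which objects that client then fetched successfully. The log lines are constructed, and the column names (`time_micros`, `c_ip`, `cs_method`, `cs_uri`, `sc_status`, `cs_bucket`, `cs_object`) are my assumption about the usage-log header; adjust them to the header of your own export.

```python
"""Flag object-name guessing against a bucket from Cloud Storage usage logs.

Added example (not from the original write-up). The sample log is
constructed; column names follow the usage-log CSV header as assumed in
the lead-in.
"""
import csv
from collections import defaultdict
from io import StringIO

T = 1_700_000_000  # constructed base timestamp (seconds)


def _row(ip, offset, method, obj, status, bucket="it-storage-bucket"):
    """Build one quoted CSV row for the constructed sample log."""
    return ",".join(f'"{v}"' for v in (
        (T + offset) * 1_000_000, ip, method, f"/{bucket}/{obj}",
        status, bucket, obj))


# Constructed guessed names; the last probe below is the one that hits.
_PROBES = ["admin.zip", "backup.zip", "backup.tar.gz", "site.bak", "db.sql",
           "dump.sql", "backup.rar", "old.zip", "www.zip", "archive.tar",
           "backup.tgz"]

SAMPLE_LOG = "\n".join(
    ['"time_micros","c_ip","cs_method","cs_uri","sc_status","cs_bucket","cs_object"',
     _row("203.0.113.7", 0, "GET", "", 403)]            # listing attempt, denied
    + [_row("203.0.113.7", 2 * i + 1, "GET", o, 404) for i, o in enumerate(_PROBES)]
    + [_row("203.0.113.7", 24, "GET", "backup.7z", 200),   # the guess that hit
       _row("198.51.100.5", 5, "GET", "index.html", 200),  # ordinary visitor
       _row("198.51.100.5", 9, "GET", "favicon.ico", 404)]
) + "\n"


def detect_enumeration(log_text, min_errors=10, window_seconds=60):
    """Return {client_ip: finding} for clients whose 403/404 count within
    any window_seconds span reaches min_errors."""
    by_ip = defaultdict(list)
    for r in csv.DictReader(StringIO(log_text)):
        by_ip[r["c_ip"]].append(
            (int(r["time_micros"]) // 1_000_000, int(r["sc_status"]), r["cs_object"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        errors = [t for t, s, _ in events if s in (403, 404)]
        # Sliding window over sorted error timestamps: largest count of
        # errors whose first and last fall within window_seconds.
        best, j = 0, 0
        for i, t in enumerate(errors):
            while t - errors[j] > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best < min_errors:
            continue
        findings[ip] = {
            "errors_in_window": best,
            "distinct_objects_tried": len({o for _, s, o in events if s in (403, 404)}),
            # Successful reads from the same client once probing had begun.
            "hits_after_probing": sorted({o for t, s, o in events
                                          if s == 200 and t >= errors[0]}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

On the constructed log the detector flags 203.0.113.7 with 12 errors in the window and `backup.7z` as the object read after probing, while the ordinary visitor with a single 404 is not reported. The thresholds are deliberately conservative; a real deployment would tune `min_errors` and `window_seconds` against the bucket's normal 404 rate.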
2. Data Exfiltration
Once the file path is confirmed, we exfiltrate the archive to our local machine using the gcloud storage utility.
Command:
gcloud storage cp gs://it-storage-bucket/backup.7z .
3. Cracking the Archive
Since the .7z file is password-protected, we use John the Ripper to run a wordlist (dictionary) attack against it. First, we must convert the archive into a crackable hash format.
Step A: Extract the hash
7z2john backup.7z > hash.txt
Step B: Run the cracker
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
The password is found: balance.
4. Retrieving the Flag
With the password in hand, we extract the archive contents.
Command:
7z x backup.7z
After entering the password balance, the archive unlocks to reveal the final flag.