Some handy notes for GCP pentesting

Bruno — Tue, 19 Nov 2024 21:10:55 +0000

Hey folks!
Here's some notes that I use when validating some GCP service accounts and looking for SSRFs.

How to authenticate in a service account using the GCP CLI

gcloud auth activate-service-account 1234567-compute@developer.gserviceaccount.com --key-file=pathtofile.json --project=project_name

The e-mail address you will copy from the json file, also the key file you will point to where the file it's saved, and the project name you also can get in the file.

List of some commands

#List SSL certificates 
gcloud compute ssl-certificates list
#List compute engine image disks
gcloud compute images list
#List compute engine instances
gcloud compute instances list
#List buckets
gcloud storage ls
#List buckets using gsutil
gsutil ls
#List containers
gcloud container images list
#List clusters
gcloud container clusters list
#List firewall rules
gcloud compute firewall-rules list

Achieving SSRFs in Axios

When attempting to achieve SSRF in a GCP environment, it's mandatory to have a 'Metada-Flavor: Google' header to your request.

In Axios, you can add headers to your request by default, you just need to create an object in the request body and it's done.

Some usefull links and tools

GCP Pentesting - Hacktricks

GCP Services - Hacktricks

Awesome GCP Pentesting

A simple tip to find hidden gems in Shodan

Bruno — Sun, 03 Mar 2024 03:55:28 +0000

Shodan is a well-known recon tool, but in larger scopes, it has so many results that it’s hard to find something useful without navigating through all the results pages.

In this image searching for hostnames from Microsoft we got +100k results. It would be a TON of work going through 20 pages of results trying to find something.

That's when the 'facets' search comes into play

Facets are a set of filters that can help with your search. Some basic filters are ‘country’, ‘city’, ‘ssl cert’, and so on.

Personally, the filter that helps me the most to find some interesting stuff for pentests and bug bounties is the ‘http.title’. In many cases, there will be some repetitive titles with an error message or a default response for pages without content.

So instead of going through 20 pages of search, you will have a list that only shows one time each title, and it’s filtered by occurrences.

By doing that we can go for the titles that only show up one or two times in the whole search, that’s where we can find something misconfigured, a subdomain that shouldn’t be public, internal dashboards, and many more.

Usually I don't bother looking for the most common titles, the focus is in the ones with a few appearances.

In this image, we can see that we have some titles that get our attention.

Usually I try to look for titles that contain some keywords like "Dashboard", "Welcome", "Internal" and so on.

From now on, you just gotta dig and look for more.