We start off as a low-privileged user who can perform IAM Get and IAM List actions on all resources. In addition, this user can assume a role that has lambda:* and iam:PassRole on all resources. Using these permissions, it was possible to create a function with another role that had AdministratorAccess attached to it. As a result, we were able to attach AdministratorAccess to the low-privileged user.
00:00 - Video Context
01:16 - Enumerating User Permissions
03:46 - Enumerating roles
08:05 - Identifying exploitation path and assuming lambdaManager role
11:29 - Creating lambda function exploit
17:51 - Running exploit with lambda:Invoke
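One way to audit for the permission combination described above, as an added example that is not taken from the video: it checks IAM policy documents for iam:PassRole together with the Lambda create and invoke actions on all resources. The function names and the two sample policies are constructed for illustration.

```python
import fnmatch

# Actions that together let a principal run code under a role it passes to Lambda.
REQUIRED = ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction")

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _allows(statement, action):
    """True if an Allow statement grants `action` on all resources ("*").

    Simplifying assumptions of this example: Deny statements, NotAction,
    Condition keys and Resource ARNs narrower than "*" are not evaluated.
    """
    if statement.get("Effect") != "Allow":
        return False
    if "*" not in _as_list(statement.get("Resource")):
        return False
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))

def risky_actions(policy):
    """Return the subset of REQUIRED that the policy document allows."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [a for a in REQUIRED if any(_allows(s, a) for s in statements)]

def allows_lambda_passrole_escalation(policy):
    """True when every action needed for the escalation path is allowed."""
    return len(risky_actions(policy)) == len(REQUIRED)

# Constructed sample policies mirroring the two principals in the description.
LAMBDA_MANAGER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("lambdaManager", LAMBDA_MANAGER), ("read-only", READ_ONLY)):
        print(name, allows_lambda_passrole_escalation(doc), risky_actions(doc))
```

A policy flagged here is a candidate for scoping iam:PassRole to specific role ARNs rather than all resources.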
This is the second video in the GCP series, in which the threat actor must leverage an SSRF vulnerability to exploit a misconfigured application. The application supports the gopher protocol, which can be abused to query the metadata service.
The first video in the GCP series features a scenario where participants are provided with a URL leading to a misconfigured storage bucket serving image files. They fuzz for potential files, discover a backup zip file that is exposed because the entity is set to "Public" with "allUsers" granted Reader access, and complete the challenge by decrypting the zip file.
The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users, and exploited this AWS environment in two different ways.