This is the second video in the GCP series which showcases the Gopher SSRF scenario at https://pwnedlabs.io/labs/exploit-ssrf-with-gopher-for-gcp-initial-access.
This scenario involves the exploitation of a web application using an SSRF vulnerability to obtain the GCP credentials from the web server’s metadata. After obtaining the credentials, we access a storage bucket that the application interacts with to obtain sensitive data.
00:00 - Video context
01:00 - Discovering SSRF vulnerability
06:50 - Obtaining GCP credentials
18:17 - Accessing the storage bucket
22:01 - Post-compromise analysi
The first video in the GCP series features a scenario where participants are provided with a URL leading to a misconfigured storage bucket serving image files, prompting them to fuzz potential files, discover a backup zip file due to the entity being set to "Public" with "allUsers" granted Reader access, and completing the challenge by decrypting the zip file.
The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users, and exploited this AWS environment in two different ways.
We gain access to the targeted AWS account by finding an SSRF and RCE vulnerability on an AWS-hosted webapp. We then pivot to other containers and use the metdata credentialso f both the compromised EC2 instance and other docker containers to obtain elevated access within the AWS workload.
