CWL - Compute Engine Intrusion

Author: mfkrypt

Recon

Upon browsing to our target we can see that directory listing is enabled.

Looking at job_search.html, we can see that we get a response from submitting some data; let us observe the request and response in Burp.

A pretty standard POST request. Observe the ip parameter, which we can use to test for SSRF.

Roadblock for SSRF

We can access the GCP instance metadata endpoint using:

  • http://169.254.169.254
  • http://metadata.google.internal
  • http://metadata

It works. We can keep appending the paths that appear in the output until we reach /v1, where no further paths appear.

Apparently, to access the available metadata endpoints we need to add an HTTP header, Metadata-Flavor, with the value set to Google.
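The header requirement is a speed bump, not a fix; the application should refuse to fetch metadata addresses at all. As an added example that is not part of the original writeup, here is a validator for an SSRF-prone parameter like ip that rejects the three metadata addresses listed above plus link-local, loopback and private ranges; the function name is_safe_target and the injectable resolver are assumptions so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames from the writeup that reach the GCP metadata server without an IP.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def resolve(host):
    """Default resolver: real DNS lookup returning the set of addresses."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_target(url, resolver=resolve):
    """Return (ok, reason) for an outbound fetch requested by a user.

    Rejects non-http(s) schemes, the metadata hostnames, and any address
    (literal or resolved) that is link-local (169.254.0.0/16, where
    169.254.169.254 lives), loopback, private, reserved or multicast.
    IPv4-mapped IPv6 literals are unwrapped so ::ffff:169.254.169.254
    is judged as 169.254.169.254.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS or host.endswith(".google.internal"):
        return False, "metadata hostname"
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if (addr.is_link_local or addr.is_loopback or addr.is_private
                or addr.is_reserved or addr.is_multicast
                or addr.is_unspecified):
            return False, f"disallowed address {addr}"
    return True, "ok"
```

Because the HTTP client will resolve the hostname again when it connects, connect to the address that passed validation rather than re-resolving, otherwise a rebinding DNS record can swap in 169.254.169.254 between the check and the fetch.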

Command Injection

After testing, we discover that the organization parameter is vulnerable to Command Injection, through which we can execute code.

Chaining vulnerabilities

Leveraging the Command Injection, we can curl with the required Metadata-Flavor header added and then freely access the GCP instance metadata.

The command would be:

curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/"

To access the service accounts' email IDs we use this path:

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
