lacioffi/GCP-pentest-lab
GCP-pentest-lab

A vulnerable environment for exploring common GCP misconfigurations and vulnerabilities


This lab focuses entirely on exploiting cloud misconfigurations and cloud-native privilege escalation paths. No web exploits, OS-level privilege escalation or similar techniques are needed; instead, you use GCP tools and features to explore any credentials you find and look for flags or escalation paths.

Running the lab

1 - To set up the lab, first create a GCP project with an associated billing account. If you wish, you can use GCP's free trial, which gives you $300 of credit and 90 days to play around in GCP.

2 - You need Terraform installed. If you don't have it, follow HashiCorp's installation instructions.

3 - To let Terraform make changes to your project, authenticate your terminal with gcloud. The easiest way is to run gcloud auth application-default login (these Application Default Credentials are what the Terraform Google provider picks up). If you don't have gcloud yet, install the Google Cloud CLI first.

4 - Then run terraform init followed by terraform apply inside this folder. When prompted, enter your project's ID.

NOTE: this project enables some APIs for you, and these can take a while to become fully active, which may cause Terraform to fail partway through. If you hit such errors, run terraform apply again; it will pick up where it left off.
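The four steps above, scripted end to end, as an added example (this is not part of the lab's own tooling). It checks that both CLIs are present, logs in with Application Default Credentials, and wraps terraform apply in a retry loop for the API-activation race the note describes. It assumes the lab's Terraform variable for the project is named project_id (check variables.tf if the prompt asks for a different name); the retry count and delay are arbitrary choices.

```shell
#!/bin/sh
# Added example, not the lab's own code: provision the lab non-interactively
# and tolerate the "API not yet active" failures the README warns about.
set -eu

# require_tool NAME: fail with a clear message if NAME is not on PATH.
require_tool() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "missing tool: $1 (install it first)" >&2
    return 1
  }
}

# retry N CMD ARGS...: run CMD up to N times, sleeping RETRY_DELAY seconds
# (default 20) between failed attempts. Returns the last failure if all fail.
retry() {
  attempts=$1; shift
  i=1
  while :; do
    if "$@"; then return 0; fi
    [ "$i" -lt "$attempts" ] || return 1
    echo "attempt $i/$attempts failed; retrying in ${RETRY_DELAY:-20}s" >&2
    sleep "${RETRY_DELAY:-20}"
    i=$((i + 1))
  done
}

# provision PROJECT_ID: steps 2-4 of the README in one go.
provision() {
  project=$1
  require_tool gcloud
  require_tool terraform
  # Terraform's google provider reads Application Default Credentials.
  gcloud auth application-default login
  gcloud config set project "$project"
  terraform init
  # Assumption: the lab's project variable is called project_id. Setting it via
  # TF_VAR_ avoids the interactive prompt so the retry loop can re-run apply.
  export TF_VAR_project_id="$project"
  retry 3 terraform apply -auto-approve
  # The outputs include the webserver's public IP you need for "How to Play".
  terraform output
}

case "${1:-}" in
  provision) provision "${2:?usage: $0 provision PROJECT_ID}" ;;
  "") ;;  # no arguments: define functions only
  *) echo "usage: $0 provision PROJECT_ID" >&2; exit 2 ;;
esac
```

Run it as ./provision.sh provision my-project-id from the repository folder; the retry loop only re-runs terraform apply, which is safe because Terraform reconciles the resources it already created.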

How to Play

After the environment is provisioned, Terraform outputs the webserver's public IP. Start the game by opening this IP over HTTP, which lands you in the web application. If you lose the IP, you can also find it on your project's VM Instances page.

This is a "black box" CTF. You're supposed to start as a "random" user through the web app. Reading anything inside this project's source files is "cheating", and so is using any account in your GCP project that you already have.

Suggestion: run gcloud auth revoke --all after setting up the lab to log out of every account active in your gcloud CLI. This prevents you from accidentally running gcloud commands as your (privileged) personal account. Note that this does not touch the Application Default Credentials created by gcloud auth application-default login; revoke those separately with gcloud auth application-default revoke, and log in again before running terraform destroy.
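The suggestion above as a script with a verification step, added here as an example (not the lab's own code): it revokes both the CLI credentials and the Application Default Credentials, then checks that gcloud really has no credentialed account left and that the ADC file is gone. The ADC path it checks is gcloud's default location; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the lab's own code: park your own identity before playing,
# so any credential you use from now on is one the lab gave you.
set -eu

# count_accounts: count non-blank lines on stdin, the shape of
# `gcloud auth list --format='value(account)'` output.
count_accounts() {
  grep -c . || true
}

# adc_path [DIR]: where gcloud stores Application Default Credentials
# (DIR defaults to $CLOUDSDK_CONFIG, then ~/.config/gcloud).
adc_path() {
  printf '%s/application_default_credentials.json\n' \
    "${1:-${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}}"
}

# drop_identity: revoke everything, then verify nothing is left behind.
drop_identity() {
  # The README's command covers gcloud's own credential store ...
  gcloud auth revoke --all || true
  # ... but not the ADC that Terraform used; revoke those as well (you will
  # need `gcloud auth application-default login` again before terraform destroy).
  gcloud auth application-default revoke --quiet || true

  n=$(gcloud auth list --format='value(account)' 2>/dev/null | count_accounts)
  [ "$n" -eq 0 ] || {
    echo "still $n credentialed account(s) in gcloud" >&2
    return 1
  }
  [ ! -f "$(adc_path)" ] || {
    echo "ADC file still present: $(adc_path)" >&2
    return 1
  }
  echo "no local gcloud identity left; credentials used from here on come from the lab"
}

case "${1:-}" in
  drop) drop_identity ;;
  "") ;;  # no arguments: define functions only
  *) echo "usage: $0 drop" >&2; exit 2 ;;
esac
```

The explicit checks matter more than the revoke commands: a stale ADC file is exactly the kind of leftover that lets a "black box" exercise silently succeed with your admin identity.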

Flags

There are six flags in total (for now).
The flags are short texts that identify themselves as flags (e.g. "Hey you found me, I'm flag #1!"). They can be embedded in other files or be files of their own.
They generally follow a linear pattern (you must find flag 1 before flag 2, and so on), but some can be reached out of order.

Flag 1

Flag 1 is in an open bucket.

Flag 2

Flag 2 is in another bucket, but this one isn't public :)

Flag 3

Flag 3 is sitting inside some source-code.

Flag 4

Flag 4 is a secret, literally!

Flag 5

Flag 5 is inside some instance, but isn't a file!

Flag 6

Flag 6 is in yet another bucket, but this one is the most restricted yet!
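Three of the six flags sit in buckets with different access levels, so a reusable check for how a bucket you have discovered is exposed is worth having. The script below is an added example, not part of the lab, and names no lab resource: given a bucket name, it tries an anonymous listing through the public Cloud Storage JSON API, then a listing with whatever gcloud identity is currently active, and finally inspects the bucket's IAM policy for the allUsers / allAuthenticatedUsers principals (which is only possible when that identity holds storage.buckets.getIamPolicy). Function names and the fields= query are this example's own choices.

```shell
#!/bin/sh
# Added example, not the lab's own code: classify how a bucket is exposed,
# using only the public Cloud Storage JSON API and the active gcloud identity.
set -eu

API="https://storage.googleapis.com/storage/v1"

# policy_is_public: read a bucket IAM policy (JSON) on stdin and succeed if any
# binding grants access to the anonymous or the any-Google-account principal.
policy_is_public() {
  grep -Eq '"(allUsers|allAuthenticatedUsers)"'
}

# list_objects BUCKET [TOKEN]: list object names; anonymous when TOKEN is empty.
# curl -f turns the 401/403 a private bucket returns into a non-zero exit.
list_objects() {
  bucket=$1; token=${2:-}
  if [ -n "$token" ]; then
    curl -fsS -H "Authorization: Bearer $token" "$API/b/$bucket/o?fields=items/name"
  else
    curl -fsS "$API/b/$bucket/o?fields=items/name"
  fi
}

# classify BUCKET: anonymous first, then authenticated, then the policy itself.
classify() {
  bucket=$1
  if list_objects "$bucket" >/dev/null 2>&1; then
    echo "$bucket: anonymously listable (allUsers has object listing)"
    return 0
  fi
  token=$(gcloud auth print-access-token 2>/dev/null || true)
  if [ -n "$token" ] && list_objects "$bucket" "$token" >/dev/null 2>&1; then
    echo "$bucket: listable with the active gcloud identity"
  else
    echo "$bucket: not listable with the current credentials"
  fi
  # Only works if the identity may read the policy; silent otherwise.
  if gcloud storage buckets get-iam-policy "gs://$bucket" --format=json 2>/dev/null \
       | policy_is_public; then
    echo "$bucket: IAM policy contains a public principal"
  fi
}

case "${1:-}" in
  "") ;;  # no arguments: define functions only
  *) classify "$1" ;;
esac
```

Run it as ./bucketcheck.sh some-bucket-name. An anonymous listing succeeding is the Flag 1 situation; a listing that only works after you have activated a credential you found is the Flag 2 situation.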

Uninstalling

To tear down the environment, run terraform destroy (with your own credentials active again). As with apply, you may need to run it more than once because of API timing issues.

Related Projects

If you liked this project and are looking for similar labs, check out these projects:

https://github.com/ine-labs/GCPGoat
https://github.com/JOSHUAJEBARAJ/GCP-GOAT
