# Discovering and Abusing Google Storage - GCS

## Introduction

Google Cloud Storage (GCS) is Google's object storage service. Data of any file type is stored as objects inside buckets, and permissions can then be granted per bucket and per object.

Buckets contain objects, which are accessed through their own API methods. In addition to the `acl` property, buckets expose `bucketAccessControls` for fine-grained manipulation of an existing bucket's access controls. More often than not, Google Cloud buckets are discovered with weak permissions on individual objects or on the bucket itself: files and folders that should not be public are made world readable and are available for anyone to inspect.

## What are we going to cover?

This chapter covers the common attacks against misconfigured buckets and the data leaks that can result from them.

## Steps to setup lab

We are going to use the Google Cloud console to create this intentionally vulnerable lab environment.

1. Open your browser and log in to your Google Cloud console account.
2. In the Google Cloud console, go to the [Cloud Storage Buckets](https://console.cloud.google.com/storage/browser) page.
3. On the Create a bucket page, enter your bucket information. To go to the next step, click Continue.

* For Name your bucket, enter a name that meets the bucket name requirements with `demo-bucket-$GCLOUD_PROJECT`.
* For Choose where to store your data, select a `multi region` where the bucket data will be permanently stored.

![](/files/JBY6FO6QSuODA6Jjt8bA)

* For Choose a default storage class for your data, keep `standard`; this class is assigned by default to every object uploaded to the bucket.
* For Choose how to control access to objects, select `Fine-grained` Access control model for your bucket's objects.

![](/files/6k2HMP042rPsmplSEZNs)

* For Choose how to protect object data, select `none`, since we are deliberately creating a vulnerable bucket. Now click `create`.

![](/files/FffIqG2VE1fXLJwNA59H)

* Once the bucket is created, navigate to the `Permissions` section. Click `add`, select the role `Storage Admin` and the principal `allUsers`.
* Since we have created a vulnerable bucket, it's time to add the bucket name to `wordlist.txt`.

Now, open a terminal on the hacker machine and perform the following step:

`echo <BUCKET-NAME> >> tools/wordlist.txt`

* If you see any error, please inform one of the trainers.

We will use this wordlist as the dictionary for searching for Google Cloud buckets in the next section.
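The grant this lab creates (an IAM binding for `allUsers`, or an ACL entry for it under the fine-grained model described in the introduction) is exactly what a bucket audit should catch before CloudBrute does. The following Python is an added example, not part of the original lab and not CloudBrute's code. It parses the JSON that `gsutil iam get gs://BUCKET` and `gsutil acl get gs://BUCKET` print, flags any binding or ACL entry granted to `allUsers` or `allAuthenticatedUsers`, rates each finding by whether the role allows writes, and builds the remediated IAM policy you would write back with `gsutil iam set`. The sample policy and ACL below are constructed for this example.

```python
"""Audit a GCS bucket's IAM policy and ACL for public grants (added example)."""
import json

# Principals that make a grant "public"; allAuthenticatedUsers means any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# IAM roles that let the grantee create, modify or administer data, not only read it.
WRITE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyObjectOwner",
}

# ACL roles (fine-grained model) that allow writes.
ACL_WRITE_ROLES = {"OWNER", "WRITER"}


def find_public_iam_bindings(policy: dict) -> list[dict]:
    """Return one finding per IAM binding that includes a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        public = sorted(PUBLIC_PRINCIPALS.intersection(binding.get("members", [])))
        if public:
            findings.append({
                "source": "iam",
                "role": binding["role"],
                "principals": public,
                "severity": "high" if binding["role"] in WRITE_ROLES else "medium",
            })
    return findings


def find_public_acl_entries(acl: list) -> list[dict]:
    """Return one finding per bucket/object ACL entry whose entity is public."""
    findings = []
    for entry in acl:
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            findings.append({
                "source": "acl",
                "role": entry["role"],
                "principals": [entry["entity"]],
                "severity": "high" if entry["role"] in ACL_WRITE_ROLES else "medium",
            })
    return findings


def audit_bucket(policy: dict, acl: list) -> list[dict]:
    """Combine IAM and ACL findings for one bucket."""
    return find_public_iam_bindings(policy) + find_public_acl_entries(acl)


def remediated_policy(policy: dict) -> dict:
    """Copy of the policy with public principals removed; bindings left empty are dropped.
    The etag is kept so the write-back fails safely if the policy changed meanwhile."""
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            bindings.append({**binding, "members": members})
    return {**policy, "bindings": bindings}


# Constructed sample: the shape `gsutil iam get` prints, with the lab's allUsers Storage Admin grant.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["allUsers", "user:owner@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]}
  ],
  "etag": "CAE="
}
""")

# Constructed sample: the shape `gsutil acl get` prints for a fine-grained bucket.
SAMPLE_ACL = json.loads("""
[
  {"entity": "project-owners-123456", "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
]
""")

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL):
        print(f"[{finding['severity']}] {finding['source']}: "
              f"{finding['role']} granted to {', '.join(finding['principals'])}")
    print(json.dumps(remediated_policy(SAMPLE_POLICY), indent=2))
```

Run it against real output by replacing the two samples with `json.load()` of the `gsutil iam get` and `gsutil acl get` output; the remediated policy is what you would feed to `gsutil iam set`. Note that removing the IAM binding alone does not close an `allUsers` ACL entry on a fine-grained bucket, which is why both sources are checked.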

## Steps to attack

We will use the custom wordlist with `CloudBrute`, which is available in the tools section.

Open a terminal and navigate to the `~/tools/cloudbrute` folder.

Now run the following command to start searching for open buckets in Google Cloud:

```
./cloudbrute -d domain -k keyword -m storage -c google -o interesting_file.txt -w wordlist-file
```

Kill the script once it reaches the end of the wordlist and hangs.

To see the results, open `interesting_file.txt`, which lists the discovered content.

Did you find anything interesting in the bucket(s)?

### CloudBrute - DEMO

This tool helps us find Google Cloud buckets that are open to the public.

`./cloudbrute -d appsecco -k nulltest -w wordlist.txt -m storage -c google -o interesting_file.txt`

![](/files/mLn9VzdIdOiyLFMn8lf1)

## Additional exercise - Writing data to a bucket

Copy the data from the public bucket to the local machine:

`gsutil cp -r gs://[bucket] .`

For example:

`gsutil cp -r gs://nulltest007 .`

A publicly accessible Google Cloud bucket can also be reached directly through its HTTP endpoint:

`http://BUCKET_NAME.storage.googleapis.com/OBJECT_NAME`

or

`http://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME`
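The two endpoint forms above, and the `gs://` form used with `gsutil`, all name the same object. The following Python is an added example, not part of the original page, that parses any of the three into a (bucket, object) pair and a canonical `gs://` URI. This is useful when triaging a leaked link or matching URLs found in logs against an inventory of your own buckets. It handles percent-encoded object names and bucket names that contain dots; the object names used in the example are constructed.

```python
"""Normalise Google Cloud Storage object URLs (added example)."""
from urllib.parse import urlsplit, unquote

GCS_HOST = "storage.googleapis.com"


def parse_gcs_url(url: str) -> tuple[str, str]:
    """Return (bucket, object_name) for a virtual-hosted, path-style or gs:// URL.

    object_name is "" for a bucket-level URL. Raises ValueError for any other host.
    """
    parts = urlsplit(url)
    # Object names are percent-encoded in HTTP URLs; decode to the real key.
    path = unquote(parts.path.lstrip("/"))

    if parts.scheme == "gs":
        # gs://bucket/object -> the netloc is the bucket name.
        return parts.netloc, path

    host = (parts.hostname or "").lower()
    if host == GCS_HOST:
        # Path-style: storage.googleapis.com/BUCKET/OBJECT
        bucket, _, obj = path.partition("/")
        return bucket, obj
    suffix = "." + GCS_HOST
    if host.endswith(suffix):
        # Virtual-hosted: BUCKET.storage.googleapis.com/OBJECT (bucket may contain dots)
        return host[: -len(suffix)], path
    raise ValueError(f"not a Google Cloud Storage URL: {url}")


def to_gs_uri(url: str) -> str:
    """Canonical gs:// form, the one gsutil takes on the command line."""
    bucket, obj = parse_gcs_url(url)
    return f"gs://{bucket}/{obj}" if obj else f"gs://{bucket}"


if __name__ == "__main__":
    # Constructed object names; nulltest007 is the bucket used earlier on the page.
    for u in ("http://nulltest007.storage.googleapis.com/reports/q1.pdf",
              "https://storage.googleapis.com/nulltest007/reports/q1%20final.pdf",
              "gs://nulltest007/reports/q1.pdf"):
        print(u, "->", parse_gcs_url(u), to_gs_uri(u))
```

Because bucket names are global, the bucket part of any of these URLs identifies the owning bucket directly, so the parsed name can be looked up against your organisation's bucket inventory to decide whether a link seen in the wild points at something you own.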

## Additional references

* [CloudBrute](https://github.com/0xsha/CloudBrute)
* [Wild hunt on clouds](https://0xsha.io/blog/introducing-cloudbrute-wild-hunt-on-the-clouds)

