Discovering and Abusing Google Storage - GCS

Introduction

Google Cloud Storage (GCS) is Google's object storage service; a bucket can hold any kind of file. Permissions can then be granted per object and per bucket.

Buckets contain objects, which can be accessed through their own methods. In addition to the acl property, buckets have bucketAccessControls, used for fine-grained manipulation of an existing bucket's access controls. More often than not, Google Cloud buckets are discovered with weak permissions on individual objects or on the entire bucket itself. Files and folders that should not be public are made world-readable and are available to anyone for inspection.

What are we going to cover?

This chapter covers the common attacks on misconfigured buckets and the data leaks they can cause.

Steps to setup lab

We are going to use the Google Cloud console to create this intentionally vulnerable lab environment.

  1. Open your browser and log in to your Google Cloud console account.

  2. In the Google Cloud console, go to the Cloud Storage Buckets page.

  3. On the Create a bucket page, enter your bucket information. To go to the next step, click Continue.

  • For Name your bucket, enter a name of the form demo-bucket-$GCLOUD_PROJECT that meets the bucket name requirements.

  • For Choose where to store your data, select a multi-region where the bucket data will be permanently stored.

  • For Choose a default storage class for your data, keep Standard; it is the class assigned by default to all objects uploaded to the bucket.

  • For Choose how to control access to objects, select the Fine-grained access control model for your bucket's objects.

  • For Choose how to protect object data, select None, since we are making an intentionally vulnerable bucket. Now click Create.

  • Once the bucket is created, navigate to the Permissions section. Click Add, select Storage Admin as the role and allUsers as the principal.

  • Since we have created a vulnerable bucket, it's time to add the bucket name to wordlist.txt.

Now, open a terminal on the hacker machine and perform the following step:

echo <BUCKET-NAME> >> tools/wordlist.txt

  • If you see any error, please inform one of the trainers.

We will use this wordlist to search for Google Cloud buckets.
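The misconfiguration the lab just introduced (Storage Admin granted to allUsers) is visible in the bucket's IAM policy. The following is an added example, not part of the original lab material, showing how a defender would audit such a policy and produce a remediated copy. It assumes the policy is supplied as the JSON that gsutil iam get gs://BUCKET or gcloud storage buckets get-iam-policy gs://BUCKET --format=json returns (a "bindings" list of role/members pairs); the sample policy embedded below is constructed to mirror the lab bucket and is not a real project's policy.

```python
import copy

# Principals that make a binding public to everyone on the internet (allUsers)
# or to anyone with a Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Predefined GCS roles that allow more than reading. A public grant of one of
# these lets strangers modify or delete data, which is the lab's own setup.
WRITE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter",
}


def find_public_bindings(policy):
    """Return one finding per binding that includes a public principal.

    Each finding records the role, which public members were present, and a
    severity: 'critical' for roles that allow writes, 'high' for read-only roles.
    """
    findings = []
    for binding in policy.get("bindings", []):
        public = sorted(PUBLIC_MEMBERS.intersection(binding.get("members", [])))
        if not public:
            continue
        role = binding.get("role", "")
        findings.append({
            "role": role,
            "members": public,
            "severity": "critical" if role in WRITE_ROLES else "high",
        })
    return findings


def remove_public_members(policy):
    """Return a deep copy of the policy with every public principal stripped.

    Bindings left with no members are dropped entirely, since an empty binding
    is rejected when the policy is set back on the bucket. Non-public members
    (the real owners) are untouched.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


# Constructed sample policy: this is what the lab bucket looks like after
# "Storage Admin" is granted to allUsers, plus a second public read binding.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["allUsers", "user:owner@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:example-project"]},
    ],
    "etag": "CAE=",
}


if __name__ == "__main__":
    for f in find_public_bindings(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['role']} granted to {', '.join(f['members'])}")
    print("remediated bindings:", remove_public_members(SAMPLE_POLICY)["bindings"])
```

Run the audit against every bucket in a project on a schedule and alert on any finding; the remediated policy can be written back with gsutil iam set, but review it first so that an intended public website bucket is not broken by the change.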

Steps to attack

We will use the custom wordlist for CloudBrute, which is available in the tools section.

Open a terminal and navigate to the ~/tools/cloudbrute folder.

Now run the following command to start searching for open buckets in Google Cloud.

./cloudbrute -d domain -k keyword -m storage -c google -o interesting_file.txt -w wordlist-file

Kill the script once it reaches the end of the wordlist and stops making progress.

Open interesting_file.txt to see the discovered content.

Did you find anything interesting in the bucket(s)?

CloudBrute - DEMO

This tool is going to help us find the Google Cloud buckets that are open to the public.

./cloudbrute -d appsecco -k nulltest -w wordlist.txt -m storage -c google -o interesting_file.txt

Additional exercise - Writing data to a bucket

Copy the data from the public bucket to your local machine:

gsutil cp -r gs://[bucket] .

For example

gsutil cp -r gs://nulltest007 .

Accessing a publicly accessible Google Cloud bucket via an endpoint

http://BUCKET_NAME.storage.googleapis.com/OBJECT_NAME

or

http://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME
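Both endpoint forms above name the same bucket and object, so anything that inspects request URLs (a CDN or proxy log in front of a bucket, or the cs_uri column of a GCS usage log) has to normalise them before it can tell which bucket and which object were fetched. The following is an added example, not part of the original page, that maps either form back to (bucket, object) and then summarises, per bucket, how many bucket-listing requests and which object reads succeeded. The log lines are constructed for the example in a simple "timestamp client-ip method url status" layout; they are not real GCS log output.

```python
from urllib.parse import urlsplit, unquote

GCS_HOST = "storage.googleapis.com"


def parse_gcs_url(url):
    """Return (bucket, object_name) for either public endpoint form, else None.

    Virtual-hosted form: http://BUCKET.storage.googleapis.com/OBJECT
    Path-style form:     http://storage.googleapis.com/BUCKET/OBJECT
    An empty object name means the request targeted the bucket itself, i.e.
    a listing, which is how discovery tools confirm a bucket is public.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""      # urlsplit lowercases the host for us
    path = parts.path.lstrip("/")
    if host == GCS_HOST:
        segments = path.split("/", 1)
        bucket = segments[0]
        obj = segments[1] if len(segments) > 1 else ""
    elif host.endswith("." + GCS_HOST):
        bucket = host[: -len("." + GCS_HOST)]
        obj = path
    else:
        return None
    if not bucket:
        return None
    return bucket, unquote(obj)      # object names may be percent-encoded


def summarize_access(lines):
    """Group successful GCS requests by bucket.

    Returns {bucket: {"listings": count, "objects": sorted list of object names}}
    counting only 2xx responses, since a 403/404 means nothing was disclosed.
    """
    summary = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                  # skip malformed lines rather than crash
        _ts, _ip, method, url, status = fields
        parsed = parse_gcs_url(url)
        if parsed is None or method != "GET" or not status.startswith("2"):
            continue
        bucket, obj = parsed
        entry = summary.setdefault(bucket, {"listings": 0, "objects": set()})
        if obj == "":
            entry["listings"] += 1
        else:
            entry["objects"].add(obj)
    for entry in summary.values():
        entry["objects"] = sorted(entry["objects"])
    return summary


# Constructed sample log lines (not real GCS logs): one bucket listing,
# two object reads in both URL forms, one denied request, one unrelated host.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 203.0.113.5 GET http://storage.googleapis.com/nulltest007/ 200",
    "2024-05-01T10:00:02Z 203.0.113.5 GET http://nulltest007.storage.googleapis.com/backup/db%20dump.sql 200",
    "2024-05-01T10:00:03Z 203.0.113.5 GET https://storage.googleapis.com/nulltest007/config/.env 200",
    "2024-05-01T10:00:04Z 198.51.100.9 GET http://storage.googleapis.com/private-bucket/secret.txt 403",
    "2024-05-01T10:00:05Z 198.51.100.9 GET http://example.com/index.html 200",
]


if __name__ == "__main__":
    for bucket, entry in summarize_access(SAMPLE_LOG).items():
        print(bucket, entry)
```

A listing request against a bucket you did not intend to be public is the signal to act on: it is the same request the discovery step above relies on, and the object names that follow it show exactly what was exposed.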
