Google Cloud VM Instances

Introduction

Google Cloud provides secure and customizable compute service that lets you create and run virtual machines on Google’s infrastructure. Google cloud VMs provide scale-out workloads for best price-performance as compared to general-purpose VMs, useful for most demanding applications and workloads

What we are going to cover?

We will setup a target VM instance that will host a vulnerable application and exploit the app to gain access to service account credentials.

Steps to setup lab

Note: Setting up VMs in Google cloud will incur cost, however this is covered under the free credits that you have when you signed up to Google Cloud.

An image has been pre-created for the purpose of this lab. This image needs to be imported to your account and a vm instance needs to be created from it.

Before beginning, verify that you are using the correct account and project via gcloud cli

Verify account - gcloud auth list
Verify project - gcloud config get project

Please let the trainer know, or run the gcloud config commands to set these values correctly before proceeding.

1. Copying the VM Image to your account

Run the following command in a student machine terminal to import the image to your account

gcloud compute images create gcloud-target-vm-nullcon-image --source-uri gs://artifacts-cloudsecurity-training-nullcon/vm-images/gcloud-target-vm-nullcon-image.tar.gz

Once the command has completed, you can see the image created in your account at https://console.cloud.google.com/compute/images?tab=images

2. Creating the VM from an Image

Export some variables to setup the command

export GCLOUD_PROJECT=$(gcloud config get project)
export GCLOUD_PROJECT_NUMBER=$(gcloud projects list --format json --filter=projectId:$GCLOUD_PROJECT | jq .[].projectNumber | cut -d '"' -f2)
export DEFAULT_VM_SA=$GCLOUD_PROJECT_NUMBER-compute@developer.gserviceaccount.com

Run the following commands in a student machine terminal to create a VM from the image that was just copied

gcloud compute instances create gcloud-target-vm-nullcon --project=$GCLOUD_PROJECT --zone=us-central1-a --machine-type=e2-micro --network-interface=network-tier=PREMIUM,subnet=default --maintenance-policy=MIGRATE --provisioning-model=STANDARD --service-account=$DEFAULT_VM_SA --scopes=https://www.googleapis.com/auth/cloud-platform --tags=http-server --create-disk=auto-delete=yes,boot=yes,device-name=gcloud-target-vm-nullcon,image=projects/$GCLOUD_PROJECT/global/images/gcloud-target-vm-nullcon-image,mode=rw,size=10,type=projects/$GCLOUD_PROJECT/zones/us-central1-a/diskTypes/pd-balanced --reservation-affinity=any

Note down the external IP printed on screen.
Updating the policy for lab exercises

gcloud projects add-iam-policy-binding $GCLOUD_PROJECT --member "serviceAccount:$DEFAULT_VM_SA" --role "roles/resourcemanager.projectIamAdmin" > /dev/null

3. Restricted access to Attacker Machine

Remember, this is a deliberately vulnerable app and should not be run on production or facing the Internet. The vulnerability in here does not require any authentication or complex payloads to be exploited.

Run the following command to open port 80 on the Google Cloud Network firewall to allow traffic from the Attacker Machine in AWS

gcloud compute --project=$GCLOUD_PROJECT firewall-rules create allow-http-from-attacker --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:80 --source-ranges=$cloudhackerip/32 --target-tags=http-server

Navigate to the external IP address via Firefox using an SSH tunnel to the attacker machine.

4. Creating Storage Objects to test exfiltration

We need to set up some storage buckets to test token validity and demonstrate exfiltration. Usually this would already be present on target accounts. Run the following commands to setup some storage objects in the target gcloud account. Run the commands one after the other.

gcloud alpha storage buckets create gs://production-data-$GCLOUD_PROJECT

gcloud alpha storage buckets create gs://customer-reports-$GCLOUD_PROJECT

wget https://access-appsecco-training.s3.amazonaws.com/gs-production-data/DataStoreThickClient.zip -O /tmp/DataStoreThickClient.zip

unzip /tmp/DataStoreThickClient.zip -d /tmp/ >/dev/null

gcloud alpha storage cp /tmp/DataStoreThickClient/* gs://production-data-$GCLOUD_PROJECT --gzip-in-flight-all --recursive

wget https://access-appsecco-training.s3.amazonaws.com/gs-customer-reports/customer-reports.zip -O /tmp/customer-reports.zip

unzip /tmp/customer-reports.zip -d /tmp/ >/dev/null

gcloud alpha storage cp /tmp/customer-reports/* gs://customer-reports-$GCLOUD_PROJECT --gzip-in-flight-all --recursive

Additional Information

No Additional information for this section

PreviousGoogle Cloud VM Instances - Lab setup NextGoogle Credentials and Token Extraction

Last updated 2 years ago

hashtagIntroduction

hashtagWhat we are going to cover?

hashtagSteps to setup lab

hashtag1. Copying the VM Image to your account

hashtag2. Creating the VM from an Image

hashtag3. Restricted access to Attacker Machine

hashtag4. Creating Storage Objects to test exfiltration

hashtagAdditional Information