Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page
  • Solve
  • TLDR
  • Reference

Was this helpful?

  1. 2025
  2. Thuderdome

Joining forces as one

PreviousCrossing the great divideNextInfiltrate (open the gate)

Last updated 3 months ago

Was this helpful?

Solve

With the new service account json, lets brute force our permissions again.

Seems like the service account has alot of permissions over compute engine, lets enumerate compute engine to see if theres any interesting information

As our service account name is called automation, lets try and enumerate the automation jumpbox vm.

Within the vm metadata, it contains a credential in plaintext. Lets also add this new password to our existing wordlist.

We are able to then ssh into the automation-jumpbox succesfully.

Enumerating the filesystem, I identify that there is a .config/gcloud folder which contains credentials for another automation account pablo-adm

Lets copy out and bruteforce the permissions on pablo-adm service account.

It seems like pablo-adm has permissions over secretsmanager as well as ability to getIamPolicy.

The clientauthconfig and securityposture/securitycenter are false positive.

We are able to list and get the secrets for WebAdminPassword.

We are also able to get the iam policy of the projects.

Since we have a web admin password, lets try and pivot to the web server with the password.

First lets perform another nmap scan with its public IP address.

Visiting port 8880, we are greeted with another login form. Since we have the password, lets spray the login form with the user list we have but strip of the email. We will also add the new username from the iam enumeration previously to the wordlist.

From the fuzzing output, we have identified a valid user parthaban. Upon authentication, we are given the flag.

TLDR

  • Bruteforce automation service account and identify that it has permissions over compute engine

  • Enumerate compute instances and find plaintext credentials in metadata

  • SSH into the automation jumpbox and enumerate the filesystem

  • Dump the pablo-adm service account json

  • Bruteforce pablo-admin service account permissions

  • Get WebAdminPassword from secretmanager, as well as user listing from IAM

  • Nmap the web server public IP to get the open port and services

  • Fuzz the login form at port 8880 with user list and password from secretmanager

  • Get the flag from the dashboard after login

Reference

NIL

activating the service account
gcloud compute instances list
gcloud compute instances describe automation-jumpbox
SSH connection to automation jumpbox
listing of the .config/gcloud folder
Enumerating secretsmanager
gcloud projects get-iam-policy mp-proj-1-413623