Joining forces as one
With the new service account JSON key, let's brute-force our permissions again.
It seems the service account has a lot of permissions over Compute Engine, so let's enumerate Compute Engine to see whether there is any interesting information.
Since our service account is named automation, let's try enumerating the automation-jumpbox VM.
Within the VM metadata, there is a credential stored in plaintext. Let's also add this new password to our existing wordlist.
We are then able to SSH into automation-jumpbox successfully.
Enumerating the filesystem, I identify that there is a .config/gcloud folder which contains credentials for another automation account, pablo-adm.
Let's copy it out and brute-force the permissions of the pablo-adm service account.
It seems pablo-adm has permissions over Secret Manager as well as the ability to getIamPolicy.
The clientauthconfig and securityposture/securitycenter results are false positives.
We are able to list and get the secret WebAdminPassword.
We are also able to get the IAM policy of the project.
Since we have a web admin password, let's try to pivot to the web server with it.
First, let's perform another nmap scan against its public IP address.
Visiting port 8880, we are greeted with another login form. Since we have the password, let's spray the login form with the user list we have, with the email domain stripped off. We will also add the new username from the earlier IAM enumeration to the wordlist.
From the fuzzing output, we identify a valid user, parthaban. Upon authentication, we are given the flag.
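The plaintext credential in the jumpbox's instance metadata is the finding a project owner would want to catch before an attacker does. The following is an added defender-side check, not part of the original writeup: it scans Compute Engine instance metadata (a constructed sample shaped like the `metadata.items` list the Compute API returns) for keys or values that look like credentials. The key-name and value heuristics are assumptions for this example, and the instance names and values are made up.

```python
import re

# Heuristics (assumed for this example): key names that usually hold secrets,
# "user:password" pairs, and long token-like strings inside values.
SUSPICIOUS_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)
USERPASS = re.compile(r"(?<![^\s=])[\w.@-]+:[^\s/]{6,}$")
TOKENISH = re.compile(r"(?<![^\s=])[A-Za-z0-9_\-]{32,}(?!\S)")

def find_plaintext_credentials(instances):
    """Return (instance, key, reason) for each metadata item that looks like a credential.

    `instances` is shaped like the items of a Compute API instances.list response:
    {"name": ..., "metadata": {"items": [{"key": ..., "value": ...}]}}. Values are
    scanned line by line because startup scripts often embed credentials inline.
    """
    findings = []
    for inst in instances:
        for item in inst.get("metadata", {}).get("items", []):
            key, value = item.get("key", ""), str(item.get("value", ""))
            if SUSPICIOUS_KEY.search(key) and value.strip():
                findings.append((inst["name"], key, "key name suggests a secret"))
                continue
            for line in value.splitlines():
                if USERPASS.search(line.strip()):
                    findings.append((inst["name"], key, "user:password pair in value"))
                    break
                if TOKENISH.search(line):
                    findings.append((inst["name"], key, "token-like string in value"))
                    break
    return findings

# Constructed sample; not real instances, keys or credentials.
SAMPLE_INSTANCES = [
    {"name": "automation-jumpbox", "metadata": {"items": [
        {"key": "enable-oslogin", "value": "FALSE"},
        {"key": "ssh-password", "value": "ExamplePassw0rd!"},
    ]}},
    {"name": "web-01", "metadata": {"items": [
        {"key": "startup-script",
         "value": "#!/bin/bash\napt-get update\nDEPLOY=deployer:S3cretValue42\n"},
    ]}},
    {"name": "clean-vm", "metadata": {"items": [
        {"key": "enable-oslogin", "value": "TRUE"},
    ]}},
]

if __name__ == "__main__":
    for name, key, reason in find_plaintext_credentials(SAMPLE_INSTANCES):
        print(f"{name}: metadata key '{key}': {reason}")
```

In a real project the same function can be fed the output of the Compute API's instances.list (or `gcloud compute instances list --format=json`), and any hit is a signal to move the value into Secret Manager and rotate it.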
Brute-force the automation service account's permissions and identify that it has permissions over Compute Engine
Enumerate Compute instances and find plaintext credentials in the instance metadata
SSH into the automation jumpbox and enumerate the filesystem
Dump the pablo-adm service account JSON key
Brute-force the pablo-adm service account's permissions
Get WebAdminPassword from Secret Manager, as well as a user listing from IAM
Nmap the web server's public IP to get the open ports and services
Fuzz the login form on port 8880 with the user list and the password from Secret Manager
Get the flag from the dashboard after login