Intermediate Lab   Red team   GCP

Exploit SSRF with Gopher for GCP Initial Access

Learn how the impact of an SSRF (Server-Side Request Forgery) vulnerability can be much more severe when virtual machine instance metadata is available.

Overview

This beginner-friendly and fun web exploitation lab shows how the impact of an SSRF (Server-Side Request Forgery) vulnerability can be much more severe when virtual machine instance metadata is available. We'll also see how a protection against SSRF vulnerabilities can be bypassed if the gopher protocol is supported.

Scenario

"You have recently joined a red team and are on an engagement for the client Gigantic Retail. In scope are their on-premise and cloud environments. As the cloud specialist, you are called upon to get initial access to their infrastructure, starting with an identified IP address."

Lab prerequisites

  • Basic Linux command line knowledge

Learning outcomes

  • Exploit an SSRF vulnerability using Burp
  • Bypass a measure that protects against SSRF by leveraging Gopher
  • Enumerate Google Cloud resources using cURL

Real-world context

SSRF vulnerabilities are common and come in at number 10 on the OWASP Top 10 (2021) list. Adoption of cloud services and hybrid cloud architectures is also rapidly increasing, but often there isn't an awareness of the security implications of this new type of infrastructure. This lab also features gopher in bypassing a protection against SSRF vulnerabilities. Gopher is an old protocol that has largely been supplanted, but some libraries still support it by default, which highlights the importance of understanding which protocols the libraries you use enable by default.

Cloud Security Training To Protect Your Business

Pwned Labs for Business gives your team access to dedicated business content, including labs and cyber ranges.

We also offer in-person or remote workshops, and our cloud penetration services are helping businesses become more secure!