Tunnel Through GCP via JWT Forgery

This fun intermediate-level lab walks through compromising a vulnerable web application to gain code execution on the host, harvest cloud credentials, pivot via over-privileged roles, and exfiltrate sensitive data from managed services in GCP.

Our SOC team just raised the alarm that one of our internal tools has accidentally been exposed to the public! The company has recently completed the "lift and shift" of their workflows and data to GCP, where it is secure by default... However, recent logs from an accidently exposed internal web app show some suspicious activity that needs to be investigated. As the company's red team lead, your mission is to establish if this oversight could have allowed a threat actor to gain access to the GCP environment, and if so, what they would be have been able to access.

• Familiarity with web exploitation
• Familiarity with Google Cloud
• Familiarity with the CLI

• Abuse weak JWT handling to escalate from user to admin
• Harvest GCE service account tokens from the instance metadata service
• Use a leaked service account token found in-app to enumerate cloud resources
• Abuse privileges to edit Compute Engine instance metadata
• SSH tunneling to access internal resources
• Escape a restricted shell environment
• Use Service Account Token Creator privileges to move laterally
• Enumerate Cloud SQL instances; recover improperly stored credentials
• Enumerate Artifact Registry and Secret Manager to gain situational awareness

The lab mirrors a real-world chain where a single web vulnerability leads in cloud compromise via weak authentication and authorization, RCE, metadata token harvesting, IAM privilege escalation, and data access in managed services.