Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE in Google Cloud Deployment Manager - 192

Ezequiel Pereira, posted 5 years ago
  • First, the author wanted to do some reconnaissance on how the Google Cloud Deployment process worked. I really appreciate how he goes through all of his attempts, not just the successful ones.
  • The Cloud Deployment API had two main versions: beta and betav2. Besides these two documented versions were two undocumented ones, alpha and dogfood. The dogfood version had some added functionality.
  • After gaining control over one of these internal fields, he tried several requests. Eventually, he was able to get authorization headers from some internal services.
  • Another interesting point is that he had plenty of communication with several Google employees during this process, which gave him a better idea of how things worked.
  • Through internal employees he learned the following: "If service A makes a request with service B on behalf of user C, the authorization of user C is checked. If there are no credentials for C, then the authorization of A is checked instead."
  • Because of the previous note, he removed the credentials from the request to use the authorization from cloud-dm-staging@prod.google.com.
  • Interesting takeaways:
    • Recon is very, very helpful! With an incredibly large and interconnected system (such as Google), there is an even larger attack surface.
    • Having internal buddies can be helpful for understanding the ecosystem.
    • Undocumented versions tend to have added functionality. Always look for this!
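The authorization rule quoted above is the crux of the bug: once the end user's credentials were stripped from a delegated call, the request was evaluated with the calling service's own, far broader, authority. The following is an added example (not code from the writeup or from Google) that models that fallback next to a hardened check; the service and user names, the permission table and the credential format are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed permission table: which principal may perform which action.
# The internal service is deliberately more privileged than the end user,
# mirroring the service account whose authority the writeup ended up using.
PERMISSIONS = {
    "user:c@example.com": {"deployments.get"},
    "service:deploy-manager@internal.example": {
        "deployments.get", "deployments.create", "internal.debug",
    },
}


@dataclass
class Request:
    calling_service: str             # service A in the quoted rule
    on_behalf_of: Optional[str]      # user C; None for a direct service call
    user_credentials: Optional[str]  # constructed: the principal the credential proves
    action: str


def authorize_vulnerable(req: Request) -> bool:
    """The rule as quoted: check user C; if C's credentials are missing,
    silently check service A instead. Stripping the credentials escalates."""
    principal = req.user_credentials or req.calling_service
    return req.action in PERMISSIONS.get(principal, set())


def authorize_hardened(req: Request) -> bool:
    """A delegated request is authorized only as the named end user. Missing
    or mismatched user credentials are denied rather than falling back to the
    service's own identity; only a non-delegated call uses that identity."""
    if req.on_behalf_of is None:
        # Direct service-to-service call: the service acts as itself.
        return req.action in PERMISSIONS.get(req.calling_service, set())
    if req.user_credentials != req.on_behalf_of:
        return False  # no credential, or one that does not prove user C
    return req.action in PERMISSIONS.get(req.user_credentials, set())


def compare(req: Request) -> dict:
    """Return both decisions so the escalation is visible side by side."""
    return {"vulnerable": authorize_vulnerable(req),
            "hardened": authorize_hardened(req)}
```

Running `compare` on a delegated `internal.debug` request with the user credential removed shows the vulnerable check granting what the hardened check denies.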