Bug Bounty - 403 Forbidden to Google cloud service account credentials disclosure!

Mohan Kumar N
Jul 7, 2024

Hi H4ckers, while scrolling through LinkedIn posts I got a target to hunt. Their reward is coupons (3.5k INR, IYKYK) with which we can buy their own products. This is a very short and quick write-up on how I got access to their Google Cloud service account credentials. Let's go..

Since this is a wide-scope target, I ran my recon script to collect subdomains from all possible sources. One of the best things I did was configuring Amass with the APIs of different data sources. By default, Amass scrapes subdomains only from general data sources, which is what most hunters do, and you won't find any unique subdomains that way. So I highly suggest you configure your Amass config file with API keys.

How to use Amass more effectively: https://medium.com/@tucuong97/guide-to-amass-how-to-use-amass-more-effectively-for-analyst-domain-a6c430046946

After enumerating subdomains, I manually visit the domains using the Bulk URL Opener extension, or I use the gowitness tool, which screenshots all the domains and saves them as PNGs. While doing this, I encountered many domains responding with 404, 403 and 200. Honestly, whenever I come across 403 domains I either try bypasses or just skip them. But this time a particular 403 subdomain made me stop there: judging by the subdomain name, I assumed it to be an internal one. So I decided to directory brute-force it using gobuster.

From the gobuster scan results, I got an interesting endpoint: /credentials.json. Immediately I fired up Burp and viewed the response. I found many details such as:

"project_id": "...",
"private_key_id": "...",
"private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY--\n",
"client_email": "...",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",

I knew these were sensitive credentials of some sort, but I didn't know what exactly, and I needed to validate them before reporting. There is an excellent GitHub repo called KEYHACKS (https://github.com/streaak/keyhacks#Google-Cloud-Service-Account-credentials) which can be used whenever you encounter API keys or these kinds of sensitive creds. Fortunately, I found that these are the credentials for accessing a Google Cloud service account, as shown below:

Keys Hacks — GCloud service account cred

KeyHacks also guides you on how to validate the obtained credentials, as shown below:

GCloud service account — validation steps

A service account is a special kind of account typically used by an application or compute workload rather than a person. Applications use service accounts to make authorized API calls by authenticating as the service account. Following the process described in KeyHacks, I installed the gcloud CLI tool and, using the commands mentioned, I was able to fetch an access token. But using the generated access token I was not able to access any sensitive data. I tried to some extent to access resources, but everything failed. I reported this, as I was able to generate an access token using the credentials obtained from /credentials.json.
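As an added example (not code from the original write-up or from the KeyHacks repo), here is a small Python triage helper that recognises a fetched response body as a Google Cloud service-account key from its structure (the fields quoted above), flags a truncated PEM like the one shown, and redacts the secret material so the finding can be pasted into a report. The sample key and its names are constructed, with a dummy base64 PEM body.

```python
"""Triage helper: recognise and redact a leaked GCP service-account key (added example)."""
import json
import re

# Fields Google writes into every service-account key file; a PEM body and an IAM e-mail confirm it.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email", "client_id"}
PEM_RE = re.compile(r"-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END PRIVATE KEY-----\n?$")
SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")

def classify_sa_key(text: str) -> dict:
    """Decide whether `text` (a fetched response body or a file) is a GCP service-account key.
    Returns a verdict plus the non-secret identifiers a triager needs for the report."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return {"is_sa_key": False, "reason": "not JSON"}
    if not isinstance(doc, dict) or doc.get("type") != "service_account":
        return {"is_sa_key": False, "reason": "not a service_account JSON object"}
    missing = sorted(REQUIRED_FIELDS - doc.keys())
    if missing:
        return {"is_sa_key": False, "reason": f"missing fields {missing}"}
    return {
        "is_sa_key": True,
        "project_id": doc["project_id"],
        "client_email": doc["client_email"],
        "private_key_id": doc["private_key_id"],
        # A truncated or mangled PEM (like the one quoted above) cannot be used to mint tokens.
        "pem_well_formed": bool(PEM_RE.match(doc["private_key"])),
        "email_well_formed": bool(SA_EMAIL_RE.match(doc["client_email"])),
    }

def redact_sa_key(text: str) -> str:
    """Return the key JSON with secret material masked, safe to paste into a report."""
    doc = json.loads(text)
    for field in ("private_key", "private_key_id"):
        if field in doc:
            doc[field] = "[REDACTED]"
    return json.dumps(doc, indent=2)

# Constructed sample (not a real key): the PEM body is dummy base64, the names are hypothetical.
SAMPLE = json.dumps({
    "type": "service_account", "project_id": "example-project", "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\nQUJDREVG\n-----END PRIVATE KEY-----\n",
    "client_email": "svc-reader@example-project.iam.gserviceaccount.com", "client_id": "1234567890",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
})

if __name__ == "__main__":
    print(classify_sa_key(SAMPLE))
    print(redact_sa_key(SAMPLE))
```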

Takeaway: don't ignore 404/403 subdomains, as they might contain sensitive info within their directories. Also, when you get any sensitive tokens or API keys, try to validate them using KeyHacks (the GitHub repo), which will help you increase the severity if you are able to do something critical with the tokens/API keys.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Timeline:

Reported: March 2023

Fixed: June 2023

Reward: 3.5k INR coupon

If you found the write-up insightful, feel free to share it!

Thanks for reading, and see you soon for a new adventure.

Contact:

LinkedIn: https://www.linkedin.com/in/mohankumar007/
