Bug Bounty - 404 Not Found to Google cloud service account credentials disclosure!

Mohan Kumar N
3 min read6 days ago

--

Hi H4ckers, While scrolling through LinkedIn posts, I got a target to hunt and their reward is coupons ( 3.5k INR, IYKYK ) using which we can buy their own products. This is a very short and quick write-up on how I got access to their google Cloud service account credentials. Letss go..

Since this is a wide scope target, I ran my recon script to collect subdomains from all possible sources. One of the best thing I did is configuring amass with APIs of different data sources. By default, Amass scrapes subdomains only from general data sources which is done by most of the hunters and you wont find any unique subdomains. So I highly suggest you to configure your Amass config file with APIs.

How to use Amass More effectively https://medium.com/@tucuong97/guide-to-amass-how-to-use-amass-more-effectively-for-analyst-domain-a6c430046946

After enumerating subdomains, I will manually visit the domains using BULK URL OPENER EXTENSION or I use gowitness tool which screenshots all the domains and saves it as png. While doing this, I encountered many 404 and 200 response domains. Honestly whenever I come across 404 domains, I will never consider them and I will just skip. But this time a particular 404 subdomain made me stop there — By looking at the subdomain name, I assumed it to be an internal one. So I decided to directory brute force on this using gobuster as I have heard people telling that they found sensitive info on a 404 domains.

From gobuster scan results, I got an interesting endpoint /credentials.json . Immediately I fired up burp and viewed the response. I found many details such as :

"project_id": "...",
"private_key_id": "...",
"private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY--\n",
"client_email": "...",
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",

I know these are sensitive credentials of some sort of thing, but I dont know what it is, I need to validate them before reporting. There is an excellent github repo called KEYHACKS https://github.com/streaak/keyhacks#Google-Cloud-Service-Account-credentials, which can be used whenever you encounter API keys or these kind of sensitive creds. Fortunately I found, that these are the credentials for accessing Google Cloud Service account as shown below:

Keys Hacks — GCloud service account cred

Key-hacks also guides on how to validate the obtained credentials as shown below :

GCloud service account — validation steps

A service account is a special kind of account typically used by an application or compute workload, rather than a person. Applications use service accounts to make authorized API calls by authenticating as the service account . By following the above said process in key hacks, I have installed gcloud CLI tool, and using the commands mentioned, I was able to fetch the access-token. But using the generated access token I was not able to access any sensitive data . I tried to some extent to access the resources , but everything failed. I reported this, as I was able to generate the access token using the credentials obtained from /credentials.json .

Takeaway : Dont ignore 404 Not Found subdomains, as they might contain sensitive infos within their directories. Also when you get any sensitive tokens, APIs try to validate them using key-hacks(github repo) which will help you increase the severity if you are able to do something critical with the tokens/API.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Timeline :

Reported : March 2023

Fixed : June 2023

Reward: 3.5k INR Coupon

If you found the write-up insightful, feel free to share it !

Thanks for reading, and see you soon for a new adventure.

Contact :

LinkedIn : https://www.linkedin.com/in/mohankumar007/

--

--