2024-08-07 – Florentine F
The Cloud Shell feature from cloud service providers offers a convenient way to access resources within the cloud, significantly improving the user experience for both administrators and developers. However, even though the spawned instance has a short lifespan, granting excessive permissions could still pose security risks to users. This talk reveals an abuse methodology that leverages an unexpected, public-facing port in GCP Cloud Shell discovered during recon. Through manipulation in Linux Netfilter's NAT table, it serves various internally running services such as HTTP, SOCKS, and SSH within the Cloud Shell container to the public. This configuration could be exploited by adversaries to bypass the Google authentication needed in its Web Preview feature to leak data, to deliver malicious content, or to pivot attack traffic through the Google network.
Detailed Outline
Cloud Shell in a glimpse
A cloud shell is a web-based command-line interface (CLI) provided by cloud computing platforms. Its main purpose is to let users manage cloud resources directly from their web browser without installing any local software. Every GCP user has access to Cloud Shell by default and for free, as promoted by the vendor.
- What is a Cloud Shell
- Features and Constraints
Recon against the Cloud Shell instance
- Infra and Network env.
The recon tells us that the GCP Cloud Shell instance runs in a containerized environment with a certain degree of disk persistence for user data. Root privilege is not always available across service providers; for example, the sudo command is not allowed in Azure’s Cloud Shell. Unrestricted egress traffic and no ingress traffic is common practice among service providers.
- Open ports
With GCP Cloud Shell’s Web Preview feature, web content can be served through a redirector with TLS certificates already provisioned, which is quite convenient for developers. But why did our Nmap scan find two open ports, and why could one of them (6000/tcp) be mapped to the container’s port 922/tcp, where SSHd listens? The least privilege principle does not seem well applied here. Furthermore, is it necessary for the SSHd inside the container to be exposed to the public Internet at all?
Granular packet flow control
- Packet flow in Linux Netfilter
This is a packet flow diagram from Linux Netfilter’s perspective. The PREROUTING chain in the NAT table sits at a very early stage of the flow, before the routing decision and before the filter table’s INPUT chain.
- Mess with the PREROUTING Chain
By inserting extra iptables rules into that chain, we can redirect traffic destined for the external port 6000/tcp (port 922/tcp inside the container) to whatever internal port we like. The new firewall policy can let clients connecting from different source addresses or CIDRs reach different services, all through the single port 6000/tcp.
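From the defender’s side, the configuration described above is visible in the container’s own ruleset. The following audit script is an added example (not part of the talk or of any Google tooling): it parses iptables-save output and flags nat/PREROUTING rules that REDIRECT or DNAT traffic arriving on a port reachable from outside. The dump it runs on is constructed, and the exposed port set (922/tcp, the container side of external 6000/tcp) is taken from the talk’s own finding.

```python
"""Audit an iptables-save dump for NAT PREROUTING rules that re-route traffic
arriving on a port that is reachable from outside the container.

Added example (not from the talk); the dump below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumption taken from the talk: external 6000/tcp lands on container port 922/tcp.
EXPOSED_PORTS: Set[int] = {922}

# Constructed iptables-save output: a benign baseline plus three REDIRECT rules
# of the kind described above, keyed on source CIDR.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 198.51.100.0/24 -p tcp -m tcp --dport 922 -j REDIRECT --to-ports 1080
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 922 -j REDIRECT --to-ports 22
-A PREROUTING -p tcp -m tcp --dport 922 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 922 -j ACCEPT
COMMIT
"""

NAT_TARGETS = {"REDIRECT", "DNAT"}


@dataclass
class Finding:
    source: str          # "any" when the rule carries no -s match
    dport: Optional[int]
    target: str
    to: str
    rule: str


def nat_prerouting_rules(dump: str) -> List[str]:
    """Return the -A PREROUTING lines that belong to the *nat table only.

    nat/PREROUTING is evaluated before the routing decision and before the
    filter INPUT chain, so a rewrite here changes which local socket the
    packet reaches regardless of what the filter table allows.
    """
    table = None
    rules: List[str] = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A PREROUTING "):
            rules.append(line)
    return rules


def _opt(pattern: str, rule: str) -> Optional[str]:
    m = re.search(pattern, rule)
    return m.group(1) if m else None


def audit(dump: str, exposed_ports: Set[int] = EXPOSED_PORTS) -> List[Finding]:
    """Flag nat/PREROUTING rules that redirect or DNAT traffic hitting an exposed port."""
    findings: List[Finding] = []
    for rule in nat_prerouting_rules(dump):
        target = _opt(r"\s-j\s+(\S+)", rule)
        if target not in NAT_TARGETS:
            continue
        dport_s = _opt(r"--dport\s+(\d+)", rule)
        dport = int(dport_s) if dport_s else None
        # A rule without --dport applies to every port, so it covers the exposed one too.
        if dport is not None and dport not in exposed_ports:
            continue
        to = (_opt(r"--to-ports\s+(\S+)", rule)
              or _opt(r"--to-destination\s+(\S+)", rule) or "?")
        findings.append(Finding(source=_opt(r"\s-s\s+(\S+)", rule) or "any",
                                dport=dport, target=target, to=to, rule=rule))
    return findings


def report(findings: List[Finding]) -> str:
    lines = [f"{len(findings)} suspicious nat/PREROUTING rule(s)"]
    for f in findings:
        lines.append(f"  port {f.dport or 'any'} from {f.source} -> {f.target} {f.to}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_DUMP)))
```

Run against a real dump with `iptables-save | python3 audit.py` after swapping SAMPLE_DUMP for `sys.stdin.read()`; a rule with no source restriction (the third one in the sample) is the one that turns the exposed port into an unauthenticated front door, while source-scoped rules point at which clients the operator meant to let in.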
Demo (recorded video playback)
The video length is around 3 minutes, demonstrating the following:
- 00:00 - Google GCP Cloud Shell provisioning, with a startup script installing dante-server and nginx, then running them on ports 1080 and 8080 respectively
- 00:07 - Check that the SOCKS (danted) and Web (nginx) services are running on ports 1080 and 8080 respectively
- 00:20 - Configure CIDRs for SSH and SOCKS clients
- 00:54 - Apply and show the new firewall rules
- 01:07 - Show the home page of the web service running on port 8080
- 01:24 - Web Preview on port 8080 shows the same web content as expected
- 01:38 - Google authentication is required to access the URL from the Web Preview
- 02:02 - Google authentication bypass to access the web content via Cloud Shell's port 6000
- 02:38 - SOCKS5 service is accessed from a client defined in CIDR_SOCKS over Cloud Shell's port 6000
- 02:54 - SSH service is accessed from a client defined in CIDR_SSH over Cloud Shell's port 6000
Impacts
- Security degradation with Web Preview and Google auth bypass
The Web Preview, which requires Google authentication, can be bypassed by visiting the Cloud Shell’s port 6000/tcp directly. Adversaries could take advantage of this for malware distribution or data exfiltration.
  - Malware distribution
  - Data exfiltration
- Arbitrary service access in the Cloud Shell container
Root privilege lets us redirect traffic destined for Cloud Shell’s port 6000/tcp to any service. The impact varies with the service exposed: a proxy-based service such as SOCKS lets adversaries bypass geographical or IP-based access controls or conduct indirect C2 communication for a stealthier attack chain.
  - Access restriction bypass
  - Indirect access to C2 server infrastructure
Mitigation and Takeaways
- TOTP-based 2FA is phishable
With various phishing toolkits available worldwide, MITM-based tools such as Evilginx can capture credentials or tokens during authentication, even when a time-based one-time password authenticator is used. Once the authentication token has been captured, adversaries gain unauthorized access to the user’s account or session, putting your cloud resources at their disposal. In addition to raising user security awareness, using hardware security keys increases resistance to phishing attacks.
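The difference between the two factors comes down to what gets verified. The following simulation is an added example, not from the talk or from any vendor: a TOTP code carries no information about which site the user typed it into, so a proxy can forward it unchanged, whereas a hardware-key assertion signs the origin the browser actually saw, so a challenge relayed through a look-alike page comes back bound to the wrong origin and the relying party rejects it. The relying party name and both origins are constructed placeholders, and an HMAC with a shared key stands in for the authenticator’s asymmetric signature (the binding property comes from what is signed, not from the primitive). A real browser would additionally refuse to use the credential at all because the RP ID must match the page’s domain; the code skips that step so the RP-side check is visible.

```python
"""Why a relayed TOTP code verifies but a relayed hardware-key assertion does not.

Added example, not part of the talk. RP and origins are constructed placeholders;
HMAC with a shared key stands in for the authenticator's asymmetric signature.
"""
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict

RP_ID = "accounts.example"                           # constructed relying party
LEGIT_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.invalid"    # constructed look-alike origin


# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step): the code is origin-agnostic ------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def server_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), code)


def totp_relay_succeeds(unix_time: int = 1_723_000_000) -> bool:
    """The user types the code into the phishing page and the proxy forwards it
    unchanged; nothing in the code records which site the user thought they were on."""
    secret = secrets.token_bytes(20)
    code_typed_on_phishing_page = totp(secret, unix_time)
    return server_accepts_totp(secret, code_typed_on_phishing_page, unix_time)


# --- WebAuthn-style assertion: the browser writes the origin it sees into the
# signed clientData, so a relayed challenge comes back bound to the wrong origin.

class Authenticator:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # stands in for the credential private key

    @property
    def verify_key(self) -> bytes:            # what the RP stored at registration
        return self._key

    def get_assertion(self, origin_seen_by_browser: str, challenge: str) -> Dict[str, bytes]:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
            sort_keys=True).encode()
        signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
        return {"client_data": client_data,
                "signature": hmac.new(self._key, signed, hashlib.sha256).digest()}


def rp_verify(verify_key: bytes, expected_challenge: str, assertion: Dict[str, bytes]) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:      # the check a relay cannot satisfy
        return False
    signed = (hashlib.sha256(RP_ID.encode()).digest()
              + hashlib.sha256(assertion["client_data"]).digest())
    expected = hmac.new(verify_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def webauthn_login(origin_seen_by_browser: str) -> bool:
    auth = Authenticator()
    challenge = secrets.token_urlsafe(32)     # issued by the real RP; a proxy relays it verbatim
    assertion = auth.get_assertion(origin_seen_by_browser, challenge)
    return rp_verify(auth.verify_key, challenge, assertion)


if __name__ == "__main__":
    print("TOTP relayed through phishing page accepted:", totp_relay_succeeds())
    print("Key assertion from legitimate origin accepted:", webauthn_login(LEGIT_ORIGIN))
    print("Key assertion relayed from phishing origin accepted:", webauthn_login(PHISH_ORIGIN))
```

The relayed TOTP is accepted and the relayed key assertion is refused, even though in both runs the attacker relays the server’s challenge verbatim and the legitimate user cooperates.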
- More restricted access to currently exposed open ports
From Google’s standpoint, access to the container’s SSHd could be restricted to connections originating from the Cloud Shell WebUI, without exposing it to the Internet.
- Least privilege principle
It’s always a good idea to review whether users’ permissions are overly generous. In the worst-case scenario, if compromise is inevitable, we’d like to keep collateral damage to a minimum.
Hubert Lin is an offensive security expert, specializing in remote vulnerability exploitation, honeypots, and penetration testing. He previously led the signature team for network threat defense and was a senior staff engineer on the Red Team at Trend Micro. In his roles, he assessed network intrusion prevention systems and conducted sanctioned red team exercises to enhance corporate security. Hubert holds certifications as a Red Hat Certified Engineer (RHCE) and an Offensive Security Certified Professional (OSCP). Currently, he works at Netskope as a Sr. Staff Researcher.