Hack The Box BlackSky Cloud Hacking Labs – Blizzard

In this post we present Blizzard, the BlackSky Cloud Hacking Lab scenario for Google Cloud Platform by Hack The Box and our review of it.

Y-Security recently collaborated with Hack The Box and took the challenge of reviewing their BlackSky Cloud Hacking Labs. The main focus of the review was testing the created challenges and presented attack path against Y-Security’s experience of real-life attacks in cloud environments.

Overview of BlackSky Cloud Labs

The BlackSky Cloud Hacking Labs are separated into individual scenarios distributed within the environment of the most common cloud provider, namely Amazon Web Services, Google Cloud Platform and Microsoft Azure. Each of the environments contains a unique scenario and attack path to reach the goal of the assessment by chaining common cloud related vulnerabilities and misconfigurations.

BlackSky provides dedicated scenarios, allowing you to practice different attack techniques and exploitation of common vulnerabilities, in order to understand how cloud platforms can be compromised.

Hack The Box

Blizzard: Google Cloud Platform (GCP)

In the below section we give some feedback and insights into the Blizzard: Google Cloud Platform (GCP) scenario and our experience with realistic vulnerabilities in GCP infrastructures. Y-Security followed its detailed Cloud Penetration Testing methodology while solving the Cloud Hacking Lab.

Scope of Blizzard

The Blizzard: Google Cloud Platforms (GCP) scenario aims at the below resources, which are also likely to be found in a real cloud project. Additionally Hack The Box promoted the scenario with the below attack techniques/outcome:

Blizzard

Resources

  • GCP credentials
  • Google App Engine
  • Google Cloud Storage
  • Google Compute Engine Metadata
  • Google Container Registry
  • IAM vectors
  • Kubernetes
  • Policies
  • Source code review
  • Web / DevOps vectors

Promoted Outcome

  • GCP enumeration
  • Exploitation of serverless applications
  • Exploiting misconfigurations
  • Lateral movement
  • Local privilege escalation
  • Mitigations and best practices
  • Situational awareness
  • Web application and API exploitation

Tips & Tricks

Attacking Cloud environments requires a deep logical understanding of used components and how they interact with each other. Unfortunately, there is no tool that solves all problems in a cloud assessment as the tools mostly depend on specific access rights to execute properly or the tools brute-force access rights by observing responses to commands. The tooling in the GCP hasn’t been seen as matured as the tooling for AWS and Azure.

The following contains some references and tools used in the above scenario:

  • gcloud & gsutil: is the official Google Toolkit for API access through the CLI.
  • kubectl: is a command line tool that implements kubelet’s API.
  • docker: Containerization solution and tools.
  • linPEAS: is a script that searches for possible paths to escalate privileges on Linux hosts.
  • Scout Suite: Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
  • Cloudsploit: allows detection of security risks in cloud infrastructure accounts.
  • Hacktricks Cloud GCP Pentesting: Collection of GCP attack vectors and methodologies.

The lab

The scenario started with a description of the target, an externally available IP-address and a list of flag names that could be found during the assessment to prove progress.

“Mega Multinational” is a global leader in the Freight Logistics industry. They are not cloud native, but are looking to transition more infrastructure to the cloud, in order to mitigate the perceived risks of hosting their own infrastructure. They have enlisted your services to perform an assessment of their cloud infrastructure, using the external IP address.

Hack The Box

The lab consisted out of 9 resources for which 15 flags were provided.

Attack path

The challenges for the GCP scenario provide insights into typical attack patterns that Y-Security sees in their Penetration Tests. However, artifacts of the vulnerabilities are typically found and exploited within our Red Teams too.

To benchmark Y-Security solutions and the Hack The Box challenges, we have followed our Cloud Penetration Testing methodology during the assessment which aligns and completes common methodologies and frameworks in particular the OWASP Web Security Testing Guide, the BSI Leitfaden IT-Sicherheits-Penetrationstest, applicable CIS Benchmarks, the MITRE ATT&CK® Framework and Cloud Provider specific security best practice guidelines.

We do not want to provide too many insights into the challenge solutions here. However, some general advice can be given for the GCP scenarios. Identically to a typical penetration test one of the main objectives is to identify new attack paths based on new credentials received. Whenever a challenge is solved, we can typically hunt for new credentials in common files or environments and replay them against the cloud infrastructure to understand potential new attack paths that might become available.

Therefore, note taking becomes crucial and when you get stuck within a challenge, it is usually worthwhile to simply reuse known Tools with the different credentials received.

During our attack path, we’ve focused on manual attacks mostly. For the initial attack vector discovery the provider tools from Google are the first choice. However, once the target is mapping out more specialist tools become handy and required to solve the challenges we have faced.

Conclusion

The BlackSky Cloud Hacking Labs – Blizzard scenario and vulnerabilities are a realistic scenario that could even exist as part of a real organizations network. I would recommend the training for everyone doing Penetration Testing or Red Teaming with a focus on GCP and DevOps environments.

It should be noted, that a good chunk of the challenges were using typical DevOps frameworks and services. Even if those are not directly cloud native, they have matched perfectly into the scenario described by Hack The Box.

We followed our detailed Cloud Penetration Testing methodology while solving the lab. Even though not all checks of our methodology were demonstrated in a vulnerability, it still showed that the most common and even some niche vulnerabilities can be found and exploited in the scenario.

I have really enjoyed the BlackSky Cloud Hacking Labs – Blizzard scenario and I can 100% recommend it to every Penetration Tester who wants to step into Cloud Security testing and skipping the typical audit style of other cloud review training. In addition the typical DevOps services provides a good relation to what we’re facing in our practical experience when performing Penetration Tests and Red Teams.

Sven

Further Reading

We would like to thank Hack The Box for providing us with access to have a deep dive into their professional offerings and benchmarking our cloud testing methodology against those sophisticated playbook exercises.

Author

Sven Schlüter
sven@y-security.de
Y-Security GmbH
28. February 2023