WRITE UP – GOOGLE BUG BOUNTY: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD

Hi everyone. It’s been a while since my last post (1 year, w00t!) but I’m back. I want to tell you a short story about one of my latest bug bounties, and how I escalated a simple XSS to a full Google Cloud Shell instance takeover as a full administrator (RCE as root).

Extracted from Google VRP’s report:

Summary: Google Cloud Shell instance takeover (as root)

Steps to reproduce:

1.- Set up an SSL server that you own on any port; I will use the ngrok + nc combo over port 55555

2.- Visit https://github.com/omespino/gcs_instace_takeover and click “Open in Google Cloud Shell”

3.- Wait for everything to load and then click the preview button for the .md files (you need to set up the attacker server that you own before the preview)

4.- Receive two files from the Google VM: ‘/etc/hosts’ and the private key ‘../id_cloudshell’ (escape the container with ‘../’)
        4.1: for the private key you need to replace the literal ‘\n’ sequences with newlines and save it as ‘id_cloudshell’
        4.2: the hostname is “cs-6000-devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX”; we delete the “cs-6000-” part and append “.cloudshell.dev”, getting something like devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev

5.- Log in as root over SSH on port 6000
        ‘ssh -i id_cloudshell -p 6000 root@devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev’

6.- w00t!!! Now you are r00t on that Google Cloud Shell instance

Feb 6, 2020: Sent the report to Google VRP
Feb 6, 2020: Got a message from Google that the bug was triaged
Feb 14, 2020: Nice Catch! Bug Accepted (P2)
Feb 20, 2020: $5,000 bounty awarded
Mar 18, 2020: Fixed by Google

Well, that’s it. Share your thoughts: what do you think about how they handled that security issue? If you have any doubt, comment or suggestion, just drop me a line here or on Twitter @omespino. Read you later.
