Hey folks!
Here are some notes that I use when validating GCP service accounts and looking for SSRFs.
How to authenticate in a service account using the GCP CLI
gcloud auth activate-service-account 1234567-compute@developer.gserviceaccount.com --key-file=pathtofile.json --project=project_name
The e-mail address, the path to the key file, and the project name can all be taken from the service account's JSON key file.
List of some commands
#List SSL certificates
gcloud compute ssl-certificates list
#List Compute Engine images
gcloud compute images list
#List Compute Engine instances
gcloud compute instances list
#List buckets
gcloud storage ls
#List buckets using gsutil
gsutil ls
#List container images
gcloud container images list
#List clusters
gcloud container clusters list
#List firewall rules
gcloud compute firewall-rules list
Achieving SSRFs in Axios
When attempting an SSRF against the metadata server in a GCP environment, the request must carry the 'Metadata-Flavor: Google' header.
In Axios, you can set headers on a request by passing a headers object along with the request, and that's it.