A hitchhiker's guide to a Google Cloud CTF

⚠️ This repository contains only the hints and instructions for the challenge.⚠️

⚠️ For the full Terraform setup and solutions - visit this repository ⚠️

Your Goal

Your goal of this CTF is to exploit a vulnerable GCP project and find up to 5 flags. During the challenge you will be able to move through the environment and step by step escalate your privileges until you manage the IAM bindings on the project, essentially allowing you to gain control of all resources in the project. (In our CTF workshop setup, we have to keep you in check a bit and you will only be able to manage specific IAM bindings.)

Prerequisites

To play this CTF and participate in our workshop you will need:

• A notebook and an internet connection
• A Google account. Any Google account such as your-throwaway@gmail.com is enough. It does not have to be a Google Cloud account.
• The gcloud command line utility installed on your computer.

Your starting point

The cloud services in the project might be misconfigured or leak information that can be useful for you as an attacker. You'll start out with just an IP address as your first piece of information.

Note

IP address to start with: 34.23.127.178

We are providing you with useful hints and commands for each challenge. Don't hesitate to use them, as you will have limited time for this CTF during our workshop.

Challenges

• Challenge 1
• Challenge 2
• Challenge 3
• Challenge 4
• Bonus Challenge 5