Level 2


The attacker acquired the source code for the api-engine somehow, as well as the compute-admin service account. Investigate how the attacker accomplished this, and fix any obvious security issues along the way.

Hint 1

Referring to the diagram, we know there is a vm-image-bucket that holds the source files for building the image used by the api-engine. This is the most likely place the attacker could find the source code, so let’s use the Logs Explorer to investigate the bucket.

Query for

vm-image-bucket

Hint 2

The logs show that multiple files were requested from the bucket by the dev-account service account. Among these files is the source code for the api-engine, and a file called compute-admin.json. It would seem that in an effort to make their lives easier, the developers kept all the tools they would need to update the api-engine within this bucket.
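To make the Hint 2 triage repeatable, here is an added Python example (not part of the original write-up) that runs over a few constructed audit-log entries in the Cloud Audit Log shape (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName), summarizes which principal read which objects from vm-image-bucket, and flags reads of key-like files. The principal e-mails, object paths and project id are constructed.

```python
from collections import defaultdict

# Suffixes that usually indicate a credential file rather than source code.
SENSITIVE_SUFFIXES = (".json", ".pem", ".p12")
TARGET_BUCKET = "vm-image-bucket"


def entry(principal, method, resource):
    """Build a minimal Cloud Audit Log entry (constructed sample, not a real export)."""
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource}}


# Constructed sample entries; names and project id are assumptions.
DEV = "dev-account@example-project.iam.gserviceaccount.com"
BOT = "build-bot@example-project.iam.gserviceaccount.com"
BUCKET_PATH = "projects/_/buckets/vm-image-bucket/objects/"
SAMPLE_LOGS = [
    entry(DEV, "storage.objects.get", BUCKET_PATH + "api-engine/main.py"),
    entry(DEV, "storage.objects.get", BUCKET_PATH + "api-engine/requirements.txt"),
    entry(DEV, "storage.objects.get", BUCKET_PATH + "compute-admin.json"),
    entry(BOT, "storage.objects.list", "projects/_/buckets/vm-image-bucket"),
    entry(BOT, "storage.objects.get", "projects/_/buckets/other-bucket/objects/notes.json"),
]


def parse_object(resource_name):
    """Split 'projects/_/buckets/<bucket>/objects/<object>' into (bucket, object)."""
    prefix = "projects/_/buckets/"
    if not resource_name.startswith(prefix) or "/objects/" not in resource_name:
        return None
    bucket, obj = resource_name[len(prefix):].split("/objects/", 1)
    return bucket, obj


def triage(entries, bucket=TARGET_BUCKET):
    """Return ({principal: [objects read]}, [(principal, object)] for key-like reads)."""
    reads = defaultdict(list)
    flagged = []
    for e in entries:
        payload = e.get("protoPayload", {})
        if payload.get("methodName") != "storage.objects.get":
            continue  # only object downloads matter here, not listings
        parsed = parse_object(payload.get("resourceName", ""))
        if parsed is None or parsed[0] != bucket:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        reads[principal].append(parsed[1])
        if parsed[1].lower().endswith(SENSITIVE_SUFFIXES):
            flagged.append((principal, parsed[1]))
    return dict(reads), flagged


if __name__ == "__main__":
    by_principal, key_reads = triage(SAMPLE_LOGS)
    for who, objs in by_principal.items():
        print(f"{who} read {len(objs)} object(s): {', '.join(objs)}")
    for who, obj in key_reads:
        print(f"FLAG: {who} downloaded credential-like file {obj}")
```

The suffix check is a naming heuristic: it will also flag ordinary config JSON, so treat its output as a list to review rather than a verdict.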

Hint 3

The compute-admin service account key being stored in this bucket is an obvious issue as it allows anyone with access to the bucket to elevate their privilege to compute admin. Let’s disable this key since it has been compromised, and shouldn’t be stored in this bucket in the first place.

Hint 4

We should be able to delete a service account key using the Google Cloud GUI, but it sometimes bugs out and cannot be used. So instead, use a gcloud command from the terminal to delete the key. First, list the keys for the compute-admin account.

gcloud iam service-accounts keys list \
	--iam-account compute-admin@[project-id].iam.gserviceaccount.com

There should be two keys listed: one that expires in two years, and one that expires in the year 9999, which is the default when a key is generated. The first key is used by Google’s backend and cannot be deleted, but the second is the key being stored in the vm-image-bucket. To delete it, enter the gcloud command:

gcloud iam service-accounts keys delete [key-id] \
	--iam-account compute-admin@[project-id].iam.gserviceaccount.com

Hint 5

Finally, we should remove the json file from the bucket to clean it up. Using the console GUI, search for buckets and navigate to the vm-image-bucket. Since we are using a system account, we can view the files in the bucket. Select the compute-admin.json file and remove it from the bucket. The true final step would be to advise the company to have developers request an access key or other temporary key from a system admin (or some similar alternative) when they need to make changes to the api-engine, but as this is a fictitious system, we don’t need to do so for this exercise.

Hint 6

This is the end of level 2. We found that the attacker used a developer service account to download the api-engine source code and compute-admin private key from a bucket, the latter of which we removed from the bucket and deleted from the system.