misCloud is a HackTheBox challenge designed to simulate a breach on a company’s Google Cloud Platform (GCP) infrastructure.
The write-up details each task with comprehensive commands and explains how each question is answered.
It utilizes a variety of tools, including Wireshark, tshark, and jq, to analyze network traffic and GCP logs to identify patterns and anomalies, such as the Windows machine’s internal IP address, the CVE exploited by the threat actor, the hostname and port number to which the reverse shell connected, and the instances the threat actor logged into.
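As an added illustration of the log-analysis step described above (example code written for this summary, not the write-up's own script), the following Python sketch parses newline-delimited GCP Cloud Audit Log entries and groups Compute Engine instance operations by the principal and caller IP that performed them. The log entries are constructed samples; the project name, principals, instance names and IP addresses are placeholders. The field names used (`timestamp`, `protoPayload.methodName`, `protoPayload.resourceName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata.callerIp`) are the standard Cloud Audit Log fields, and `v1.compute.instances.setMetadata` is the method recorded when instance metadata such as SSH keys is changed.

```python
import json
from collections import defaultdict

# Constructed sample audit log entries (newline-delimited JSON), NOT evidence from
# the challenge. Project, principals, instances and IPs are placeholders.
SAMPLE_LOG = r'''
{"timestamp":"2023-05-01T09:00:00Z","logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"v1.compute.instances.insert","resourceName":"projects/example-project/zones/us-central1-a/instances/web-01","authenticationInfo":{"principalEmail":"admin@example.com"},"requestMetadata":{"callerIp":"198.51.100.5"}}}
{"timestamp":"2023-05-01T10:00:00Z","logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"v1.compute.instances.setMetadata","resourceName":"projects/example-project/zones/us-central1-a/instances/web-01","authenticationInfo":{"principalEmail":"attacker@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"}}}
{"timestamp":"2023-05-01T10:05:00Z","logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"v1.compute.instances.setMetadata","resourceName":"projects/example-project/zones/us-central1-a/instances/db-01","authenticationInfo":{"principalEmail":"attacker@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"}}}
{"timestamp":"2023-05-01T10:07:00Z","logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"methodName":"storage.objects.get","resourceName":"projects/_/buckets/example-bucket/objects/secret.txt","authenticationInfo":{"principalEmail":"attacker@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"}}}
'''

INSTANCE_METHOD_PREFIX = "v1.compute.instances."


def parse_entries(text):
    """Parse newline-delimited JSON audit log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def instance_events(entries):
    """Flatten Compute Engine instance operations into simple event records."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if not method.startswith(INSTANCE_METHOD_PREFIX):
            continue  # ignore non-instance activity such as storage reads
        resource = payload.get("resourceName", "")
        events.append({
            "timestamp": entry.get("timestamp", ""),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", ""),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", ""),
            # the instance name is the last segment of the resource path
            "instance": resource.rsplit("/", 1)[-1],
            "method": method,
        })
    return sorted(events, key=lambda e: e["timestamp"])


def instances_by_principal(entries):
    """Map each principal to the sorted list of instances it operated on."""
    seen = defaultdict(set)
    for event in instance_events(entries):
        seen[event["principal"]].add(event["instance"])
    return {principal: sorted(names) for principal, names in seen.items()}


def timeline_for_ip(entries, caller_ip):
    """Chronological instance operations issued from one caller IP."""
    return [e for e in instance_events(entries) if e["caller_ip"] == caller_ip]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for principal, names in instances_by_principal(entries).items():
        print(f"{principal}: {', '.join(names)}")
    for event in timeline_for_ip(entries, "203.0.113.10"):
        print(event["timestamp"], event["method"], event["instance"])
```

The same grouping can be done directly with jq on the output of `gcloud logging read`; the value of a small script is that the selection logic (which method names count as a login-related change, which caller IPs are of interest) is explicit and repeatable across the different questions in the challenge.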
For investigating the sensitive file and the encryption key, and for decrypting the encrypted file, it leverages Wireshark and a Python script exported from the captured network traffic: reviewing the sensitive file, obtaining the encryption key, and decrypting the file to reveal the social security numbers and credit card numbers of “Founder John”.
Furthermore, to reinforce learning, the write-up provides additional information and best practices related to GCP security, such as recommending against using the default Compute Engine service account on VM instances and advising that GCP permissions and access be restricted.