GCP-Phishing
Scenario
- Rohit Agarwal recently shared on LinkedIn that he has joined a Managed Security Services Provider (MSSP), which lists Gigantic Retail as a client on its website. As part of our red team engagement for Gigantic Retail, we are targeting this user to gain an initial foothold into their environment via the MSSP.
Objective
- Use the phishing page (https://aka-accountreview.cloud/) to capture the target user’s credentials. Once obtained, extract the username and password from creds.txt, and attempt to access any sensitive information available through the compromised account.
Solution
- First, set up a SOCKS proxy through a GCP VM and configure FoxyProxy to use it
- Create a phishing email
  send to: Rohit.Agarwal@megabigtech.com
  Subject - Activity Alert: Review Required
  Hi Rohit,
  We detected an unusual sign-in attempt to your Google Workspace account from a new device. For your security, we recommend you to review this activity. Please review and verify your account activity following the secure link below:
  Review Activity & Unlock Account - https://aka-accountreview.cloud/
  If you do not verify within the next 12 hours, your account access may be restricted.
  Thank you,
  Google Workspace Security Team
- Sending from Gmail did not work; a Protonmail account or similar is needed
- Receive the credentials at aka-accountreview.cloud/creds.txt
- Activate the SOCKS proxy and FoxyProxy to route browser traffic through the GCP VM over SSH
- Sign in to the GCP console and view Secret Manager
- Use CyberChef to decode the secrets; the decoded value is:
  admin:Password12345
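The last two steps (a phished identity signing in and reading Secret Manager) are exactly what a defender of Gigantic Retail would want to catch. The following is an added detection example, not part of the original lab notes or any vendor tooling: it runs offline over constructed Cloud Audit Log records shaped like Secret Manager's Data Access entries and flags calls from outside known egress ranges or first-time reads of a secret by a principal. All principal names, IPs, project ids and the baseline are invented placeholders. One caveat the lab does not mention: Data Access audit logs for `secretmanager.googleapis.com` are off by default, so `AccessSecretVersion` records only exist where they have been enabled.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Real Secret Manager method names as they appear in protoPayload.methodName.
ACCESS_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
LIST_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.ListSecrets"


def _entry(ts, method, principal, ip, resource):
    # Build one audit-log record carrying only the fields the detection reads.
    return {"timestamp": ts,
            "protoPayload": {"serviceName": "secretmanager.googleapis.com",
                             "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "requestMetadata": {"callerIp": ip},
                             "resourceName": resource}}


# Constructed sample (placeholder names/IPs): a routine read by a platform admin
# from corporate egress, then a new principal listing and reading secrets from
# an IP outside the known ranges.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2024-05-01T09:00:00Z", ACCESS_METHOD, "platform-admin@example-corp.test",
           "203.0.113.10", "projects/example-proj/secrets/db-admin/versions/1"),
    _entry("2024-05-01T13:12:41Z", LIST_METHOD, "analyst@mssp-partner.test",
           "198.51.100.7", "projects/example-proj"),
    _entry("2024-05-01T13:12:55Z", ACCESS_METHOD, "analyst@mssp-partner.test",
           "198.51.100.7", "projects/example-proj/secrets/db-admin/versions/latest"),
    _entry("2024-05-01T13:13:02Z", ACCESS_METHOD, "analyst@mssp-partner.test",
           "198.51.100.7", "projects/example-proj/secrets/api-token/versions/1"),
])

# Constructed baseline: known egress ranges and which secrets each principal has read before.
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]
BASELINE = {"platform-admin@example-corp.test": {"projects/example-proj/secrets/db-admin"}}


def parse_entries(raw):
    """Flatten newline-delimited JSON audit records into the fields we score on."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        p = e["protoPayload"]
        rows.append({"ts": e["timestamp"],
                     "method": p["methodName"],
                     "principal": p["authenticationInfo"]["principalEmail"],
                     "ip": p.get("requestMetadata", {}).get("callerIp", ""),
                     "resource": p["resourceName"]})
    return rows


def secret_name(resource):
    """projects/P/secrets/S/versions/V -> projects/P/secrets/S (versions are noise for baselining)."""
    return resource.split("/versions/", 1)[0]


def ip_is_known(ip):
    try:
        addr = ip_address(ip)
    except ValueError:  # empty or non-IP caller; treat as unknown rather than trusted
        return False
    return any(addr in net for net in KNOWN_EGRESS)


def find_suspicious(rows, baseline):
    """One alert per record that breaks a rule.

    Rule 1: any Secret Manager call from outside the known egress ranges.
    Rule 2: AccessSecretVersion on a secret this principal has never read before.
    """
    alerts = []
    seen = defaultdict(set, {k: set(v) for k, v in baseline.items()})
    for r in rows:
        reasons = []
        if not ip_is_known(r["ip"]):
            reasons.append("caller IP outside known egress ranges")
        if r["method"] == ACCESS_METHOD:
            name = secret_name(r["resource"])
            if name not in seen[r["principal"]]:
                reasons.append("first read of this secret by this principal")
            seen[r["principal"]].add(name)
        if reasons:
            alerts.append({"ts": r["ts"], "principal": r["principal"], "ip": r["ip"],
                           "method": r["method"].rsplit(".", 1)[-1],
                           "resource": r["resource"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(parse_entries(SAMPLE_LOG), BASELINE):
        print(f'{a["ts"]} {a["principal"]} {a["ip"]} {a["method"]} '
              f'{a["resource"]}: {"; ".join(a["reasons"])}')
```

On the sample the admin's routine read is silent, while the three calls by the new principal each raise an alert (the `ListSecrets` call on the IP rule alone, the two reads on both rules). In a real deployment the baseline would be built from a trailing window of the same logs and the egress list from the organisation's VPN and office ranges; a SOCKS proxy through a cloud VM, as used in this lab, is precisely what the IP rule is meant to surface.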