Hacking Google Cloud?
Every year Google celebrates the best security issues found in Google Cloud. This year we take a look at the 7 winners to see if we could have found these issues too. Will I regret not having hacked Google last year?
This video is sponsored by Google VRP:
Follow GoogleVRP Twitter: https://twitter.com/GoogleVRP
The GCP Prize Winners of 2022:
https://security.googleblog.com/2023/06/google-cloud-awards-313337-in-2022-vrp.html
1st Prize - $133,337: Yuval Avrahami https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/
2nd Prize - $73,331: Sivanesh Ashok and Sreeram KL https://blog.stazot.com/ssh-key-injection-google-cloud/
3rd Prize - $31,337: Sivanesh Ashok and Sreeram KL https://blog.stazot.com/auth-bypass-in-google-cloud-workstations/
4th Prize - $31,311: Sreeram KL and Sivanesh Ashok https://blog.geekycat.in/client-side-ssrf-to-google-cloud-project-takeover/
5th Prize - $17,311: Yuval Avrahami and Shaul Ben Hai https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms Talk: https://www.youtube.com/watch?v=PGsJ4QTlKlQ
6th Prize - $13,373: Obmi https://obmiblog.blogspot.com/2022/12/gcp-2022-few-bugs-in-google-cloud-shell.html
7th Prize - $13,337: Bugra Eskici https://bugra.ninja/posts/cloudshell-command-injection/
Previous Winners:
GCP Prize 2019: https://www.youtube.com/watch?v=J2icGMocQds
GCP Prize 2020: https://www.youtube.com/watch?v=g-JgA1hvJzA
GCP Prize 2021: https://www.youtube.com/watch?v=GvO2Xtx8p9w
Chapters:
00:00 - Intro
01:28 - Python Command Injection (Prize 7)
03:01 - XSS, CSRF and NEL Backdoor (Prize 6)
07:04 - Excessive Permissions in k8s DaemonSets (Prize 5)
09:13 - SSRF auth Authorization Token (Prize 4)
10:46 - OAuth Issue (Prize 3)
12:07 - SSH authorized_key Injection (Prize 2)
14:45 - Kubernetes Engine Privilege Escalation (Prize 1)
18:11 - Discussing the Winner
19:25 - What did I learn from the GCP 2022?
20:51 - Outro
=[ ❤️ Support ]=
Get my handwritten font https://shop.liveoverflow.com (advertisement)
Check out our courses on https://hextree.io (advertisement)
Support these videos: https://liveoverflow.com/support/
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
2nd Channel: https://www.youtube.com/LiveUnderflow
=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Streaming: https://twitch.tv/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
Video "Hacking Google Cloud?" from the channel LiveOverflow