From 82a44ea4c087d189b752745d84edde2e4e2e1476 Mon Sep 17 00:00:00 2001
From: afaq <45089292+afaq1337@users.noreply.github.com>
Date: Mon, 4 Aug 2025 23:56:55 +0500
Subject: [PATCH 1/2] Updated Cognito Identity CLI Command Format
Replaced outdated key=value syntax with JSON-based in "--logins" format, keeping the old format for preserved legacy.
---
 .../cognito-identity-pools.md | 38 +++++++++++++------
 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
index 2b8d27874..7f5fd1845 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md
@@ -167,22 +167,36 @@ For this you might need to have access to the **identity provider**. If that is
 Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured).
-
aws cognito-identity get-id \
- --identity-pool-id \
- --logins cognito-idp..amazonaws.com/=
+
+# Updated format
+aws cognito-identity get-id \
+ --identity-pool-id \
+ --logins '{"cognito-idp..amazonaws.com/": ""}'
-# Get the identity_id from the previous commnad response
aws cognito-identity get-credentials-for-identity \
- --identity-id \
- --logins cognito-idp..amazonaws.com/=
+ --identity-id \
+ --logins '{"cognito-idp..amazonaws.com/": ""}'
-
-# In the IdToken you can find roles a user has access because of User Pool Groups
-# User the --custom-role-arn to get credentials to a specific role
aws cognito-identity get-credentials-for-identity \
- --identity-id \
- --custom-role-arn \
- --logins cognito-idp..amazonaws.com/=
+ --identity-id \
+ --custom-role-arn \
+ --logins '{"cognito-idp..amazonaws.com/": ""}'
+
+
+> **Deprecated format** — these may no longer work with current AWS CLI:
+
+aws cognito-identity get-id \
+ --identity-pool-id \
+ --logins cognito-idp..amazonaws.com/=
+
+aws cognito-identity get-credentials-for-identity \
+ --identity-id \
+ --logins cognito-idp..amazonaws.com/=
+
+aws cognito-identity get-credentials-for-identity \
+ --identity-id \
+ --custom-role-arn \
+ --logins cognito-idp..amazonaws.com/=
> [!WARNING]
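Review bot: The rewritten commands drop the explanatory comments the old block carried (`# Get the identity_id from the previous commnad response` and the two lines saying the IdToken lists the roles granted through User Pool Groups and that `--custom-role-arn` selects one of them), so the third `get-credentials-for-identity` call is now unexplained and a reader has no hint where `--identity-id` comes from. Restore them above the matching commands, e.g. `# IdentityId comes from the get-id response above` before the second call and `# The IdToken's cognito:roles claim lists the roles reachable via User Pool Groups; pick one with --custom-role-arn` before the third. Labelling the `key=value` form "Deprecated" also looks stronger than the AWS CLI reference supports, which as far as I can tell still documents shorthand syntax for map parameters such as `--logins`; a heading like `> **Shorthand format** — still accepted by the AWS CLI, but the JSON form above is less error-prone` would be safer. The hunk's trailing context appears to continue past the visible `> [!WARNING]` line.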
From 15bde67918a174391ad65e98a21bb9f92c57d85e Mon Sep 17 00:00:00 2001
From: Tsubasa Irisawa
Date: Thu, 14 Aug 2025 22:19:54 +0900
Subject: [PATCH 2/2] Add GCP Cloud Tasks privesc page
---
src/SUMMARY.md | 1 +
.../gcp-cloudtasks-privesc.md | 51 +++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index 66a6a8fd8..7e7cc6609 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -107,6 +107,7 @@
- [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md)
- [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md)
- [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md)
+ - [GCP - Cloud Tasks Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md)
- [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md)
- [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md)
- [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md)
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md
new file mode 100644
index 000000000..65bb00f10
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md
@@ -0,0 +1,51 @@
+# GCP - Cloud Tasks Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Tasks
+
+### `cloudtasks.tasks.create`, `iam.serviceAccounts.actAs`
+
+An attacker with these permissions can **impersonate other service accounts** by creating tasks that execute with the specified service account's identity. This allows sending **authenticated HTTP requests to IAM-protected Cloud Run or Cloud Functions** services.
+
+```bash
+gcloud tasks create-http-task \
+ task-$(date '+%Y%m%d%H%M%S') \
+ --location us-central1 \
+ --queue \
+ --url 'https://.us-central1.run.app' \
+ --method POST \
+ --header 'X-Hello: world' \
+ --body-content '{"hello":"world"}' \
+ --oidc-service-account-email @.iam.gserviceaccount.com
+```
+
+### `cloudtasks.tasks.run`, `cloudtasks.tasks.list`
+
+An attacker with these permissions can **run existing scheduled tasks** without having permissions on the service account associated with the task. This allows executing tasks that were previously created with higher privileged service accounts.
+
+```bash
+gcloud tasks run projects//locations/us-central1/queues//tasks/
+```
+
+The principal executing this command **doesn't need `iam.serviceAccounts.actAs` permission** on the task's service account. However, this only allows running existing tasks - it doesn't grant the ability to create or modify tasks.
+
+### `cloudtasks.queues.setIamPolicy`
+
+An attacker with this permission can **grant themselves or other principals Cloud Tasks roles** on specific queues, potentially escalating to `roles/cloudtasks.admin` which includes the ability to create and run tasks.
+
+```bash
+gcloud tasks queues add-iam-policy-binding \
+ \
+ --location us-central1 \
+ --member serviceAccount:@.iam.gserviceaccount.com \
+ --role roles/cloudtasks.admin
+```
+
+This allows the attacker to grant full Cloud Tasks admin permissions on the queue to any service account they control.
+
+## References
+
+- [Google Cloud Tasks Documentation](https://cloud.google.com/tasks/docs)
+
+{{#include ../../../banners/hacktricks-training.md}}
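Review bot: The `create-http-task` example in the first section only shows the OIDC variant, which Cloud Run/Cloud Functions accept but Google APIs do not, so the page undersells the primitive: the same command also takes `--oauth-service-account-email` (with `--oauth-token-scope`, defaulting to cloud-platform), which makes the task carry an OAuth access token for the service account and lets the attacker call any `*.googleapis.com` endpoint as that identity (e.g. a `setIamPolicy` call), not just an IAM-protected service. That deserves a second example under the first section, with the caveat that, as far as I recall, Cloud Tasks only intends OAuth tokens for targets hosted on googleapis.com. In the `cloudtasks.queues.setIamPolicy` section, `add-iam-policy-binding` reads the current policy before writing it, so it also needs `cloudtasks.queues.getIamPolicy`; with `setIamPolicy` alone the attacker has to use `gcloud tasks queues set-iam-policy QUEUE policy.json --location LOCATION` with a hand-written policy file, which replaces the existing bindings and is noisier. It is also worth stating that `roles/cloudtasks.admin` on a queue does not include `iam.serviceAccounts.actAs`, so after escalating via the queue policy the attacker can run existing tasks but still cannot create new tasks under another service account without actAs.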