# GCP Pentesting {{#include ../../banners/hacktricks-training.md}} ## Basic Information **Before start pentesting** a **GCP** environment, there are a few **basics things you need to know** about how it works to help you understand what you need to do, how to find misconfigurations and how to exploit them. Concepts such as **organization** hierarchy, **permissions** and other basic concepts are explained in: {{#ref}} gcp-basic-information/ {{#endref}} ## Labs to learn - [https://gcpgoat.joshuajebaraj.com/](https://gcpgoat.joshuajebaraj.com/) - [https://github.com/ine-labs/GCPGoat](https://github.com/ine-labs/GCPGoat) - [https://github.com/lacioffi/GCP-pentest-lab/](https://github.com/lacioffi/GCP-pentest-lab/) - [https://github.com/carlospolop/gcp_privesc_scripts](https://github.com/carlospolop/gcp_privesc_scripts) ## GCP Pentester/Red Team Methodology In order to audit a GCP environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal GCP services an **external services** connected. From a Red Team point of view, the **first step to compromise a GCP environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that: - **Leaks** in github (or similar) - OSINT - **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/index.html)) - **Password** reuse (password leaks) - Vulnerabilities in GCP-Hosted Applications - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.config/gcloud/*` - `C:\Users\USERNAME\.config\gcloud\*` - 3rd parties **breached** - **Internal** Employee Or by **compromising an unauthenticated service** exposed: {{#ref}} gcp-unauthenticated-enum-and-access/ {{#endref}} Or if you are doing a **review** you could just **ask for credentials** with these roles: {{#ref}} gcp-permissions-for-a-pentest.md {{#endref}} > [!NOTE] > After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: ## Basic Enumeration ### **SSRF** For more information about how to **enumerate GCP metadata** check the following hacktricks page: {{#ref}} https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Whoami In GCP you can try several options to try to guess who you are: ```bash #If you are inside a compromise machine gcloud auth list curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo gcloud auth print-identity-token #Get info from the token #If you compromised a metadata token or somehow found an OAuth token curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=" https://www.googleapis.com/oauth2/v1/tokeninfo ``` You can also use the API endpoint `/userinfo` to get more info about the user: ```bash curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth $(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/userinfo curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth " https://www.googleapis.com/oauth2/v1/userinfo ``` ### Org Enumeration ```bash # Get organizations gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID gcloud resource-manager folders list --organization # Get folders gcloud projects list # Get projects ``` ### Principals & IAM Enumeration If you have enough permissions, **checking the privileges of each entity inside the GCP account** will help you understand what you and other identities can do and how to **escalate privileges**. If you don't have enough permissions to enumerate IAM, you can **steal brute-force them** to figure them out.\ Check **how to do the numeration and brute-forcing** in: {{#ref}} gcp-services/gcp-iam-and-org-policies-enum.md {{#endref}} > [!NOTE] > Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ > In the following section you can check some ways to **enumerate some common services.** ## Services Enumeration GCP has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets, how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them: {{#ref}} gcp-services/ {{#endref}} Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](#automatic-tools). Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them: {{#ref}} gcp-unauthenticated-enum-and-access/ {{#endref}} ## Privilege Escalation, Post Exploitation & Persistence The most common way once you have obtained some cloud credentials or have compromised some service running inside a cloud is to **abuse misconfigured privileges** the compromised account may have. So, the first thing you should do is to enumerate your privileges. Moreover, during this enumeration, remember that **permissions can be set at the highest level of "Organization"** as well. {{#ref}} gcp-privilege-escalation/ {{#endref}} {{#ref}} gcp-post-exploitation/ {{#endref}} {{#ref}} gcp-persistence/ {{#endref}} ### Publicly Exposed Services While enumerating GCP services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\ As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**. In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: {{#ref}} https://book.hacktricks.wiki/ {{#endref}} ## GCP <--> Workspace Pivoting **Compromising** principals in **one** platform might allow an attacker to **compromise the other one**, check it in: {{#ref}} gcp-to-workspace-pivoting/ {{#endref}} ## Automatic Tools - In the **GCloud console**, in [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) you can see resources and IAMs being used by project. - Here you can see the assets supported by this API: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) - Check **tools** that can be [**used in several clouds here**](../pentesting-cloud-methodology.md). - [**gcp_scanner**](https://github.com/google/gcp_scanner): This is a GCP resource scanner that can help determine what **level of access certain credentials posses** on GCP. ```bash # Install git clone https://github.com/google/gcp_scanner.git cd gcp_scanner virtualenv -p python3 venv source venv/bin/activate pip install -r requirements.txt # Execute with gcloud creds python3 __main__.py -o /tmp/output/ -g "$HOME/.config/gcloud" ``` - [**gcp_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash script to enumerate a GCP environment using gcloud cli and saving the results in a file. - [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Scripts to enumerate high IAM privileges and to escalate privileges in GCP abusing them (I couldn’t make run the enumerate script). - [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Script to bruteforce your permissions. ## gcloud config & debug ```bash # Login so gcloud can use your credentials gcloud auth login gcloud config set project security-devbox gcloud auth print-access-token # Login so SDKs can use your user credentials gcloud auth application-default login gcloud auth application-default set-quota-project security-devbox gcloud auth application-default print-access-token # Update gcloud gcloud components update ``` ### Capture gcloud, gsutil... network Remember that you can use the **parameter** **`--log-http`** with the **`gcloud`** cli to **print** the **requests** the tool is performing. If you don't want the logs to redact the token value use `gcloud config set log_http_redact_token false` Moreover, to intercept the communication: ```bash gcloud config set proxy/address 127.0.0.1 gcloud config set proxy/port 8080 gcloud config set proxy/type http gcloud config set auth/disable_ssl_validation True # If you don't want to completely disable ssl_validation use: gcloud config set core/custom_ca_certs_file cert.pem # Back to normal gcloud config unset proxy/address gcloud config unset proxy/port gcloud config unset proxy/type gcloud config unset auth/disable_ssl_validation gcloud config unset core/custom_ca_certs_file ``` ### OAuth token configure in gcloud In order to **use an exfiltrated service account OAuth token from the metadata endpoint** you can just do: ```bash # Via env vars export CLOUDSDK_AUTH_ACCESS_TOKEN= gcloud projects list # Via setup echo "" > /some/path/to/token gcloud config set auth/access_token_file /some/path/to/token gcloud projects list gcloud config unset auth/access_token_file ``` ## References - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) {{#include ../../banners/hacktricks-training.md}}