gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6cd2d68471f16bef79926683e4f9acba1bcf77f4
hacktricks-cloud/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md
carlospolop 6cd2d68471 gcp
2025-11-22 19:35:20 +01:00

103 lines
3.4 KiB
Markdown
Raw Blame History

# GCP - Sourcerepos Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Source Repositories
For more information about Source Repositories check:
{{#ref}}
../gcp-services/gcp-source-repositories-enum.md
{{#endref}}
### `source.repos.get`
With this permission it's possible to download the repository locally:
<details><summary>Clone source repository</summary>
```bash
gcloud source repos clone <repo-name> --project=<project-uniq-name>
```
</details>
### `source.repos.update`
A principal with this permission **will be able to write code inside a repository cloned with `gcloud source repos clone <repo>`**. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like:
- Owner
- Editor
- Source Repository Administrator (`roles/source.admin`)
- Source Repository Writer (`roles/source.writer`)
To write just perform a regular **`git push`**.
### `source.repos.setIamPolicy`
With this permission an attacker could grant himself the previous permissions.
### Secret access
If the attacker has **access to the secrets** where the tokens are stored, he will be able to steal them. For more info about how to access a secret check:
{{#ref}}
gcp-secretmanager-privesc.md
{{#endref}}
### Add SSH keys
It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`** and can be configured in [https://source.cloud.google.com/user/ssh_keys](https://source.cloud.google.com/user/ssh_keys)
Once your ssh key is set, you can access a repo with:
<details><summary>Clone repository using SSH</summary>
```bash
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
```
</details>
And then use **`git`** commands are per usual.
### Manual Credentials
It's possible to create manual credentials to access the Source Repositories:
<figure><img src="../../../images/image (324).png" alt=""><figcaption></figcaption></figure>
Clicking on the first link it will direct you to [https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3](https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&state&authuser=3)
Which will prompt an **Oauth authorization prompt** to give access to **Google Cloud Development**. So you will need either the **credentials of the user** or an **open session in the browser** for this.
This will send you to a page with a **bash script to execute** and configure a git cookie in **`$HOME/.gitcookies`**
<figure><img src="../../../images/image (323).png" alt=""><figcaption></figcaption></figure>
Executing the script you can then use git clone, push... and it will work.
### `source.repos.updateProjectConfig`
With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys:
<details><summary>Disable pushblock and modify pub/sub configuration</summary>
```bash
gcloud source project-configs update --disable-pushblock
```
You can also configure a different pub/sub topic or even disable it completely:
```bash
gcloud source project-configs update --remove-topic=REMOVE_TOPIC
gcloud source project-configs update --remove-topic=UPDATE_TOPIC
```
</details>
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink