1.6 KiB
GCP - Cloud Run Post Exploitation
{{#include ../../../banners/hacktricks-training.md}}
Cloud Run
For more information about Cloud Run check:
{{#ref}} ../gcp-services/gcp-cloud-run-enum.md {{#endref}}
Delete CloudRun Job
The run.services.delete and run.services.get permissions, as well as run.jobs.delete, allow an identity to completely delete a Cloud Run service or job, including its configuration and history. In the hands of an attacker, this can cause immediate disruption to applications or critical workflows, resulting in a denial of service (DoS) for users and systems that depend on the service logic or essential scheduled tasks.
To delete a job, the following operation can be performed.
gcloud run jobs delete <JOB_NAME> --region=<REGION> --quiet
To delete a service, the following operation can be performed.
gcloud run services delete <SERVICE_NAME> --region=<REGION> --quiet
Access the images
If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables.
If the images are stored in repos inside the service Artifact Registry and the user has read access over the repos, he could also download the image from this service.
Modify & redeploy the image
Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending.
{{#include ../../../banners/hacktricks-training.md}}