From c1aee098b6e0177e82952db37e8eae9f3cbd3c0c Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sun, 5 Jan 2025 16:03:29 +0100 Subject: [PATCH] actas in cloudbuild --- .../gcp-privilege-escalation/gcp-cloudbuild-privesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md index 8e6a7df1d..c7fe2f0be 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md @@ -10,7 +10,7 @@ For more information about Cloud Build check: ../gcp-services/gcp-cloud-build-enum.md {{#endref}} -### `cloudbuild.builds.create` +### `cloudbuild.builds.create`, `iam.serviceAccounts.actAs` With this permission you can **submit a cloud build**. The cloudbuild machine will have in it’s filesystem by **default a token of the cloudbuild Service Account**: `@cloudbuild.gserviceaccount.com`. However, you can **indicate any service account inside the project** in the cloudbuild configuration.\ Therefore, you can just make the machine exfiltrate to your server the token or **get a reverse shell inside of it and get yourself the token** (the file containing the token might change).
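Review bot: The heading now lists two permissions, but the unchanged body text directly below it still reads "With this permission you can **submit a cloud build**" and never explains where `iam.serviceAccounts.actAs` comes in; since the only visible reason to add it is the sentence "you can **indicate any service account inside the project** in the cloudbuild configuration", the paragraph should say which permission gates which step, e.g. "With these permissions you can submit a cloud build; `cloudbuild.builds.create` lets you submit the build, and `iam.serviceAccounts.actAs` on the chosen service account is what allows the build config to run as that account instead of the default `@cloudbuild.gserviceaccount.com`." That wording also makes clear, for anyone auditing IAM bindings, that `actAs` on a specific account is the control to review. Nit, same paragraph: "in it’s filesystem" should be "in its filesystem".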