# GCP Pentesting

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

**Before start pentesting** a **GCP** environment, there are a few **basics things you need to know** about how it works to help you understand what you need to do, how to find misconfigurations and how to exploit them.

Concepts such as **organization** hierarchy, **permissions** and other basic concepts are explained in:

{% content-ref url="gcp-basic-information/" %}
[gcp-basic-information](gcp-basic-information/)
{% endcontent-ref %}

## Labs to learn

* [https://gcpgoat.joshuajebaraj.com/](https://gcpgoat.joshuajebaraj.com/)
* [https://github.com/ine-labs/GCPGoat](https://github.com/ine-labs/GCPGoat)
* [https://github.com/lacioffi/GCP-pentest-lab/](https://github.com/lacioffi/GCP-pentest-lab/)
* [https://github.com/carlospolop/gcp\_privesc\_scripts](https://github.com/carlospolop/gcp_privesc_scripts)

## GCP Pentester/Red Team Methodology

In order to audit a GCP environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal GCP services an **external services** connected.

From a Red Team point of view, the **first step to compromise a GCP environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:

* **Leaks** in github (or similar) - OSINT
* **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/))
* **Password** reuse (password leaks)
* Vulnerabilities in GCP-Hosted Applications
  * [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
  * **Local File Read**
    * `/home/USERNAME/.config/gcloud/*`
    * `C:\Users\USERNAME\.config\gcloud\*`
* 3rd parties **breached**
* **Internal** Employee

Or by **compromising an unauthenticated service** exposed:

{% content-ref url="gcp-unauthenticated-enum-and-access/" %}
[gcp-unauthenticated-enum-and-access](gcp-unauthenticated-enum-and-access/)
{% endcontent-ref %}

Or if you are doing a **review** you could just **ask for credentials** with these roles:

{% content-ref url="gcp-permissions-for-a-pentest.md" %}
[gcp-permissions-for-a-pentest.md](gcp-permissions-for-a-pentest.md)
{% endcontent-ref %}

{% hint style="info" %}
After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
{% endhint %}

## Basic Enumeration

### **SSRF**

For more information about how to **enumerate GCP metadata** check the following hacktricks page:

{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440" %}

### Whoami

In GCP you can try several options to try to guess who you are:

{% code overflow="wrap" %}
```bash
#If you are inside a compromise machine
gcloud auth list
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo
gcloud auth print-identity-token #Get info from the token

#If you compromised a metadata token or somehow found an OAuth token
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=<token>" https://www.googleapis.com/oauth2/v1/tokeninfo
```
{% endcode %}

You can also use the API endpoint `/userinfo` to get more info about the user:

{% code overflow="wrap" %}
```bash
curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth $(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/userinfo

curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth <access_token>" https://www.googleapis.com/oauth2/v1/userinfo
```
{% endcode %}

### Org Enumeration

```bash
# Get organizations
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud resource-manager folders list --organization <org_number> # Get folders
gcloud projects list # Get projects
```

### Principals & IAM Enumeration

If you have enough permissions, **checking the privileges of each entity inside the GCP account** will help you understand what you and other identities can do and how to **escalate privileges**.

If you don't have enough permissions to enumerate IAM, you can **steal brute-force them** to figure them out.\
Check **how to do the numeration and brute-forcing** in:

{% content-ref url="gcp-services/gcp-iam-and-org-policies-enum.md" %}
[gcp-iam-and-org-policies-enum.md](gcp-services/gcp-iam-and-org-policies-enum.md)
{% endcontent-ref %}

{% hint style="info" %}
Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
In the following section you can check some ways to **enumerate some common services.**
{% endhint %}

## Services Enumeration

GCP has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets, how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:

{% content-ref url="gcp-services/" %}
[gcp-services](gcp-services/)
{% endcontent-ref %}

Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automatic-tools).

Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:

{% content-ref url="gcp-unauthenticated-enum-and-access/" %}
[gcp-unauthenticated-enum-and-access](gcp-unauthenticated-enum-and-access/)
{% endcontent-ref %}

## Privilege Escalation, Post Exploitation & Persistence

The most common way once you have obtained some cloud credentials or have compromised some service running inside a cloud is to **abuse misconfigured privileges** the compromised account may have. So, the first thing you should do is to enumerate your privileges.

Moreover, during this enumeration, remember that **permissions can be set at the highest level of "Organization"** as well.

{% content-ref url="gcp-privilege-escalation/" %}
[gcp-privilege-escalation](gcp-privilege-escalation/)
{% endcontent-ref %}

{% content-ref url="gcp-post-exploitation/" %}
[gcp-post-exploitation](gcp-post-exploitation/)
{% endcontent-ref %}

{% content-ref url="gcp-persistence/" %}
[gcp-persistence](gcp-persistence/)
{% endcontent-ref %}

### Publicly Exposed Services

While enumerating GCP services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\
As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**.

In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:

{% embed url="https://book.hacktricks.xyz/" %}

## GCP <--> Workspace Pivoting

**Compromising** principals in **one** platform might allow an attacker to **compromise the other one**, check it in:

{% content-ref url="gcp-to-workspace-pivoting/" %}
[gcp-to-workspace-pivoting](gcp-to-workspace-pivoting/)
{% endcontent-ref %}

## Automatic Tools

* In the **GCloud console**, in [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) you can see resources and IAMs being used by project.
  * Here you can see the assets supported by this API: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
* Check **tools** that can be [**used in several clouds here**](../pentesting-cloud-methodology.md).
* [**gcp\_scanner**](https://github.com/google/gcp_scanner): This is a GCP resource scanner that can help determine what **level of access certain credentials posses** on GCP.

```bash
# Install
git clone https://github.com/google/gcp_scanner.git
cd gcp_scanner
virtualenv -p python3 venv
source venv/bin/activate
pip install -r requirements.txt
# Execute with gcloud creds
python3 __main__.py -o /tmp/output/ -g "$HOME/.config/gcloud"
```

* [**gcp\_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash script to enumerate a GCP environment using gcloud cli and saving the results in a file.
* [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Scripts to enumerate high IAM privileges and to escalate privileges in GCP abusing them (I couldn’t make run the enumerate script).
* [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Script to bruteforce your permissions.

## gcloud config & debug

```bash
# Login so gcloud can use your credentials
gcloud auth login
gcloud config set project security-devbox
gcloud auth print-access-token

# Login so SDKs can use your user credentials
gcloud auth application-default login
gcloud auth application-default set-quota-project security-devbox
gcloud auth application-default print-access-token

# Update gcloud
gcloud components update
```

### Capture gcloud, gsutil... network

Remember that you can use the **parameter** **`--log-http`** with the **`gcloud`** cli to **print** the **requests** the tool is performing. If you don't want the logs to redact the token value use `gcloud config set log_http_redact_token false`

Moreover, to intercept the communication:

```bash
gcloud config set proxy/address 127.0.0.1
gcloud config set proxy/port 8080
gcloud config set proxy/type http
gcloud config set auth/disable_ssl_validation True

# If you don't want to completely disable ssl_validation use:
gcloud config set core/custom_ca_certs_file cert.pem

# Back to normal
gcloud config unset proxy/address
gcloud config unset proxy/port
gcloud config unset proxy/type
gcloud config unset auth/disable_ssl_validation
gcloud config unset core/custom_ca_certs_file
```

### OAuth token configure in gcloud

In order to **use an exfiltrated service account OAuth token from the metadata endpoint** you can just do:

```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
gcloud projects list

# Via setup
echo "<token>" > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
gcloud projects list
gcloud config unset auth/access_token_file
```

## References

* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}