# GCP - Cloud Build Unauthenticated Enum {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ## Cloud Build For more information about Cloud Build check: {% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} [gcp-cloud-build-enum.md](../gcp-services/gcp-cloud-build-enum.md) {% endcontent-ref %} ### cloudbuild.yml If you compromise write access over a repository containing a file named **`cloudbuild.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a Cloud Build and exfiltrate the secrets, compromise what is done and also compromise the **Cloud Build service account.** {% hint style="info" %} Note that GCP has the option to allow administrators to control the execution of build systems from external PRs via "Comment Control". Comment Control is a feature where collaborators/project owners **need to comment “/gcbrun” to trigger the build** against the PR and using this feature inherently prevents anyone on the internet from triggering your build systems. {% endhint %} For some related information you could check the page about how to attack Github Actions (similar to this): {% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %} [abusing-github-actions](../../../pentesting-ci-cd/github-security/abusing-github-actions/) {% endcontent-ref %} ### PR Approvals When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`.
{% hint style="danger" %} Therefore, is this is set to **`Not required`**, an attacker could perform a **PR to the branch** that will trigger the execution adding the malicious code execution to the **`cloudbuild.yml`** file and compromise the cloudbuild execution (note that cloudbuild will download the code FROM the PR, so it will execute the malicious **`cloudbuild.yml`**). {% endhint %} Moreover, it's easy to see if some cloudbuild execution needs to be performed when you send a PR because it appears in Github:
{% hint style="warning" %} Then, even if the cloudbuild is not executed the attacker will be able to see the **project name of a GCP project** that belongs to the company. {% endhint %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}