hacktricks-cloud/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md

# GCP - Sourcerepos Privesc

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Source Repositories

For more information about Source Repositories check:

{% content-ref url="../gcp-services/gcp-source-repositories-enum.md" %}
[gcp-source-repositories-enum.md](../gcp-services/gcp-source-repositories-enum.md)
{% endcontent-ref %}

### `source.repos.get`

With this permission it's possible to download the repository locally:

```bash
gcloud source repos clone <repo-name> --project=<project-uniq-name>
```

### `source.repos.update`

A principal with this permission **will be able to write code inside a repository cloned with `gcloud source repos clone <repo>`**. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like:

* Owner
* Editor
* Source Repository Administrator (`roles/source.admin`)
* Source Repository Writer (`roles/source.writer`)

To write just perform a regular **`git push`**.

### `source.repos.setIamPolicy`

With this permission an attacker could grant himself the previous permissions.

### Secret access

If the attacker has **access to the secrets** where the tokens are stored, he will be able to steal them. For more info about how to access a secret check:

{% content-ref url="gcp-secretmanager-privesc.md" %}
[gcp-secretmanager-privesc.md](gcp-secretmanager-privesc.md)
{% endcontent-ref %}

### Add SSH keys

It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`** and can be configured in [https://source.cloud.google.com/user/ssh\_keys](https://source.cloud.google.com/user/ssh_keys)

Once your ssh key is set, you can access a repo with:

{% code overflow="wrap" %}
```bash
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
```
{% endcode %}

And then use **`git`** commands are per usual.

### Manual Credentials

It's possible to create manual credentials to access the Source Repositories:

<figure><img src="../../../.gitbook/assets/image (324).png" alt=""><figcaption></figcaption></figure>

Clicking on the first link it will direct you to [https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3](https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3)

Which will prompt an **Oauth authorization prompt** to give access to **Google Cloud Development**. So you will need either the **credentials of the user** or an **open session in the browser** for this.

This will send you to a page with a **bash script to execute** and configure a git cookie in **`$HOME/.gitcookies`**

<figure><img src="../../../.gitbook/assets/image (323).png" alt=""><figcaption></figcaption></figure>

Executing the script you can then use git clone, push... and it will work.

### `source.repos.updateProjectConfig`

With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys:

```bash
gcloud source project-configs update --disable-pushblock
```

You can also configure a different pub/sub topic or even disable it completely:

```bash
gcloud source project-configs update --remove-topic=REMOVE_TOPIC
gcloud source project-configs update --remove-topic=UPDATE_TOPIC
```

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}