gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-22 23:26:41 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
2934cfc93e4a47517903cdd34b75e2018eff2812
hacktricks-cloud/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

259 lines
12 KiB
Markdown
Raw Blame History

# GCP - IAM, Principals & Org Policies Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Service Accounts
For an intro about what is a service account check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
### Enumeration
A service account always belongs to a project:
```bash
gcloud iam service-accounts list --project <project>
```
## Users & Groups
For an intro about how Users & Groups work in GCP check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
### Enumeration
With the permissions **`serviceusage.services.enable`** and **`serviceusage.services.use`** it's possible to **enable services** in a project and use them.
{% hint style="danger" %}
Note that by default, Workspace users are granted the role **Project Creator**, giving them access to **create new projects**. When a user creates a project, he is granted the **`owner`** role over it. So, he could **enable these services over the project to be able to enumerate Workspace**.
However, notice that it's also needed to have **enough permissions in Workspace** to be able to call these APIs.
{% endhint %}
If you can **enable the `admin` service** and if your user has **enough privileges in workspace,** you could **enumerate all groups & users** with the following lines.\
Even if it says **`identity groups`**, it also returns **users without any groups**:
{% code overflow="wrap" %}
```bash
# Enable admin
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com
# Using admin.googleapis.com
## List all users
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>
# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email <email> --labels=cloudidentity.googleapis.com/groups.discussion_forum
## List Group Members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=<email>
### Make it transitive
gcloud identity groups memberships search-transitive-memberships --group-email=<email>
## Get a graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=<email> --labels=cloudidentity.googleapis.com/groups.discussion_forum
```
{% endcode %}
{% hint style="success" %}
In the previous examples the param `--labels` is required, so a generic value is used (it's not requires if you used the API directly like [**PurplePanda does in here**](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc_groups_users.py).
{% endhint %}
Even with the admin service enable, it's possible that you get an error enumerating them because your compromised workspace user doesn't have enough permissions:
<figure><img src="../../../.gitbook/assets/image (193).png" alt=""><figcaption></figcaption></figure>
## IAM
Check [**this for basic information about IAM**](../gcp-basic-information/#iam-roles).
### Default Permissions
From the [**docs**](https://cloud.google.com/resource-manager/docs/default-access-control): When an organization resource is created, all users in your domain are granted the **Billing Account Creator** and **Project Creator** roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.
These **roles** grant the **permissions**:
* `billing.accounts.create` and `resourcemanager.organizations.get`
* `resourcemanager.organizations.get` and `resourcemanager.projects.create`
Moreover, when a user creates a project, he is **granted owner of that project automatically** according to the [docs](https://cloud.google.com/resource-manager/docs/access-control-proj). Therefore, by default, a user will be able to create a project and run any service on it (miners? Workspace enumeration? ...)
{% hint style="danger" %}
The highest privilege in a GCP Organization is the **Organization Administrator** role.
{% endhint %}
### set-iam-policy vs add-iam-policy-binding
In most of the services you will be able to change the permissions over a resource using the method **`add-iam-policy-binding`** or **`set-iam-policy`**. The main difference is that **`add-iam-policy-binding` adds a new role binding** to the existent IAM policy while **`set-iam-policy`** will **delete the previously** granted permissions and **set only the ones** indicated in the command.
### Enumeration
```bash
# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='
## Get perms and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>
# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>
# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>
## Grantable roles to a resource
gcloud iam list-grantable-roles <project URL>
```
### cloudasset IAM Enumeration
There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service.
* The permission **`cloudasset.assets.searchAllIamPolicies`** can request **all the iam policies** inside a resource.
```bash
gcloud asset search-all-iam-policies #By default uses current configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123
```
* The permission **`cloudasset.assets.analyzeIamPolicy`** can request **all the iam policies** of a principal inside a resource.
```bash
# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=<folder-id> \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=<project-name> \
--identity='user:email@hacktricks.xyz'
```
* The permission **`cloudasset.assets.searchAllResources`** allows listing all resources of an organization, folder, or project. IAM related resources (like roles) included.
```bash
gcloud asset search-all-resources --scope projects/<proj-name>
gcloud asset search-all-resources --scope folders/1234567
gcloud asset search-all-resources --scope organizations/123456
```
* The permission **`cloudasset.assets.analyzeMove`** but be useful to also retrieve policies affecting a resource like a project
```bash
gcloud asset analyze-move --project=<proj-name> \
--destination-organization=609216679593
```
* I suppose the permission **`cloudasset.assets.queryIamPolicy`** could also give access to find permissions of principals
```bash
# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing
```
### testIamPermissions enumeration
{% hint style="danger" %}
If you **cannot access IAM information** using the previous methods and you are in a Red Team. You could **use the tool**[ **https://github.com/carlospolop/bf\_my\_gcp\_perms**](https://github.com/carlospolop/bf_my_gcp_perms) **to brute-force your current permissions.**
However, note that the service **`cloudresourcemanager.googleapis.com`** needs to be enabled.
{% endhint %}
### Privesc
In the following page you can check how to **abuse IAM permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-iam-privesc.md" %}
[gcp-iam-privesc.md](../gcp-privilege-escalation/gcp-iam-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum <a href="#service-account-impersonation" id="service-account-impersonation"></a>
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md" %}
[gcp-iam-principals-and-org-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation <a href="#service-account-impersonation" id="service-account-impersonation"></a>
{% content-ref url="../gcp-post-exploitation/gcp-iam-post-exploitation.md" %}
[gcp-iam-post-exploitation.md](../gcp-post-exploitation/gcp-iam-post-exploitation.md)
{% endcontent-ref %}
### Persistence
If you have high privileges you could:
* Create new SAs (or users if in Workspace)
* Give principals controlled by yourself more permissions
* Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…)
*
## Org Policies
For an intro about what Org Policies are check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
The IAM policies indicate the permissions principals has over resources via roles, which are assigned granular permissions. Organization policies **restrict how those services can be used or which features are disabled**. This helps in order to improve the least privilege of each resource in the GCP environment.
```bash
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
gcloud resource-manager org-policies list --folder=FOLDER_ID
gcloud resource-manager org-policies list --project=PROJECT_ID
```
### Privesc
In the following page you can check how to **abuse org policies permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-orgpolicy-privesc.md" %}
[gcp-orgpolicy-privesc.md](../gcp-privilege-escalation/gcp-orgpolicy-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink