On a recent engagement, I have jumped onto a small JSON file laying in a GitLab repository which looked very intriguing. Inside there it was written it’s a service account. I found out this is related to the Google Cloud Platform (GCP). Of course, I had to explore it more, however, I never had any prior experience with the GCP before. This post presents a short note and a few interesting references from which I learned how to move around in GCP.
Before we start
GCP has excellent documentation which I will be referring to. I think there is no better place to learn about how to move around on this platform. It is very well written compared to the other two other big cloud platforms.
Because service accounts are not user accounts, you will most likely not be able to use them directly in the Google Cloud Web Console (Web UI) to control the environment. I suggest you install the cloud SDK on your system – or use the excellent Google Cloud shell (my way to go) from GCP Web console. Google Cloud Shell is an interactive shell environment that makes it easy to experiment with GCP. It allows one to manage projects and resources from a web browser without installing anything on one’s system. Just start your own GCP project and experiment with the cloud shell.
How to authenticate with a service account
First, let’s see how a service account (JSON) file looks inside:
To see how to create one and play along with me, check this document about the creation of a service account in a project. Also, you would need at least two GCP projects. One project with a service account created, and the second project to authenticate with this account to the first project.
To authenticate with the just created service account, issue the command below. If you are using GCP cloud shell, first upload the service account JSON file to your cloud shell disk.
gcloud auth activate-service-account --project=<YOUR GCLOUD PROJECT> --key-file=<SERVICE ACCOUNT FILE>
Where –project supplied the project_id from the file and –key is the JSON file you just uploaded to your cloud shell.
This way you can authenticate with a service account created in one GCP project into a different GCP project you own.
Moving around inside – IAM roles
What can actually be controlled inside a GCP project using a particular service account, depends on the IAM roles assigned to that account.
You can view assigned roles and read more information about them by using the snippet below:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT> \ --flatten="bindings.members" \ --format='table(bindings.role)' \ --filter="bindings.members:<YOUR SERVICE ACCOUNT>"
As you read the next paragraphs in this post, you may notice some of the commands not giving you the result you would expect. If so, this is because your service account doesn’t have the specific roles and privileges assigned. In such case you should update your service account IAM roles in your project if you want to follow this post.
Additionally, during the engagement, you could find additional service accounts JSON files inside hosts or storage buckets. Some of them might have a higher access level than your current one. Obviously just authenticate like it was presented above and check permissions.
You can issue the command below to list all the service accounts for the given project:
gcloud iam service-accounts list
You could try to impersonate other service account and execute a command in the context of that account. This might not work because this requires a special “Service Account Token Creator Owner” IAM role assigned currently logged-in service account.
gcloud compute instances list --impersonate-service-account firstname.lastname@example.org
Getting into management console (GCP Web UI)
There is a possibility to add your own @gmail.com account to the GCP project management console. Currently, logged-in service account needs IAM Security Admin role. Try below command:
gcloud projects add-iam-policy-binding chosen-hacks-000001 --member user:<YOUR CONTROLED EMAIL>@gmail.com --role roles/editor
You can now try to login with controlled @gmail.com mail account to the management console, then look if you have access to additional project
Moving around inside – Compute Instances
Compute Instances for GCP mean VM instances – hosts with OSs like Linux and Windows. In case your service account has enough privileges, you could control them by connecting to them, creating accounts or starting/stopping. The command below will list all Compute Instances in the current project:
gcloud compute instances list
If you are lucky with permissions, you might be able to SSH into some of them with the following command:
gcloud compute ssh <INSTANCE-NAME>
If asked for a passphrase, try deleting your .ssh GCP config and set up a new one, then try to connect again:
Once you are in, just
sudo su to become root:
For Windows hosts, we need a username and a password in order to RDP in. Try to create a user with the following command:
gcloud compute reset-windows-password <INSTANCE-NAME> --user=<USERNAME>
This command will create the user if it account does not exists, otherwise it will reset its password.
There are other ways to access running instances, like modifying custom instance metadata. However I wanted this post to be very introductory, so if you want to learn more, go down to the bottom of this post where I put the list of reference links, from which I learned most of the tricks on how to escalate privileges for Compute Instances.
Moving around inside – Storage buckets
Besides Compute Instances, what I found interesting are Storage buckets. This service is for storing data in the Google Cloud. Organizations often keep there many files that are interesting from a red teamer’s perspective. To list the available storage buckets, issue the command below:
To list the contents of a storage bucket, issue this command:
gsutil ls gs://chosen-hacks-storage/
In order to go deeper into the folder structure, just add additional listed folder, as on the screenshot below:
Display the contents of some files using gsutil cat command:
Downloading is very easy as issuing cp command. It will download a file to your cloud shell disk.
This post is just scratching the surface of GCP services that you could access with an obtained service account. There are more services which could keep additional secrets. To list a few: databases, custom images, cloud functions even more… However, covering them would make this post too long. If you wish to learn more, please scroll down to the links in the Reference paragraph.
To sum up this post, I encourage you to play with GCP. You never know when you will land on a Compute Instance host or maybe you will find a service account file in a repository as I did.
I learned most of the stuff from this great Red Team Gitlab article. It is a very comprehensive post, which covers most interesting GCP services and explains how to move laterally and escalate privileges once inside. GitLab Red Team also presents tools that can be used for enumeration. Read it and bookmark it.
Another very interesting one is the two-part series by Rhino Security labs about GCP privilege escalation. I highly recommend to read and play. Part 1 and Part 2.
Some additional tools I found which be could useful for GCP enumeration:
- https://gitlab.com/gitlab-com/gl-security/gl-redteam/gcp_firewall_enum <– enumerate firewall and instances, then run Nmap/masscan on open ports
Excellent general cloud cheat sheet prepared by @dafthack: https://github.com/dafthack/CloudPentestCheatsheets