Notes on GCP - Google Cloud Platform

This post is a collection of resources, techniques and knowledge around security on GCP. The post heavily relies on public resources.

Resource Hierarchy

To better understand GCP, it is important to start from the building blocks of this platform: the organizations, folders, projects and resources. Every GCP environment consists of these 4 levels.

In a tree structure, a GCP environment looks like this:

/organization
|- folder/s
   |- project/s
      |- resource/s

For more information, see the official documentation at [1].

Unauthenticated Enumeration

Identify if a domain is linked to GCP

Whether a domain is associated with a GCP organization can be determined by replacing the FQDN placeholder in the URL listed below and navigating to it.

If the domain is not associated with a GCP organization, the server returns "Google Workspace - Server error". If the domain is associated with a GCP organization and the organization uses a third-party identity provider (IdP), the browser redirects to the IdP's login page. Otherwise, it redirects to accounts.google.com.

https://www.google.com/a/<FQDN>/ServiceLogin?continue=https://console.cloud.google.com

gcloud cli

gcloud is a command line interface utility that is used to create and manage GCP resources.

Authentication

gcloud auth login
gcloud auth activate-service-account --key-file="/path/to/json"

gcloud auth print-access-token

List organizations

gcloud organizations list

List projects

gcloud projects list

List compute resources

gcloud compute instances list

List service accounts

Direct:

gcloud iam service-accounts list

Via Service Account impersonation:

gcloud iam service-accounts list --impersonate-service-account="$SA_ID@$PROJECT_ID.iam.gserviceaccount.com"

IAM Permission Enumeration

Very often, due to security hardening, enumerating IAM policies with the standard gcloud CLI commands is not permitted. However, permissions on GCP resources can still be enumerated through the testIamPermissions method. For more information on the method, see the official documentation at [4].

Permission enumeration on GCP resources facilitates reconnaissance to identify privilege escalation and lateral movement opportunities.

Service Account

Test for Impersonation - Service Account Token Creator

Relevant Role: roles/iam.serviceAccountTokenCreator

The IAM REST API has the method projects.serviceAccounts.testIamPermissions, which allows the caller to determine whether they have the specified permissions on a Service Account.

The following request tests whether the caller can impersonate the provided service account:

TOKEN=$(gcloud auth print-access-token)
PERMISSIONS='[ "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.signBlob", "iam.serviceAccounts.signJwt" ]'
PROJECT_ID=""
SERVICE_ACCOUNT_EMAIL=""

curl -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{ \"permissions\": $PERMISSIONS }" "https://iam.googleapis.com/v1/projects/$PROJECT_ID/serviceAccounts/$SERVICE_ACCOUNT_EMAIL:testIamPermissions"

The response is a JSON object listing which of the requested permissions the caller holds on the provided service account.

Test for Attachment - Service Account User

Relevant Role: roles/iam.serviceAccountUser

Test whether the caller can attach the provided service account to GCP resources so that the resource runs code using that identity.

TOKEN=$(gcloud auth print-access-token)
PERMISSIONS='[ "iam.serviceAccounts.actAs", "iam.serviceAccounts.get", "iam.serviceAccounts.list" ]'
PROJECT_ID=""
SERVICE_ACCOUNT_EMAIL=""

curl -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{ \"permissions\": $PERMISSIONS }" "https://iam.googleapis.com/v1/projects/$PROJECT_ID/serviceAccounts/$SERVICE_ACCOUNT_EMAIL:testIamPermissions"
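The two testIamPermissions checks above combined into one request and interpreted, as an added example that is not part of the original notes: the request body and URL are built exactly as in the curl commands, and the response is reduced to two yes/no findings (Token Creator style impersonation, Service Account User style attachment). The HTTP transport is injectable so the evaluation logic can be exercised on a constructed response without network access; the project and service account names in the main block are placeholders taken from the command line.

```python
import json
import urllib.request

# Permission sets from the two checks above.
TOKEN_CREATOR_PERMS = ["iam.serviceAccounts.getAccessToken",
                       "iam.serviceAccounts.signBlob",
                       "iam.serviceAccounts.signJwt"]
SERVICE_ACCOUNT_USER_PERMS = ["iam.serviceAccounts.actAs",
                              "iam.serviceAccounts.get",
                              "iam.serviceAccounts.list"]

def build_request(project_id, sa_email, permissions):
    """Return (url, JSON body) for projects.serviceAccounts.testIamPermissions."""
    url = (f"https://iam.googleapis.com/v1/projects/{project_id}"
           f"/serviceAccounts/{sa_email}:testIamPermissions")
    return url, json.dumps({"permissions": permissions})

def post_json(url, body, token):
    """Default transport: POST the body with the bearer token, return parsed JSON."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def evaluate(response):
    """Reduce the API response to findings. The API echoes back only the
    requested permissions the caller holds; an empty object means none."""
    held = set(response.get("permissions", []))
    return {
        "held": sorted(held),
        "can_impersonate": "iam.serviceAccounts.getAccessToken" in held,
        "can_act_as": "iam.serviceAccounts.actAs" in held,
    }

def check_service_account(project_id, sa_email, token, transport=post_json):
    """Run both checks in a single request and return the evaluation."""
    url, body = build_request(project_id, sa_email,
                              TOKEN_CREATOR_PERMS + SERVICE_ACCOUNT_USER_PERMS)
    return evaluate(transport(url, body, token))

if __name__ == "__main__":
    import subprocess, sys  # usage: script.py PROJECT_ID SERVICE_ACCOUNT_EMAIL
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()
    print(json.dumps(check_service_account(sys.argv[1], sys.argv[2], token), indent=2))
```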

References

[1] https://docs.cloud.google.com/resource-manager/docs/resource-manager-overview#resource_hierarchy

[2] https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

[3] https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation

[4] https://docs.cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/testIamPermissions

tags: #GCP - Google Cloud Platform