If `gcloud auth list` returns multiple accounts available, something interesting is going on. You should generally see only the service account. If there is more than one, you can cycle through each using `gcloud config set account [ACCOUNT]` while trying the various tasks in this blog.

Access scopes bound what the instance's OAuth token may do, independently of IAM. A scope such as `devstorage.read_only` grants read access to all storage buckets in the project (what is actually readable is still governed by the service account's IAM roles, and the default compute service account has historically been granted Editor). This can be devastating, which of course is great for us as an attacker. The `cloud-platform` scope is what we are really hoping for, as it will allow us to authenticate to any API function and leverage the full power of our assigned IAM permissions.

It is possible to run into conflicts between IAM and access scopes. For example, your service account may hold the IAM role `compute.instanceAdmin`, but the instance you've breached has been crippled with the scope limitation of `https://www.googleapis.com/auth/compute.readonly`. This would prevent you from making any changes using the OAuth token that's automatically assigned to your instance, which is also the token the `gcloud` command uses there unless you authenticate otherwise.

Also check the environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This can be set to point to a service account key file.

Every project starts with a network named `default`, which carries a set of pre-populated firewall rules that apply to all instances on the `default` network. Unfortunately, there is no single `gcloud` command to spit out all Compute Instances with open ports on the internet. You have to connect the dots between firewall rules, network tags, service accounts, and instances.

Useful enumeration commands for roles, bindings, service accounts and instances (placeholders in angle brackets must be filled in):

```bash
gcloud iam roles list --filter='etag:AA=='   # predefined roles carry the etag AA==
gcloud organizations get-iam-policy <org-id>
gcloud projects get-iam-policy <project-id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud identity groups memberships search-transitive-memberships --group-email=<group-email>
gcloud iam roles describe roles/accessapproval.approver
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" //cloudresourcemanager.googleapis.com/projects/<project-id>
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/<project-id>
gcloud iam roles list --project $PROJECT_ID
gcloud iam service-accounts list
gcloud compute instances list --quiet --format=json
```

Reviewing the output of `gcloud compute instances list --quiet --format=json`, look for instances with either the specific scope you want or the `auth/cloud-platform` all-inclusive scope.
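The "connect the dots" pass described above, together with the scope review of the instance listing, as an added Python example that is not the blog author's code. It joins constructed samples shaped like the JSON that `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json` emit (the project `test-project`, the instance names, tags, addresses, service-account e-mails and rule names are all made up for the example), reports which ports on each externally addressable instance are reachable from the internet, and flags tokens that carry `cloud-platform`. Rule evaluation follows GCP's ordering: a lower priority number wins, and deny beats allow on a tie.

```python
"""Added example (not from the original post): correlate instance and firewall
JSON from gcloud to find internet-exposed ports and all-inclusive scopes.
Every record below is constructed sample data, not output from a real project."""
import ipaddress
import json

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
NET = "https://www.googleapis.com/compute/v1/projects/test-project/global/networks/default"
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed stand-in for `gcloud compute instances list --format=json` (same field names).
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["http-server"]},
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.10"}]}],
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                     "https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "build-1", "tags": {},
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.11"}]}],
     "serviceAccounts": [{"email": "deploy-sa@test-project.iam.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM]}]},
    {"name": "db-1", "tags": {"items": ["db"]},
     "networkInterfaces": [{"network": NET}],  # internal IP only, no accessConfigs
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
]
# Constructed stand-in for `gcloud compute firewall-rules list --format=json`.
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "network": NET, "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "network": NET, "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "allow-http", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-deploy-api", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetServiceAccounts": ["deploy-sa@test-project.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080-8090"]}]},
    {"name": "deny-deploy-admin", "network": NET, "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "targetServiceAccounts": ["deploy-sa@test-project.iam.gserviceaccount.com"],
     "denied": [{"IPProtocol": "tcp", "ports": ["8085"]}]},
]


def is_internet_source(cidr):
    """True unless the source range sits wholly inside a private/internal block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)


def rule_targets(rule, inst):
    """No targets = every instance in the network; else match network tags or SA."""
    tags, sas = set(rule.get("targetTags", [])), set(rule.get("targetServiceAccounts", []))
    if not tags and not sas:
        return True
    inst_tags = set(inst.get("tags", {}).get("items", []))
    inst_sas = {sa["email"] for sa in inst.get("serviceAccounts", [])}
    return bool(tags & inst_tags or sas & inst_sas)


def port_ranges(entry):
    """An allowed/denied entry -> [(lo, hi)]; a missing 'ports' key means all ports."""
    ports = entry.get("ports") or ["0-65535"]
    return [(int(p.partition("-")[0]), int(p.partition("-")[2] or p)) for p in ports]


def subtract(ranges, deny):
    """Remove the (lo, hi) deny range from every range in the list."""
    out = []
    for lo, hi in ranges:
        if hi < deny[0] or lo > deny[1]:
            out.append((lo, hi))
            continue
        if lo < deny[0]:
            out.append((lo, deny[0] - 1))
        if hi > deny[1]:
            out.append((deny[1] + 1, hi))
    return out


def exposed_ports(inst, rules):
    """{proto: [(lo, hi), ...]} reachable from the internet on this instance."""
    nics = [n for n in inst.get("networkInterfaces", [])
            if any("natIP" in ac for ac in n.get("accessConfigs", []))]
    if not nics:
        return {}  # no external IP, nothing to reach
    nets = {n["network"] for n in nics}
    applicable = [r for r in rules
                  if r["network"] in nets and r.get("direction", "INGRESS") == "INGRESS"
                  and not r.get("disabled") and rule_targets(r, inst)
                  and any(is_internet_source(s) for s in r.get("sourceRanges", []))]
    result = {}
    for rule in applicable:
        for entry in rule.get("allowed", []):
            ranges = port_ranges(entry)
            for deny in applicable:  # lower number = higher priority; deny wins a tie
                if deny.get("priority", 1000) > rule.get("priority", 1000):
                    continue
                for d in deny.get("denied", []):
                    if d["IPProtocol"] in (entry["IPProtocol"], "all"):
                        for dr in port_ranges(d):
                            ranges = subtract(ranges, dr)
            result.setdefault(entry["IPProtocol"], []).extend(ranges)
    return {proto: sorted(set(r)) for proto, r in result.items() if r}


def report(instances, rules):
    """Per instance: internet-exposed ports plus the scopes its token carries."""
    out = {}
    for inst in instances:
        sa = (inst.get("serviceAccounts") or [{}])[0]
        scopes = sa.get("scopes", [])
        out[inst["name"]] = {"exposed": exposed_ports(inst, rules), "service_account": sa.get("email"),
                             "scopes": scopes, "cloud_platform": CLOUD_PLATFORM in scopes}
    return out


if __name__ == "__main__":
    print(json.dumps(report(INSTANCES, FIREWALL_RULES), indent=2))
```

Against real output, save `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json` to files and pass the `json.load()` results to `report()`. It models VPC firewall rules only: hierarchical firewall policies, load balancers and Cloud Armor are not considered, and a deny from a narrower source range is ignored (which errs toward over-reporting), so treat the result as a candidate list to confirm with a port scan rather than as ground truth.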
Instances may also run as a custom service account, which is identified by its e-mail address (e.g. `[email protected]`). Downloaded service account key files are named `[project-id]-[portion-of-key-id].json`. So, if your project name is `test-project`, then you can search the filesystem for `test-project*.json` looking for this key file.

If you find one, you can tell the `gcloud` command to re-authenticate with this service account. You can do this on the instance, or on any machine that has the tools installed. Credentials loaded from a key file carry `https://www.googleapis.com/auth/cloud-platform` listed in the scopes, which means you are not limited by any instance-level access scopes. You now have full power to use all of your assigned IAM permissions. Note that `gcloud` will error out if you try to grant it a permission above Editor.

The service account's own address (e.g. `[email protected]`) is of no use against the directory: if you try to access Workforce API calls directly with that email, even with delegation enabled, you will fail. This is because the Workforce directory will not include the GCP service account's email addresses. Instead, to interact with Workforce, we need to actually impersonate valid Workforce users.

Most `gcloud` resource types support `list` (list items of that type), `describe` (describe parent and children items) and `get-iam-policy` (get the policy attached to that specific resource).