Threat Research

“Getting Started with GCPwn: Parts 2 & 3 Overview”

Netspi

Two-part overview of GCPwn exploitation scenarios in Google Cloud Platform, focusing on credential access, project pivoting, and data exfiltration through IAM misconfigurations. It emphasizes enumeration of IAM permissions and using service accounts and ADC to expand access across projects.
#GCPwn #NetSPI #SecretsManager #CloudFunctions #HMACKeys

Keypoints

  • Step 0 establishes breach premises via plaintext credentials discovery.
  • Step 1 covers setting up email/password credentials with gcloud CLI for ADC route.
  • Step 2 launches GCPwn with Application Default Credentials (ADC) to generate credential sets.
  • Step 3 performs reconnaissance in the target project to enumerate resources and permissions.
  • Step 4 pivots to a second project using a Service Account Key as the pivot vector.
  • Step 5 enumerates buckets and secrets to locate sensitive data and HMAC keys.
  • Step 6 downloads bucket content using HMAC keys and SigV4/XML API interoperability.
  • Step 7 creates a Cloud Function to pivot to an attached Service Account for persistence.
  • Step 8 reviews IAM bindings and creates a new Service Account Key for persistence.
  • Step 9 expands reach by adding new projects and continuing enumeration for exploitation opportunities.

MITRE Techniques

  • [T1003] Credential Dumping – Accessing plaintext credentials from files. “Procedure: Accessing plaintext credentials from files.”
  • [T1098] Account Manipulation – Setting up email/password credentials to gain access. “Procedure: Setting up email/password credentials to gain access.”
  • [T1132] Service Account Token Creation – Creating service account keys for persistence. “Procedure: Creating service account keys for persistence.”
  • [T1552] Credential Access – Using HMAC keys to access cloud storage buckets. “Procedure: Using HMAC keys to access cloud storage buckets.”
  • [T1502] Cloud Service Dashboard – Using GCPwn to enumerate resources and permissions across projects. “Procedure: Using GCPwn to enumerate resources and permissions across projects.”

Indicators of Compromise

  • [Email] [email protected] – Found in tokeninfo response showcasing the user’s email.
  • [Service Account] deployer-service-account@staging-project-1-426001.iam.gserviceaccount.com – Service account used during pivot steps.
  • [Service Account] testbench-serviceaccount-multi@staging-project-1-426001.iam.gserviceaccount.com – Service account used to obtain tokens via cloud function/pivot steps.
  • [Bucket] old-development-bucket-9282734 – Bucket enumerated during Step 5.
  • [Bucket] service-account-details-2323232 – Bucket containing service account keys and related notes.
  • [Secret] ServiceAccountHMACKeys-388372 – Secret in Secrets Manager containing HMAC keys.
  • [File] my_staging_service_key.json – Service account key file downloaded from a bucket.
  • [File] staging-project-1-426001-da65b2807066.json – Service account key JSON content discovered.
  • [IP] 169.254.169.254 – AWS/SIGV4-style metadata endpoint used by cloud function payloads.
  • [URL] https://oauth2.googleapis.com/tokeninfo – Token info endpoint queried to validate credentials.

Read more: https://www.netspi.com/blog/technical-blog/cloud-pentesting/introduction-to-gcpwn-parts-2-and-3/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint