GCPwn is a Python framework that consolidates GCP attack scripts and credential management for pentesting Google Cloud environments. Part 1 covers core concepts, installation, credential handling, and how to start enumerating and exploiting services, with future parts promising deeper walkthroughs. #GCPwn #RhinoSecurity #GCPBucketBrute #Pacu #GoogleCloudPlatform
Key points
- GCPwn is a Python-based framework designed to consolidate GCP attack scripts and manage multiple credentials (e.g., service account keys) in one place.
- It leverages Google’s newer Python SDKs instead of older libraries to interact with GCP services.
- The project draws inspiration from Rhino Security’s Pacu, a Python framework for testing AWS environments.
- Core traits include handling different credential types, packaging enumeration/exploitation modules for quick use, passively tracking permissions, and enabling brute-forcing via testIamPermissions.
- The blog is divided into 3 parts; Part 1 covers core concepts and high-level usage, while Parts 2 and 3 will provide example enumeration/exploitation scenarios in a test environment.
- Installation can be done via a setup script or Docker; credentials can be added (ADC, OAuth2 tokens, service account keys) and modules are selected to run (enumeration, exploitation, or unauthenticated modules).
MITRE Techniques
- [T1003] Credential Dumping – GCPwn manages multiple sets of credentials, including service account keys and OAuth2 tokens, allowing for credential enumeration and exploitation. [ “GCPwn manages multiple sets of credentials, including service account keys and OAuth2 tokens, allowing for credential enumeration and exploitation.” ]
- [T1069] Permission Enumeration – GCPwn utilizes the testIamPermissions API to enumerate permissions for various resources, enabling identification of potential privilege escalation paths. [ “testIamPermissions API to enumerate permissions for various resources, enabling identification of potential privilege escalation paths.” ]
- [T1210] Exploitation of Remote Services – GCPwn includes exploit modules that can manipulate IAM policies, allowing for privilege escalation or unauthorized access to resources. [ “Exploitation modules that can manipulate IAM policies, allowing for privilege escalation or unauthorized access to resources.” ]
- [T1098] Account Manipulation – GCPwn’s exploit modules can modify IAM policies to add users or service accounts, effectively granting them elevated permissions. [ “exploit setIamPolicy on the target resource, usually to set yourself as some type of admin over the resource” ]
Indicators of Compromise
- [Credentials] context – Email: <email>, Password: <password>, and OAuth2 Token: ya29.a0AXooC[REDACTED]
- [Credential JSON] context – Service account JSON key block (example: { "type": "service_account", "project_id": "[Project_ID]", "private_key_id": "[private_key_id]", "client_email": "[client_email]", "client_id": "[client_id]", "token_uri": "https://oauth2.googleapis.com/token", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/tes[TRUNCATED]" })
- [Credential File] context – Service account key JSON file content (example: { "type": "service_account", … })
- [URLs] context – https://accounts.google.com/o/oauth2/auth, https://oauth2.googleapis.com/token, https://www.googleapis.com/oauth2/v1/certs (these are Google's standard OAuth2 endpoints and appear in every service account key file; they identify the credential format rather than malicious infrastructure)
Read more: https://www.netspi.com/blog/technical-blog/cloud-pentesting/introduction-to-gcpwn-part-1/