GCP - Cloud Scheduler Enum
Google Cloud Scheduler is a fully managed cron job service that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to automate various tasks like updates or batch processing on a regular schedule.
Although from an offensive point of view this sounds amazing, it actually isn't that interesting, because the service only allows scheduling certain simple actions at a certain time, not executing arbitrary code.
At the time of this writing, these are the actions this service allows you to schedule:
HTTP: Send an HTTP request, defining the headers and body of the request.
Pub/Sub: Send a message to a specific topic.
App Engine HTTP: Send an HTTP request to an app built in App Engine.
Workflows: Call a GCP Workflow.
A service account is not always required by each scheduler. The Pub/Sub and App Engine HTTP types don't require any service account. The Workflow requires a service account, but it will only invoke the workflow. Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and to add either an OAuth token or an OIDC token to the HTTP request that is sent.
Therefore, it's possible to steal the OIDC token and abuse the OAuth token of service accounts by abusing the HTTP type. More on this in the privilege escalation page.
Note that it's possible to limit the scope of the OAuth token sent; however, by default, it'll be cloud-platform.
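To review which jobs attach service account tokens and with what scope, the following added example (not part of the original page) audits job definitions exported as JSON. The sample jobs, project and host names are constructed, the field names follow the Cloud Scheduler Job resource (`httpTarget`, `oauthToken`, `oidcToken`), and the `review` heuristics are assumptions to tune for your environment.

```python
import json
from urllib.parse import urlparse

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample shaped like `gcloud scheduler jobs list --location=... --format=json`.
SAMPLE_JOBS = json.loads("""[
 {"name": "projects/example-proj/locations/us-central1/jobs/nightly-report",
  "httpTarget": {"uri": "https://reports.example.com/run", "httpMethod": "POST",
    "oauthToken": {"serviceAccountEmail": "sched@example-proj.iam.gserviceaccount.com"}}},
 {"name": "projects/example-proj/locations/us-central1/jobs/call-run-svc",
  "httpTarget": {"uri": "https://svc-abc123-uc.a.run.app/task", "httpMethod": "POST",
    "oidcToken": {"serviceAccountEmail": "invoker@example-proj.iam.gserviceaccount.com",
                  "audience": "https://svc-abc123-uc.a.run.app"}}},
 {"name": "projects/example-proj/locations/us-central1/jobs/publish-tick",
  "pubsubTarget": {"topicName": "projects/example-proj/topics/tick", "data": "dGljaw=="}}
]""")

def _host(url):
    return urlparse(url or "").hostname or ""

def audit_jobs(jobs):
    """Return one finding per job whose HTTP target attaches a service-account token."""
    findings = []
    for job in jobs:
        http = job.get("httpTarget")
        if not http:  # Pub/Sub and App Engine HTTP jobs carry no service-account token
            continue
        host = _host(http.get("uri"))
        base = {"job": job["name"].rsplit("/", 1)[-1], "host": host}
        oauth, oidc = http.get("oauthToken"), http.get("oidcToken")
        if oauth:
            scope = oauth.get("scope") or CLOUD_PLATFORM  # unset scope defaults to cloud-platform
            # Heuristic (assumption): broad scope, or an access token leaving Google APIs.
            review = scope == CLOUD_PLATFORM or not host.endswith(".googleapis.com")
            findings.append({**base, "token": "oauth", "scope": scope, "review": review,
                             "sa": oauth.get("serviceAccountEmail")})
        elif oidc:
            audience = oidc.get("audience") or http.get("uri")  # unset audience defaults to the URI
            # Heuristic (assumption): audience host should match the host receiving the token.
            findings.append({**base, "token": "oidc", "audience": audience,
                             "review": _host(audience) != host,
                             "sa": oidc.get("serviceAccountEmail")})
    return findings

if __name__ == "__main__":
    for f in audit_jobs(SAMPLE_JOBS):
        print(("REVIEW " if f["review"] else "ok     ") + json.dumps(f))
```

Jobs flagged for review are candidates for an explicit, narrower OAuth scope or a dedicated low-privilege service account.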