GCP - App Engine Post Exploitation
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
App Engine
For information about App Engine check:
GCP - App Engine Enumappengine.memcache.addKey
| appengine.memcache.list
| appengine.memcache.getKey
| appengine.memcache.flush
With these permissions it's possible to:
Add a key
List keys
Get a key
Delete
However, I couldn't find any way to access this information from the cli, only from the web console where you need to know the Key type and the Key name, of from the app engine running app.
If you know easier ways to use these permissions send a Pull Request!
logging.views.access
With this permission it's possible to see the logs of the App:
The source code of all the versions and services are stored in the bucket with the name staging.<proj-id>.appspot.com
. If you have write access over it you can read the source code and search for vulnerabilities and sensitive information.
Modify source code to steal credentials if they are being sent or perform a defacement web attack.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)