HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

GCP - Apikeys Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Apikeys

The following permissions are useful to create and steal API keys, not this from the docs: An API key is a simple encrypted string that identifies an application without any principal. They are useful for accessing public data anonymously, and are used to associate API requests with your project for quota and billing.

Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.

For more information about API Keys check:

pageGCP - API Keys Enum

For other ways to create API keys check:

pageGCP - Serviceusage Privesc

Brute Force API Key access

As you might not know which APIs are enabled in the project or the restrictions applied to the API key you found, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.

apikeys.keys.create

This permission allows to create an API key:

gcloud services api-keys create
Operation [operations/akmf.p7-[...]9] complete. Result: {
    "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
    "createTime":"2022-01-26T12:23:06.281029Z",
    "etag":"W/\"HOhA[...]==\"",
    "keyString":"AIzaSy[...]oU",
    "name":"projects/5[...]6/locations/global/keys/f707[...]e8",
    "uid":"f707[...]e8",
    "updateTime":"2022-01-26T12:23:06.378442Z"
}

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

Note that by default users have permissions to create new projects adn they are granted Owner role over the new project. So a user could create a project and an API key inside this project.

apikeys.keys.getKeyString , apikeys.keys.list

These permissions allows list and get all the apiKeys and get the Key:

for  key  in  $(gcloud services api-keys list --uri); do
	gcloud services api-keys get-key-string "$key"
done

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

apikeys.keys.undelete , apikeys.keys.list

These permissions allow you to list and regenerate deleted api keys. The API key is given in the output after the undelete is done:

gcloud services api-keys list --show-deleted
gcloud services api-keys undelete <key-uid>

Create Internal OAuth Application to phish other workers

Check the following page to learn how to do this, although this action belongs to the service clientauthconfig according to the docs:

pageGWS - Google Platforms Phishing
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousGCP - Privilege EscalationNextGCP - AppEngine Privesc

Last updated