GCP - AppEngine Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

App Engine

For more information about App Engine check:

appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list,,, appengine.versions.create, appengine.versions.get, appengine.versions.list, cloudbuild.builds.get,iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.objects.create, storage.objects.list

Those are the needed permissions to deploy an App using gcloud cli. Maybe the get and list ones could be avoided.
By default, the name of the App service is going to be default, and there can be only 1 instance with the same name. To change it and create a second App, in app.yaml, change the value of the root key to something like service: my-second-app
cd python-docs-samples/appengine/flexible/hello_world
gcloud app deploy #Upload and start application inside the folder
Give it at least 10-15min, if it doesn't work call deploy another of times and wait some minutes.
It's possible to indicate the Service Account to use but by default, the App Engine default SA is used.
The URL of the application is something like https://<proj-name> or https://<service_name>-dot-<proj-name>

appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.operations.get,,, appengine.versions.get, appengine.versions.list, compute.projects.get

With these permissions, it's possible to login via ssh in App Engine instances of type flexible (not standard). Some of the list and get permissions could not be really needed.
gcloud app instances ssh --service <app-name> --version <version-id> <ID>

appengine.applications.update, appengine.operations.get

I think this just change the background SA google will use to setup the applications, so I don't think you can abuse this to steal the service account.
gcloud app update --service-account=<sa_email>

appengine.versions.getFileContents, appengine.versions.update

Not sure how to use these permissions or if they are useful (note that when you change the code a new version is created so I don't know if you can just update the code or the IAM role of one, but I guess you should be able to, maybe changing the code inside the bucket??).

Write Access over the buckets

Even with write access over the buckets where the source code is located it WASN'T possible to execute arbitrary code by modifying the source code and the manifest.json. Maybe if you are monitoring the bucket and detect the moment where a new version is created and the source code and manifest is uploaded, it might be possible to change them so the new version uses the backdoored ones??
It also looks like container layers are stored in the bucket, maybe changing those?
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: