GCP - Cloudscheduler Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


cloudscheduler

cloudscheduler.jobs.create, iam.serviceAccounts.actAs, (cloudscheduler.locations.list)

An attacker with these permissions could exploit Cloud Scheduler to authenticate cron jobs as a specific Service Account. By crafting an HTTP POST request, the attacker schedules actions, like creating a Storage bucket, to execute under the Service Account's identity. This method leverages the Scheduler's ability to target *.googleapis.com endpoints and authenticate requests, allowing the attacker to manipulate Google API endpoints directly using a simple gcloud command.

For example, to create a new job that uses a specific Service Account to create a new Storage bucket on our behalf, we could run the following command:

gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://storage.googleapis.com/storage/v1/b?project=<PROJECT-ID>' --message-body "{'name':'new-bucket-name'}" --oauth-service-account-email 111111111111-compute@developer.gserviceaccount.com --headers Content-Type=application/json

To escalate privileges, an attacker merely crafts an HTTP request targeting the desired API, impersonating the specified Service Account.
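A defender-side check for the pattern described above, as an added example that is not part of the original page: it reads Cloud Scheduler job definitions in the JSON shape returned by `gcloud scheduler jobs list --format=json` and reports HTTP jobs that call a *.googleapis.com endpoint with a Service Account OAuth token. The sample jobs, project and account names are constructed, and the high/medium severity split and the POST fallback are this example's own assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the Cloud Scheduler v1 Job resource;
# project, job and service account names are made up for illustration.
SAMPLE_JOBS = json.loads("""
[
  {"name": "projects/example-proj/locations/us-central1/jobs/test", "schedule": "* * * * *",
   "httpTarget": {"uri": "https://storage.googleapis.com/storage/v1/b?project=example-proj",
     "httpMethod": "POST", "oauthToken": {
       "serviceAccountEmail": "111111111111-compute@developer.gserviceaccount.com"}}},
  {"name": "projects/example-proj/locations/us-central1/jobs/nightly-report", "schedule": "0 3 * * *",
   "httpTarget": {"uri": "https://reports.example.com/run",
     "httpMethod": "POST", "oidcToken": {
       "serviceAccountEmail": "reports@example-proj.iam.gserviceaccount.com"}}},
  {"name": "projects/example-proj/locations/us-central1/jobs/queue-tick", "schedule": "*/5 * * * *",
   "pubsubTarget": {"topicName": "projects/example-proj/topics/tick"}}
]
""")

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}  # methods that can change resources

def is_google_api(uri):
    """True only when the URI host is googleapis.com or a subdomain of it."""
    host = (urlsplit(uri).hostname or "").lower()
    return host == "googleapis.com" or host.endswith(".googleapis.com")

def audit_jobs(jobs):
    """Return one finding per HTTP job that sends a Service Account OAuth token to a Google API."""
    findings = []
    for job in jobs:
        target = job.get("httpTarget") or {}
        sa = target.get("oauthToken", {}).get("serviceAccountEmail")
        # Pub/Sub jobs, OIDC-authenticated jobs and non-Google hosts are out of scope here.
        if not sa or not is_google_api(target.get("uri", "")):
            continue
        method = target.get("httpMethod", "POST")  # assumption: treat a missing method as POST
        findings.append({
            "job": job["name"], "service_account": sa, "uri": target["uri"],
            "method": method, "schedule": job.get("schedule"),
            "severity": "high" if method in MUTATING else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_jobs(SAMPLE_JOBS):
        print(json.dumps(finding))
```

Each finding names the job and the Service Account it runs as, so the reviewer can compare that account's roles against who holds cloudscheduler.jobs.create and iam.serviceAccounts.actAs in the project.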
