GCP - Deploymentmaneger Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

deploymentmanager

`deploymentmanager.deployments.create`

This single permission lets you launch new deployments of resources into GCP with arbitrary service accounts. You could for example launch a compute instance with a SA to escalate to it.

You could actually launch any resource listed in gcloud deployment-manager types list

In the original research following script is used to deploy a compute instance, however that script won't work. Check a script to automate the creation, exploit and cleaning of a vuln environment here.

`deploymentmanager.deployments.update`

This is like the previous abuse but instead of creating a new deployment, you modifies one already existing (so be careful)

Check a script to automate the creation, exploit and cleaning of a vuln environment here.

`deploymentmanager.deployments.setIamPolicy`

This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previous deploymentmanager.deployments.create section.

References

https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Container Privesc NextGCP - IAM Privesc

Last updated 4 months ago