HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

GCP - Deploymentmaneger Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

deploymentmanager

deploymentmanager.deployments.create

This single permission lets you launch new deployments of resources into GCP with arbitrary service accounts. You could for example launch a compute instance with a SA to escalate to it.

You could actually launch any resource listed in gcloud deployment-manager types list

In the original research following script is used to deploy a compute instance, however that script won't work. Check a script to automate the creation, exploit and cleaning of a vuln environment here.

deploymentmanager.deployments.update

This is like the previous abuse but instead of creating a new deployment, you modifies one already existing (so be careful)

Check a script to automate the creation, exploit and cleaning of a vuln environment here.

deploymentmanager.deployments.setIamPolicy

This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previous deploymentmanager.deployments.create section.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousGCP - Container PrivescNextGCP - IAM Privesc

Last updated