GCP - Sourcerepos Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about Source Repositories check:
source.repos.get
With this permission it's possible to download the repository locally:
source.repos.update
A principal with this permission will be able to write code inside a repository cloned with gcloud source repos clone <repo>
. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like:
Owner
Editor
Source Repository Administrator (roles/source.admin
)
Source Repository Writer (roles/source.writer
)
To write just perform a regular git push
.
source.repos.setIamPolicy
With this permission an attacker could grant himself the previous permissions.
If the attacker has access to the secrets where the tokens are stored, he will be able to steal them. For more info about how to access a secret check:
It's possible to add ssh keys to the Source Repository project in the web console. It makes a post request to /v1/sshKeys:add
and can be configured in https://source.cloud.google.com/user/ssh_keys
Once your ssh key is set, you can access a repo with:
And then use git
commands are per usual.
It's possible to create manual credentials to access the Source Repositories:
Clicking on the first link it will direct you to https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&state&authuser=3
Which will prompt an Oauth authorization prompt to give access to Google Cloud Development. So you will need either the credentials of the user or an open session in the browser for this.
This will send you to a page with a bash script to execute and configure a git cookie in $HOME/.gitcookies
Executing the script you can then use git clone, push... and it will work.
source.repos.updateProjectConfig
With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys:
You can also configure a different pub/sub topic or even disable it completely:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)