GCP - Sourcerepos Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Source Repositories

For more information about Source Repositories check:

GCP - Source Repositories Enum

`source.repos.get`

With this permission it's possible to download the repository locally:

gcloud source repos clone <repo-name> --project=<project-uniq-name>

`source.repos.update`

A principal with this permission will be able to write code inside a repository cloned with gcloud source repos clone <repo>. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like:

Owner
Editor
Source Repository Administrator (roles/source.admin)
Source Repository Writer (roles/source.writer)

To write just perform a regular git push.

`source.repos.setIamPolicy`

With this permission an attacker could grant himself the previous permissions.

Secret access

If the attacker has access to the secrets where the tokens are stored, he will be able to steal them. For more info about how to access a secret check:

GCP - Secretmanager Privesc

Add SSH keys

It's possible to add ssh keys to the Source Repository project in the web console. It makes a post request to /v1/sshKeys:add and can be configured in https://source.cloud.google.com/user/ssh_keys

Once your ssh key is set, you can access a repo with:

git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>

And then use git commands are per usual.

Manual Credentials

It's possible to create manual credentials to access the Source Repositories:

Clicking on the first link it will direct you to https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&state&authuser=3

Which will prompt an Oauth authorization prompt to give access to Google Cloud Development. So you will need either the credentials of the user or an open session in the browser for this.

This will send you to a page with a bash script to execute and configure a git cookie in $HOME/.gitcookies

Executing the script you can then use git clone, push... and it will work.

`source.repos.updateProjectConfig`

With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys:

gcloud source project-configs update --disable-pushblock

You can also configure a different pub/sub topic or even disable it completely:

gcloud source project-configs update --remove-topic=REMOVE_TOPIC
gcloud source project-configs update --remove-topic=UPDATE_TOPIC

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Serviceusage Privesc NextGCP - Storage Privesc

Last updated 4 months ago