GCP - Cloud Functions Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloud Functions

Google Cloud Functions are designed to host your code, which gets executed in response to events, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.

Storage

The Cloud Functions code is stored in GCP Storage. Therefore, anyone with read access over buckets in GCP is going to be able to read the Cloud Functions code. The code is stored in a bucket like one of the following:

gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip
gcf-v2-sources-<number>-<region>/<function-name>function-source.zip

For example: gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip

Any user with read privileges over the bucket storing the Cloud Function could read the executed code.

Artifact Registry

If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check:

SA

If not specified, by default the App Engine Default Service Account with Editor permissions over the project will be attached to the Cloud Function.

Triggers, URL & Authentication

When a Cloud Function is created the trigger needs to be specified. One common one is HTTPS, this will create an URL where the function can be triggered via web browsing. Other triggers are pub/sub, Storage, Filestore...

The URL format is https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>

When the HTTPS tigger is used, it's also indicated if the caller needs to have IAM authorization to call the Function or if everyone can just call it:

Inside the Cloud Function

The code is downloaded inside the folder /workspace with the same file names as the ones the files have in the Cloud Function and is executed with the user www-data. The disk isn't mounted as read-only.

Enumeration

# List functions
gcloud functions list
gcloud functions describe <func_name> # Check triggers to see how is this function invoked
gcloud functions get-iam-policy <func_name>

# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit [NUMBER]

# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'

# If you know the name of projects you could try to BF cloud functions names

# Get events that could be used to trigger a cloud function
gcloud functions event-types list

# Access function with authentication
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" \
-d '{}'

Privilege Escalation

In the following page, you can check how to abuse cloud function permissions to escalate privileges:

Unauthenticated Access

Post Exploitation

Persistence

References

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Cloud Build Enum NextGCP - Cloud Run Enum

Last updated 4 months ago