GCP - Cloud Functions Enum
Cloud Functions
Google Cloud Functions are designed to host your code, which gets executed in response to events, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.
Storage
The Cloud Functions code is stored in GCP Storage. Therefore, anyone with read access over buckets in GCP is going to be able to read the Cloud Functions code. The code is stored in a bucket like:
gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip
for example:
gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip
Any user with write privileges over the bucket storing the Cloud Function could overwrite the executed code.
SA
If not specified, by default the App Engine Default Service Account with Editor permissions over the project will be attached to the Cloud Function.
Triggers, URL & Authentication
When a Cloud Function is created the trigger needs to be specified. One common one is HTTPS, this will create an URL where the function can be triggered via web browsing. Other triggers are pub/sub, Storage, Filestore...
The URL format is https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>
When the HTTPS tigger is used, it's also indicated if the caller needs to have IAM authorization to call the Function or if everyone can just call it:
Inside the Cloud Function
The code is downloaded inside the folder /workspace
with the same file names as the ones the files have in the Cloud Function and is executed with the user www-data
.
The disk isn't mounted as read-only.
Enumeration
Privilege Escalation
In the following page, you can check how to abuse cloud function permissions to escalate privileges:
pageGCP - Cloudfunctions PrivescUnauthenticated Access
pageGCP - Cloud Functions Unauthenticated EnumPost Exploitation
pageGCP - Cloud Functions Post ExploitationPersistence
pageGCP - Cloud Functions PersistenceReferences
Last updated