GCP - Cloud Functions Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloud Functions

Google Cloud Functions are designed to host your code, which gets executed in response to events, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.

Storage

The Cloud Functions code is stored in GCP Storage. Therefore, anyone with read access over buckets in GCP is going to be able to read the Cloud Functions code. The code is stored in a bucket like:

gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip for example: gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip

Any user with write privileges over the bucket storing the Cloud Function could overwrite the executed code.

SA

If not specified, by default the App Engine Default Service Account with Editor permissions over the project will be attached to the Cloud Function.

Triggers, URL & Authentication

When a Cloud Function is created the trigger needs to be specified. One common one is HTTPS, this will create an URL where the function can be triggered via web browsing. Other triggers are pub/sub, Storage, Filestore...

The URL format is https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>

When the HTTPS tigger is used, it's also indicated if the caller needs to have IAM authorization to call the Function or if everyone can just call it:

Inside the Cloud Function

The code is downloaded inside the folder /workspace with the same file names as the ones the files have in the Cloud Function and is executed with the user www-data. The disk isn't mounted as read-only.

Enumeration

# List functions
gcloud functions list
gcloud functions describe <func_name> # Check triggers to see how is this function invoked
gcloud functions get-iam-policy <func_name>

# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit [NUMBER]

# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'

# If you know the name of projects you could try to BF cloud functions names

# Get events that could be used to trigger a cloud function
gcloud functions event-types list

# Access function with authentication
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" \
-d '{}'

Privilege Escalation

In the following page, you can check how to abuse cloud function permissions to escalate privileges:

pageGCP - Cloudfunctions Privesc

References

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Cloud Build Enum NextGCP - Cloud Run Enum

Last updated 2 months ago