GCP - Cloud Scheduler Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

Google Cloud Scheduler is a fully managed cron job service that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to automate various tasks like updates or batch processing on a regular schedule.

Although from an offensive point of view this sounds amazing, it actually isn't that interesting, because the service only allows scheduling a few simple actions at a given time; it does not execute arbitrary code.

At the moment of this writing these are the actions this service allows to schedule:

  • HTTP: Send an HTTP request defining the headers and body of the request.

  • Pub/Sub: Send a message to a specific topic.

  • App Engine HTTP: Send an HTTP request to an app built in App Engine.

  • Workflows: Call a GCP Workflow.

Service Accounts

A service account is not always required by each scheduler. The Pub/Sub and App Engine HTTP types don't require any service account. The Workflows type does require a service account, but it'll just invoke the workflow. Finally, the regular HTTP type doesn't require a service account either, but it's possible to indicate that the target requires some kind of auth and attach either an OAuth token or an OIDC token of a service account to the HTTP request that is sent.

Therefore, by abusing the HTTP type it's possible to steal the OIDC token or abuse the OAuth token of the attached service account. More on this in the privilege escalation page.

Note that it's possible to limit the scope of the OAuth token that is sent; however, by default, the scope will be cloud-platform.

Enumeration

# Get schedulers in a location
gcloud scheduler jobs list --location us-central1

# Get information about a specific scheduler
gcloud scheduler jobs describe --location us-central1 <scheduler-name>
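The two gcloud commands above print one entry per job; the fields that matter for the Service Accounts discussion are the ones inside httpTarget (oauthToken / oidcToken, their serviceAccountEmail, and the OAuth scope, which falls back to cloud-platform when omitted). The following script is an added example, not part of this page or of any Google tooling: it parses the JSON form of that listing (gcloud ... --format=json) and reports, per job, which target type it has and whether a service-account token is attached. The job names, URIs and service-account e-mails in the embedded sample are constructed placeholders; the field names mirror the Cloud Scheduler v1 Job resource.

```python
import json

# Constructed sample of what `gcloud scheduler jobs list --location us-central1 --format=json`
# returns. Project, job names, URIs and service accounts are placeholders, not real resources.
SAMPLE_JOBS_JSON = json.dumps([
    {
        "name": "projects/example-project/locations/us-central1/jobs/nightly-report",
        "schedule": "0 2 * * *",
        "state": "ENABLED",
        "httpTarget": {
            "uri": "https://report.example.internal/run",
            "httpMethod": "POST",
            # No "scope" key: the OAuth token is minted with the cloud-platform default.
            "oauthToken": {"serviceAccountEmail": "sched-sa@example-project.iam.gserviceaccount.com"},
        },
    },
    {
        "name": "projects/example-project/locations/us-central1/jobs/call-cloud-run",
        "schedule": "*/15 * * * *",
        "state": "ENABLED",
        "httpTarget": {
            "uri": "https://svc-abc.a.run.app/tick",
            "httpMethod": "GET",
            "oidcToken": {
                "serviceAccountEmail": "invoker@example-project.iam.gserviceaccount.com",
                "audience": "https://svc-abc.a.run.app",
            },
        },
    },
    {
        "name": "projects/example-project/locations/us-central1/jobs/publish-event",
        "schedule": "0 * * * *",
        "state": "PAUSED",
        "pubsubTarget": {"topicName": "projects/example-project/topics/events", "data": "aGVsbG8="},
    },
    {
        "name": "projects/example-project/locations/us-central1/jobs/plain-webhook",
        "schedule": "0 0 * * 1",
        "state": "ENABLED",
        "httpTarget": {"uri": "https://hooks.example.internal/weekly", "httpMethod": "POST"},
    },
])

# Scope Cloud Scheduler uses for an OAuth token when the job does not set one.
DEFAULT_OAUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def target_type(job: dict) -> str:
    """Map the target sub-object present on the job to the type names used on this page."""
    for key, label in (("httpTarget", "HTTP"), ("pubsubTarget", "Pub/Sub"),
                       ("appEngineHttpTarget", "App Engine HTTP")):
        if key in job:
            return label
    return "unknown"


def attached_credential(job: dict):
    """Return details of the service-account token attached to an HTTP job, or None."""
    http = job.get("httpTarget")
    if not http:
        return None
    if "oauthToken" in http:
        tok = http["oauthToken"]
        return {"kind": "oauth",
                "service_account": tok.get("serviceAccountEmail"),
                "scope": tok.get("scope") or DEFAULT_OAUTH_SCOPE,
                "scope_is_default": "scope" not in tok}
    if "oidcToken" in http:
        tok = http["oidcToken"]
        # When audience is omitted the API uses the target URI as the audience.
        return {"kind": "oidc",
                "service_account": tok.get("serviceAccountEmail"),
                "audience": tok.get("audience") or http.get("uri")}
    return None


def summarize_jobs(jobs_json: str) -> list:
    """Parse the gcloud JSON listing into review rows.

    A row is flagged for review when an OAuth token is sent with the default
    cloud-platform scope: that token grants the target host the full SA power.
    """
    rows = []
    for job in json.loads(jobs_json):
        cred = attached_credential(job)
        rows.append({
            "job": job["name"].rsplit("/", 1)[-1],
            "state": job.get("state"),
            "target": target_type(job),
            "uri": (job.get("httpTarget") or {}).get("uri"),
            "credential": cred,
            "review": bool(cred and cred["kind"] == "oauth" and cred["scope_is_default"]),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_jobs(SAMPLE_JOBS_JSON):
        cred = row["credential"]
        who = f"{cred['kind']} as {cred['service_account']}" if cred else "no token"
        flag = "  <-- default cloud-platform scope, review target and narrow scope" if row["review"] else ""
        print(f"{row['job']:<16} {row['state']:<8} {row['target']:<16} {who}{flag}")
```

To run it against a real project, replace SAMPLE_JOBS_JSON with the output of the list command and repeat per location, since the listing is location-scoped. Jobs flagged for review are the ones where a cloud-platform-scoped OAuth token for the service account leaves the project on every run; restricting the scope or switching to an OIDC token bound to an explicit audience limits what a compromised or mis-pointed target can do with it.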

Privilege Escalation

GCP - Cloud Scheduler Privesc
