GCP - IAM, Principals & Org Policies Enum
Service Accounts
For an intro about what a service account is, check:
GCP - Basic Information
Enumeration
A service account always belongs to a project:
Users & Groups
For an intro about how Users & Groups work in GCP, check:
GCP - Basic Information
With the permissions serviceusage.services.enable and serviceusage.services.use it's possible to enable services in a project and use them.
Note that by default, Workspace users are granted the role Project Creator, giving them access to create new projects. When a user creates a project, they are granted the Owner role over it. So, they could enable these services on the project to be able to enumerate Workspace.
However, notice that it's also needed to have enough permissions in Workspace to be able to call these APIs.
If you can enable the admin service and your user has enough privileges in Workspace, you could enumerate all groups & users with the following lines. Even if it says identity groups, it also returns users without any groups:
In the previous examples the param --labels is required, so a generic value is used (it's not required if you use the API directly, like PurplePanda does here).
Even with the admin service enabled, it's possible that you get an error enumerating them because your compromised Workspace user doesn't have enough permissions:
IAM
Check this for basic information about IAM.
Default Permissions
From the docs: When an organization resource is created, all users in your domain are granted the Billing Account Creator and Project Creator roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.
These roles grant the following permissions:
Billing Account Creator: billing.accounts.create and resourcemanager.organizations.get
Project Creator: resourcemanager.organizations.get and resourcemanager.projects.create
Moreover, when a user creates a project, they are automatically granted the Owner role on that project according to the docs. Therefore, by default, a user will be able to create a project and run any service on it (miners? Workspace enumeration? ...)
The highest privilege in a GCP Organization is the Organization Administrator role.
set-iam-policy vs add-iam-policy-binding
In most of the services you will be able to change the permissions over a resource using the method add-iam-policy-binding or set-iam-policy. The main difference is that add-iam-policy-binding adds a new role binding to the existing IAM policy, while set-iam-policy replaces the whole policy: previously granted bindings are deleted and only the ones indicated in the command remain.
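To make the difference concrete, the following added example (not code from the original page or from Google) models the two operations on a constructed sample policy in the shape that get-iam-policy returns, plus a check that lists the bindings a set-iam-policy call would silently drop. Principals, project and etag values are invented placeholders.

```python
"""Model of add-iam-policy-binding (merge) vs set-iam-policy (replace)."""
import copy
from typing import Dict, List

# Constructed sample IAM policy (hypothetical principals, placeholder etag).
SAMPLE_POLICY: Dict = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
}


def add_iam_policy_binding(policy: Dict, role: str, member: str) -> Dict:
    """Like add-iam-policy-binding: keep every existing binding and add
    `member` to the binding for `role`, creating that binding if needed."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def set_iam_policy(current: Dict, supplied: Dict) -> Dict:
    """Like set-iam-policy: the supplied policy replaces the current one.
    Any binding absent from `supplied` no longer exists afterwards."""
    replaced = copy.deepcopy(supplied)
    # The real API rejects the write if the etag no longer matches the
    # stored policy; here we just carry the current etag over.
    replaced["etag"] = current.get("etag")
    return replaced


def dropped_bindings(before: Dict, after: Dict) -> List[str]:
    """Audit helper: '<role> <member>' pairs present before but not after.
    A non-empty result after a set-iam-policy call means grants were removed,
    which is what an operator should review before applying such a change."""
    def pairs(policy: Dict):
        return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}
    return sorted(f"{role} {member}" for role, member in pairs(before) - pairs(after))


if __name__ == "__main__":
    merged = add_iam_policy_binding(SAMPLE_POLICY, "roles/editor", "user:bob@example.com")
    print("dropped after add:", dropped_bindings(SAMPLE_POLICY, merged))
    replaced = set_iam_policy(SAMPLE_POLICY, {"bindings": merged["bindings"][-1:]})
    print("dropped after set:", dropped_bindings(SAMPLE_POLICY, replaced))
```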
Enumeration
cloudasset IAM Enumeration
There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service.
The permission cloudasset.assets.searchAllIamPolicies can request all the IAM policies inside a resource.
The permission cloudasset.assets.analyzeIamPolicy can request all the IAM policies of a principal inside a resource.
The permission cloudasset.assets.searchAllResources allows listing all resources of an organization, folder, or project, IAM-related resources (like roles) included.
The permission cloudasset.assets.analyzeMove can also be useful to retrieve policies affecting a resource like a project.
I suppose the permission cloudasset.assets.queryIamPolicy could also give access to find permissions of principals.
testIamPermissions enumeration
If you cannot access IAM information using the previous methods and you are in a Red Team, you could use the tool https://github.com/carlospolop/bf_my_gcp_perms to brute-force your current permissions.
However, note that the service cloudresourcemanager.googleapis.com needs to be enabled.
Privesc
In the following page you can check how to abuse IAM permissions to escalate privileges:
GCP - IAM Privesc
Unauthenticated Enum
GCP - IAM, Principals & Org Unauthenticated Enum
Post Exploitation
GCP - IAM Post Exploitation
Persistence
If you have high privileges you could:
Create new SAs (or users if in Workspace)
Give principals controlled by yourself more permissions
Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…)
…
Org Policies
For an intro about what Org Policies are, check:
GCP - Basic Information
The IAM policies indicate the permissions principals have over resources via roles, which are assigned granular permissions. Organization policies restrict how those services can be used or which features are disabled. This helps enforce least privilege for each resource in the GCP environment.
Privesc
In the following page you can check how to abuse org policies permissions to escalate privileges:
GCP - Orgpolicy Privesc