GCP - IAM, Principals & Org Policies Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Service Accounts

For an intro about what is a service account check:

GCP - Basic Information

Enumeration

A service account always belongs to a project:

gcloud iam service-accounts list --project <project>

Users & Groups

For an intro about how Users & Groups work in GCP check:

GCP - Basic Information

Enumeration

With the permissions serviceusage.services.enable and serviceusage.services.use it's possible to enable services in a project and use them.

Note that by default, Workspace users are granted the role Project Creator, giving them access to create new projects. When a user creates a project, he is granted the owner role over it. So, he could enable these services over the project to be able to enumerate Workspace.

However, notice that it's also needed to have enough permissions in Workspace to be able to call these APIs.

If you can enable the admin service and if your user has enough privileges in workspace, you could enumerate all groups & users with the following lines. Even if it says identity groups, it also returns users without any groups:

# Enable admin
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com

# Using admin.googleapis.com
## List all users
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>

# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email <email> --labels=cloudidentity.googleapis.com/groups.discussion_forum

## List Group Members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=<email>
### Make it transitive
gcloud identity groups memberships search-transitive-memberships --group-email=<email>

## Get a graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=<email> --labels=cloudidentity.googleapis.com/groups.discussion_forum

In the previous examples the param --labels is required, so a generic value is used (it's not requires if you used the API directly like PurplePanda does in here.

Even with the admin service enable, it's possible that you get an error enumerating them because your compromised workspace user doesn't have enough permissions:

IAM

Check this for basic information about IAM.

Default Permissions

From the docs: When an organization resource is created, all users in your domain are granted the Billing Account Creator and Project Creator roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.

These roles grant the permissions:

billing.accounts.create and resourcemanager.organizations.get
resourcemanager.organizations.get and resourcemanager.projects.create

Moreover, when a user creates a project, he is granted owner of that project automatically according to the docs. Therefore, by default, a user will be able to create a project and run any service on it (miners? Workspace enumeration? ...)

The highest privilege in a GCP Organization is the Organization Administrator role.

set-iam-policy vs add-iam-policy-binding

In most of the services you will be able to change the permissions over a resource using the method add-iam-policy-binding or set-iam-policy. The main difference is that add-iam-policy-binding adds a new role binding to the existent IAM policy while set-iam-policy will delete the previously granted permissions and set only the ones indicated in the command.

Enumeration

# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='

## Get perms and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>

# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>

# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>
## Grantable roles to a resource
gcloud iam list-grantable-roles <project URL>

cloudasset IAM Enumeration

There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service.

The permission cloudasset.assets.searchAllIamPolicies can request all the iam policies inside a resource.

gcloud asset search-all-iam-policies #By default uses current configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123

The permission cloudasset.assets.analyzeIamPolicy can request all the iam policies of a principal inside a resource.

# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
            --identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=<folder-id> \
            --identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=<project-name> \
            --identity='user:email@hacktricks.xyz'

The permission cloudasset.assets.searchAllResources allows listing all resources of an organization, folder, or project. IAM related resources (like roles) included.

gcloud asset search-all-resources --scope projects/<proj-name>
gcloud asset search-all-resources --scope folders/1234567
gcloud asset search-all-resources --scope organizations/123456

The permission cloudasset.assets.analyzeMove but be useful to also retrieve policies affecting a resource like a project

gcloud asset analyze-move --project=<proj-name> \
          --destination-organization=609216679593

I suppose the permission cloudasset.assets.queryIamPolicy could also give access to find permissions of principals

# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing

testIamPermissions enumeration

If you cannot access IAM information using the previous methods and you are in a Red Team. You could use the tool https://github.com/carlospolop/bf_my_gcp_perms to brute-force your current permissions.

However, note that the service cloudresourcemanager.googleapis.com needs to be enabled.

Privesc

In the following page you can check how to abuse IAM permissions to escalate privileges:

GCP - IAM Privesc

Unauthenticated Enum

GCP - IAM, Principals & Org Unauthenticated Enum

Post Exploitation

GCP - IAM Post Exploitation

Persistence

If you have high privileges you could:

Create new SAs (or users if in Workspace)
Give principals controlled by yourself more permissions
Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…)
…

Org Policies

For an intro about what Org Policies are check:

GCP - Basic Information

The IAM policies indicate the permissions principals has over resources via roles, which are assigned granular permissions. Organization policies restrict how those services can be used or which features are disabled. This helps in order to improve the least privilege of each resource in the GCP environment.

gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
gcloud resource-manager org-policies list --folder=FOLDER_ID
gcloud resource-manager org-policies list --project=PROJECT_ID

Privesc

In the following page you can check how to abuse org policies permissions to escalate privileges:

GCP - Orgpolicy Privesc

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Firestore Enum NextGCP - KMS Enum

Last updated 4 months ago