Links

GCP - Secrets Manager Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Secret Manager

Google Secret Manager is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data.
A secret can have different versions storing different data.
Secrets by default are encrypted using a Google managed key, but it's possible to select a key from KMS to use to encrypt the secret.
Regarding rotation, it's possible to configure messages to be sent to pub-sub every number of days, the code listening to those messages can rotate the secret.
It's possible to configure a day for automatic deletion, when the indicated day is reached, the secret will be automatically deleted.

Enumeration

# First, list the entries
gcloud secrets list
gcloud secrets get-iam-policy <secret_name>
# Then, pull the clear-text of any version of any secret
gcloud secrets versions list <secret_name>
gcloud secrets versions access 1 --secret="<secret_name>"

Privilege Escalation

In the following page you can check how to abuse secretmanager permissions to escalate privileges.

Post Exploitation

Persistence

Rotation misuse

An attacker could update the secret to stop rotations (so it won't be modified), or make rotations much less often (so the secret won't be modified) or to publish the rotation message to a different pub/sub, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service)
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: