GCP - Secrets Manager Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Secret Manager

Google Secret Manager is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data.

A secret can have different versions storing different data.

Secrets by default are encrypted using a Google managed key, but it's possible to select a key from KMS to use to encrypt the secret.

Regarding rotation, it's possible to configure a message to be sent to a Pub/Sub topic every N days; the code listening to those messages can then rotate the secret.

It's possible to configure a date for automatic deletion; when the indicated date is reached, the secret is deleted automatically.

Enumeration

# First, list the entries
gcloud secrets list
gcloud secrets get-iam-policy <secret_name>

# Then, pull the clear-text of any version of any secret
gcloud secrets versions list <secret_name>
gcloud secrets versions access 1 --secret="<secret_name>"

Privilege Escalation

In the following page you can check how to abuse secretmanager permissions to escalate privileges.

GCP - Secretmanager Privesc

Post Exploitation

GCP - Secretmanager Post Exploitation

Persistence

GCP - Secret Manager Persistence

Rotation misuse

An attacker could update the secret to stop rotations (so it won't be modified), make rotations much less frequent (so the secret won't be modified for a long time), publish the rotation message to a different Pub/Sub topic, or modify the rotation code itself (this runs in a different service, probably a Cloud Function, so the attacker would need privileged access over that Cloud Function or whichever service executes the rotation).
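The following is an added defender-side example, not code from HackTricks or from Google, that serves both the enumeration section above and this rotation section: it audits the metadata that `gcloud secrets describe --format=json` and `gcloud secrets get-iam-policy --format=json` return and flags the conditions just described (no rotation schedule, a very long rotation period, a rotation topic in a foreign project, a scheduled expiry) plus public IAM bindings. The field names (`rotation.rotationPeriod`, `rotation.nextRotationTime`, `topics`, `expireTime`, `bindings`) are those of the Secret Manager REST resource; the sample records, the project names and the 90-day threshold are constructed for the example.

```python
"""Audit Secret Manager metadata for weak rotation, expiry and IAM settings.

Added example, not from the page or from Google. Input shapes follow the
Secret Manager REST `Secret` resource and IAM `Policy` as printed by
  gcloud secrets describe <name> --format=json
  gcloud secrets get-iam-policy <name> --format=json
All sample data below is constructed, not captured from a real project.
"""
import json
import re

# Constructed sample: three hypothetical secrets in project "example-project".
SAMPLE_SECRETS = json.loads("""
[
  {"name": "projects/example-project/secrets/db-password",
   "createTime": "2024-01-10T09:00:00Z",
   "rotation": {"nextRotationTime": "2024-02-09T09:00:00Z",
                "rotationPeriod": "2592000s"},
   "topics": [{"name": "projects/example-project/topics/secret-rotation"}],
   "replication": {"automatic": {}}},
  {"name": "projects/example-project/secrets/api-key",
   "createTime": "2023-06-01T12:00:00Z",
   "rotation": {"nextRotationTime": "2025-06-01T12:00:00Z",
                "rotationPeriod": "31536000s"},
   "topics": [{"name": "projects/other-project/topics/rotate"}],
   "replication": {"automatic": {}}},
  {"name": "projects/example-project/secrets/legacy-cert",
   "createTime": "2022-03-03T08:00:00Z",
   "expireTime": "2024-12-31T00:00:00Z",
   "replication": {"automatic": {}}}
]
""")

# Constructed sample: IAM policy of the hypothetical "api-key" secret.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/secretmanager.secretAccessor",
    "members": ["allAuthenticatedUsers",
                "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
   {"role": "roles/secretmanager.admin",
    "members": ["user:alice@example.com"]}],
 "etag": "BwXexampleEtag"}
""")

MAX_ROTATION_SECONDS = 90 * 24 * 3600   # assumed policy threshold: 90 days
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def project_of(resource_name):
    """'projects/<p>/secrets/<s>' or 'projects/<p>/topics/<t>' -> '<p>'."""
    return resource_name.split("/")[1]


def rotation_findings(secret):
    """Return a list of finding strings for one Secret resource dict."""
    name = secret["name"]
    project = project_of(name)
    findings = []
    rotation = secret.get("rotation")
    if not rotation:
        findings.append(f"{name}: no rotation schedule configured")
    else:
        period = rotation.get("rotationPeriod", "")
        m = re.fullmatch(r"(\d+)s", period)       # API encodes durations as "<n>s"
        if not m:
            findings.append(f"{name}: rotation period missing or malformed ({period!r})")
        elif int(m.group(1)) > MAX_ROTATION_SECONDS:
            days = int(m.group(1)) // 86400
            findings.append(f"{name}: rotation period {days}d exceeds threshold")
        # A schedule with no Pub/Sub topic attached never reaches the rotation code.
        if not secret.get("topics"):
            findings.append(f"{name}: rotation configured but no Pub/Sub topic attached")
    for topic in secret.get("topics", []):
        # Rotation notifications delivered outside the project are a redirection sign.
        if project_of(topic["name"]) != project:
            findings.append(f"{name}: rotation topic {topic['name']} lives in another project")
    if "expireTime" in secret:
        findings.append(f"{name}: automatic deletion scheduled for {secret['expireTime']}")
    return findings


def iam_findings(secret_name, policy):
    """Flag bindings that grant any secretmanager role to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{secret_name}: {binding['role']} granted to {member}")
    return findings


def audit(secrets, policies):
    """Map secret name -> findings; `policies` maps short name -> IAM policy."""
    report = {}
    for secret in secrets:
        short = secret["name"].rsplit("/", 1)[-1]
        report[short] = rotation_findings(secret) + iam_findings(short, policies.get(short, {}))
    return report


if __name__ == "__main__":
    for name, items in audit(SAMPLE_SECRETS, {"api-key": SAMPLE_POLICY}).items():
        print(name, "->", items or "OK")
```

To use it against a real project, feed the script the JSON from `gcloud secrets list --format=json` (or one `describe` per secret) and one `get-iam-policy` per secret; a secret whose rotation period suddenly grows, whose topic moves to another project, or whose schedule disappears between two runs is exactly the change described above.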
