GWS - Post Exploitation
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
By default in Workspace, a group can be freely accessed by any member of the organization. Workspace also allows granting permissions to groups (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may abuse that path to escalate privileges.
You potentially need access to the console to join groups that allow anyone in the org to join. Check group information in https://groups.google.com/all-groups.
If you managed to compromise a Google user session, from https://groups.google.com/all-groups you can see the history of mails sent to the mail groups the user is a member of, and you might find credentials or other sensitive data.
If you have a session inside the victim's Google account, you can download everything Google saves about that account from https://takeout.google.com
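A defender can check for this path by cross-referencing group join settings with IAM bindings. The following is an added example, not code from the original page: it assumes group settings exported from the Groups Settings API (the `whoCanJoin` field) and IAM policies in the JSON shape that `gcloud projects get-iam-policy --format=json` produces, and every group name, project and role in it is constructed sample data.

```python
# Added example: audit for self-joinable groups that carry GCP IAM roles.
# All group names, projects and roles below are constructed sample input.

# Groups Settings API "whoCanJoin" values that let a user join without approval.
SELF_JOIN = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}

# Constructed sample: group email -> settings as returned by the Groups Settings API.
GROUP_SETTINGS = {
    "devs@example.com": {"whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
    "gcp-admins@example.com": {"whoCanJoin": "INVITED_CAN_JOIN"},
    "data-team@example.com": {"whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
    "social@example.com": {"whoCanJoin": "ANYONE_CAN_JOIN"},
}

# Constructed sample: per-project IAM policies (get-iam-policy JSON shape).
IAM_POLICIES = {
    "prod-project": {"bindings": [
        {"role": "roles/owner", "members": ["group:gcp-admins@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["group:Data-Team@example.com", "user:a@example.com"]},
    ]},
    "dev-project": {"bindings": [
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ]},
}

def roles_by_group(policies):
    """Map each group email (lowercased) to the (project, role) pairs it holds."""
    grants = {}
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                kind, _, email = member.partition(":")
                if kind == "group":
                    grants.setdefault(email.lower(), []).append((project, binding["role"]))
    return grants

def risky_groups(settings, policies):
    """Return self-joinable groups that hold at least one IAM role, sorted by email."""
    grants = roles_by_group(policies)
    findings = []
    for email, cfg in sorted(settings.items()):
        held = grants.get(email.lower(), [])
        if cfg.get("whoCanJoin") in SELF_JOIN and held:
            findings.append({"group": email, "whoCanJoin": cfg["whoCanJoin"],
                             "grants": sorted(held)})
    return findings

if __name__ == "__main__":
    for f in risky_groups(GROUP_SETTINGS, IAM_POLICIES):
        print(f["group"], f["whoCanJoin"], f["grants"])
```

Nested group membership and IAM conditions are not evaluated here, so a group that only inherits roles through a parent group will not be flagged.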
If an organization has Google Vault enabled, you might be able to access https://vault.google.com and download all the information.
From https://contacts.google.com you can download all the contacts of the user.
In https://cloudsearch.google.com/ you can just search through all the Workspace content (email, drive, sites...) a user has access to. Ideal to quickly find sensitive information.
In https://mail.google.com/chat you can access Google Chat, and you might find sensitive information in the conversations (if any).
When sharing a document, you can specify the people that can access it one by one, or share it with your entire company (or with some specific groups) by generating a link.
When sharing a document, in the advanced settings you can also allow people to search for this file (by default this is disabled). However, it's important to note that once a user views a document, it's searchable by them.
For the sake of simplicity, most people will generate and share a link instead of adding the people that can access the document one by one.
Some proposed ways to find all the documents:
Search in internal chat, forums...
Spider known documents, searching for references to other documents. You can do this within an Apps Script with PaperChaser.
In https://keep.google.com/ you can access the notes of the user; sensitive information might be saved in here.
In https://script.google.com/ you can find the Apps Scripts of the user.
In https://admin.google.com/, you might be able to modify the Workspace settings of the whole organization if you have enough permissions.
You can also find emails by searching through all the user's invoices in https://admin.google.com/ac/emaillogsearch
https://www.youtube-nocookie.com/embed/6AsVUS79gLw - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
https://www.youtube.com/watch?v=KTVHLolz6cE - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?