GWS - Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Google Groups Privesc

By default in Workspace, a group can be freely accessed by any member of the organization. Workspace also allows granting permissions to groups (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may abuse that path to escalate privileges.

You potentially need access to the console to join groups that can be joined by anyone in the org. Check the groups' information at https://groups.google.com/all-groups.

Access Groups Mail info

If you managed to compromise a Google user session, from https://groups.google.com/all-groups you can see the history of mails sent to the mail groups the user is a member of, and you might find credentials or other sensitive data.
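
A defender-side check for the two group issues above, as an added example that is not part of the original page: it cross-references group settings (the `whoCanJoin` and `whoCanViewGroup` fields of the Groups Settings API) with GCP IAM policy bindings, listing groups that anyone in the domain can join and that also hold IAM roles, plus groups whose conversations non-members can read. The group names, projects and finding labels are constructed for illustration.

```python
# Added audit example; all sample data below is constructed.
OPEN_JOIN = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}
OPEN_VIEW = {"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"}

# Constructed sample: per-group settings in Groups Settings API field names.
GROUP_SETTINGS = [
    {"email": "devops@example.com", "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"},
    {"email": "billing@example.com", "whoCanJoin": "INVITED_CAN_JOIN",
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW"},
    {"email": "sec-admins@example.com", "whoCanJoin": "INVITED_CAN_JOIN",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"},
    {"email": "social@example.com", "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW"},
]

# Constructed sample: GCP IAM policies keyed by resource (get-iam-policy JSON shape).
IAM_POLICIES = {
    "projects/prod-example": {"bindings": [
        {"role": "roles/editor", "members": ["group:devops@example.com", "user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:billing@example.com"]},
    ]},
    "projects/sec-example": {"bindings": [
        {"role": "roles/owner", "members": ["group:sec-admins@example.com"]},
    ]},
}

def roles_by_group(policies):
    """Map group email -> sorted list of (resource, role) granted to that group."""
    grants = {}
    for resource, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                kind, _, ident = member.partition(":")
                if kind == "group":
                    grants.setdefault(ident.lower(), []).append((resource, binding["role"]))
    return {group: sorted(items) for group, items in grants.items()}

def audit(groups, policies):
    """Return (group, issue, detail) findings; issue labels are this example's own."""
    grants, findings = roles_by_group(policies), []
    for g in groups:
        email = g["email"].lower()
        if g.get("whoCanJoin") in OPEN_JOIN and email in grants:
            findings.append((email, "open-join-with-iam", grants[email]))
        if g.get("whoCanViewGroup") in OPEN_VIEW:
            findings.append((email, "conversations-readable-by-non-members", []))
    return findings
```

Groups reported as `open-join-with-iam` are the ones to restrict to invitation-only or to strip of their role bindings first.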

GCP <--> GWS Pivoting

See the GCP <--> Workspace Pivoting page.

Takeout - Download Everything Google Knows about an account

If you have a session inside a victim's Google account, you can download everything Google saves about that account from https://takeout.google.com

Vault - Download all the Workspace data of users

If an organization has Google Vault enabled, you might be able to access https://vault.google.com and download all the information.

Contacts download

From https://contacts.google.com you can download all the contacts of the user.

Cloudsearch

In https://cloudsearch.google.com/ you can just search through all the Workspace content (email, drive, sites...) a user has access to. Ideal to quickly find sensitive information.

Google Chat

In https://mail.google.com/chat you can access the user's Google Chat, and you might find sensitive information in the conversations (if any).

Google Drive Mining

When sharing a document, you can either specify the people that can access it one by one, or share it with your entire company (or with some specific groups) by generating a link.

When sharing a document, in the advanced settings you can also allow people to search for this file (by default this is disabled). However, it's important to note that once a user views a document, it's searchable by them.

For the sake of simplicity, most people will generate and share a link instead of adding the people that can access the document one by one.

Some proposed ways to find all the documents:

  • Search in internal chat, forums...

  • Spider known documents, searching for references to other documents. You can do this within an Apps Script with PaperChaser.

Keep Notes

In https://keep.google.com/ you can access the notes of the user; sensitive information might be saved there.

Modify App Scripts

In https://script.google.com/ you can find the Apps Scripts of the user.

Administrate Workspace

In https://admin.google.com/, you might be able to modify the Workspace settings of the whole organization if you have enough permissions.

You can also find emails by searching through all the user's invoices in https://admin.google.com/ac/emaillogsearch
