gcp-cloudfunctions-privesc.md

GCP - Cloudfunctions Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

cloudfunctions

More information about Cloud Functions:

{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-functions-enum.md" %} gcp-cloud-functions-enum.md {% endcontent-ref %}

cloudfunctions.functions.create , cloudfunctions.functions.sourceCodeSet, iam.serviceAccounts.actAs

An attacker with these privileges can create a new Cloud Function with arbitrary (malicious) code and assign it a Service Account. Then, leak the Service Account token from the metadata to escalate privileges to it.
Some privileges to trigger the function might be required.

Exploit scripts for this method can be found here and here and the prebuilt .zip file can be found here.

cloudfunctions.functions.update , cloudfunctions.functions.sourceCodeSet, iam.serviceAccounts.actAs

An attacker with these privileges can modify the code of a Function and even modify the service account attached with the goal of exfiltrating the token.
Some privileges to trigger the function might be required.

The exploit script for this method can be found here.

cloudfunctions.functions.sourceCodeSet

With this permission you can get a signed URL to be able to upload a file to a function bucket (but the code of the function won't be changed, you still need to update it)

{% code overflow="wrap" %}

# Generate the URL
curl -X POST https://cloudfunctions.googleapis.com/v2/projects/{project-id}/locations/{location}/functions:generateUploadUrl \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json" \
-d '{}'

{% endcode %}

Not really sure how useful only this permission is from an attackers perspective, but good to know.

cloudfunctions.functions.setIamPolicy , iam.serviceAccounts.actAs

Give yourself any of the previous .update or .create privileges to escalate.

cloudfunctions.functions.update

Only having cloudfunctions permissions, without iam.serviceAccounts.actAs you won't be able to update the function SO THIS IS NOT A VALID PRIVESC.

Bucket Write Permissions

An attacker with write permissions over the bucket where the Cloud Functions code is stored will be able to modify the code overwriting the function_code.zip and will be able to execute arbitrary code once it's executed.

References

• https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.