Open danthegoodman1 opened 4 years ago
Yup, this is a good callout. Believe it or not, cloudbuild is actually a new requirement. The projects I tested on didn't have Cloud Build enabled, but yesterday the error started getting thrown. I think it may also lead to a second privilege escalation that's worth taking a look at, since in the build steps of cloudbuild you have access to the Cloud Build Google-managed service account, which has elevated permissions. We covered this in our BSides talk: https://youtu.be/z5hPU3g2aZ8?t=1319
Yeah, there are also a bunch of other priv. esc. techniques that can also be used for lateral movement. Check this list of them: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
I've tested using their scripts with the tokens pulled from gcploit's sqlite3 DB and it works well. I might make some PRs soon adding some of these in!
It would be nice if gcploit got support for fetching Google-managed service account creds. Maybe I'll add it as a wish to the README.
Function deployments require the Cloud Build API to be enabled. If possible, part of the steps in actas should be to make sure the API is enabled. Additionally, with Dataproc, it should, if possible, try to enable the Dataproc API.
I may be able to dig in and understand the codebase to make a PR later on but wanted to suggest it regardless!