I found a GCP service account token…now what?
Google Cloud Platform (GCP) is rapidly growing in popularity and i haven’t seen too many posts on f**king it up so I’m going to do at least one 🙂
Google has several ways to do authentication but most likely what you are going to come across shoved into code somewhere or in a dotfiles is a service account json file.
It’s going to look similar to this:
These service account files are similar to AWS tokens in that it can be difficult to determine what they have access to if you don’t already have console and/or IAM access. However with a little bit of scripting we can brute force at least some of the token’s functionality pretty quickly. The issue being service accounts for something like GCP compute looks the same as one you made to manage your calendar or one of the 100’s of other Google services.
You’ll need to install the gcloud tools for you OS. Info here: https://cloud.google.com/sdk/
Once you have the gcloud suite of tools installed you can auth with the json file with the following command:
gcloud auth activate-service-account –key-file=KEY_FILE
If they key is invalid you’ll see something like the below:
gcloud auth activate-service-account –key-file=21.json
ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: invalid_grant: Not a valid email or user ID.
Otherwise it will look similar to below:
gcloud auth activate-service-account –key-file=/Users/CG/Documents/pentest/gcp-weirdaal/gcp.json
Activated service account credentials for: [[email protected]]
you can validate it worked by issuing gcloud auth list command:
gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
https://github.com/nccgroup/G-Scout
and
https://github.com/nccgroup/ScoutSuite
enjoy
CG
*** This is a Security Bloggers Network syndicated blog from Carnal0wnage & Attack Research Blog authored by CG. Read the original post at: http://carnal0wnage.attackresearch.com/2019/01/i-found-gcp-service-account-tokennow.html