gcp-serviceusage-privesc.md

GCP - Serviceusage Privesc

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

serviceusage

The following permissions are useful to create and steal API keys, not this from the docs: An API key is a simple encrypted string that identifies an application without any principal. They are useful for accessing public data anonymously, and are used to associate API requests with your project for quota and billing.

Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.

To learn other permissions and ways to generate API keys check:

{% content-ref url="gcp-apikeys-privesc.md" %} gcp-apikeys-privesc.md {% endcontent-ref %}

serviceusage.apiKeys.create

An undocumented API was found that can be used to create API keys:

{% code overflow="wrap" %}

curl -XPOST "https://apikeys.clients6.google.com/v1/projects/<project-uniq-name>/apiKeys?access_token=$(gcloud auth print-access-token)"

{% endcode %}

serviceusage.apiKeys.list

Another undocumented API was found for listing API keys that have already been created (the API keys appears in the response):

{% code overflow="wrap" %}

curl "https://apikeys.clients6.google.com/v1/projects/<project-uniq-name>/apiKeys?access_token=$(gcloud auth print-access-token)"

{% endcode %}

serviceusage.services.enable , serviceusage.services.use

With these permissions an attacker can enable and use new services in the project. This could allow an attacker to enable service like admin or cloudidentity to try to access Workspace information, or other services to access interesting data.

References

• https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo****

.