Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team.
https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
Last synced: about 1 month ago
JSON representation
A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team.
- Host: GitHub
- URL: https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
- Owner: RhinoSecurityLabs
- License: bsd-3-clause
- Created: 2020-04-27T15:31:03.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-04-18T16:00:59.000Z (8 months ago)
- Last Synced: 2024-08-02T00:23:32.718Z (4 months ago)
- Language: Python
- Size: 43 KB
- Stars: 333
- Watchers: 9
- Forks: 73
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-cloud-sec - GCP-IAM-Privilege-Escalation - - A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team. (Other Awesome Lists / Subdomain Takeover)
- awesome-cloud-security - 地址 - IAM-Privilege-Escalation) `由「da Vinci【达文西】」师傅补充,感谢支持` (0x02 工具 :hammer_and_wrench: / 1 云服务工具)
README
# IAM Privilege Escalation in GCP
## Table of Contents
- The `PrivEscScanner` Folder
- Contains a permissions enumerator for all members in a GCP account and an associated privilege escalation scanner that reviews the permissions in search of privilege escalation vulnerabilities.
- First run [enumerate_member_permissions.py](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/PrivEscScanner/enumerate_member_permissions.py) to enumerate all members and permissions and then run [check_for_privesc.py](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/PrivEscScanner/check_for_privesc.py) to check for privilege escalation in the environment.
- The `ExploitScripts` Folder
- Contains exploit scripts for each of the privilege escalation methods outlined in the blog post, as well as a Cloud Function and Docker image for some of the methods that require them.For more information on these privilege escalation methods, how to exploit them, the permissions they require, and more, see the blog posts on our website: [Part 1](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) and [Part 2](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/)
## Current List of GCP IAM Privilege Escalation Methods
1. `cloudbuilds.builds.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/working-as-intendedrce-to-iam-privilege-escalation-in-gcp)
2. `deploymentmanager.deployments.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
3. `iam.roles.update`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.roles.update.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
4. `iam.serviceAccounts.getAccessToken`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getAccessToken.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
5. `iam.serviceAccountKeys.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccountKeys.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
6. `iam.serviceAccounts.implicitDelegation`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.implicitDelegation.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
7. `iam.serviceAccounts.signBlob`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.signBlob-accessToken.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
8. `iam.serviceAccounts.signJwt`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.signJWT.py) / [Blog Post]()
9. `cloudfunctions.functions.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.create-call.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
10. `cloudfunctions.functions.update`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.update.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
11. `compute.instances.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/compute.instances.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
12. `run.services.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/run.services.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
13. `cloudscheduler.jobs.create`: [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
14. `orgpolicy.policy.set`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/)
15. `storage.hmacKeys.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/)
16. `serviceusage.apiKeys.create`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.create.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/)
17. `serviceusage.apiKeys.list`: [Script](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.list.py) / [Blog Post](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/)