Skip to content

Latest commit

 

History

History
105 lines (71 loc) · 5.95 KB

File metadata and controls

105 lines (71 loc) · 5.95 KB

GCP - Apikeys Privesc

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Apikeys

The following permissions are useful to create and steal API keys, not this from the docs: An API key is a simple encrypted string that identifies an application without any principal. They are useful for accessing public data anonymously, and are used to associate API requests with your project for quota and billing.

Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.

For more information about API Keys check:

{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %} gcp-api-keys-enum.md {% endcontent-ref %}

For other ways to create API keys check:

{% content-ref url="gcp-serviceusage-privesc.md" %} gcp-serviceusage-privesc.md {% endcontent-ref %}

Brute Force API Key access

As you might not know which APIs are enabled in the project or the restrictions applied to the API key you found, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.

apikeys.keys.create

This permission allows to create an API key:

gcloud services api-keys create
Operation [operations/akmf.p7-[...]9] complete. Result: {
    "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
    "createTime":"2022-01-26T12:23:06.281029Z",
    "etag":"W/\"HOhA[...]==\"",
    "keyString":"AIzaSy[...]oU",
    "name":"projects/5[...]6/locations/global/keys/f707[...]e8",
    "uid":"f707[...]e8",
    "updateTime":"2022-01-26T12:23:06.378442Z"
}

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

{% hint style="danger" %} Note that by default users have permissions to create new projects adn they are granted Owner role over the new project. So a user could create a project and an API key inside this project. {% endhint %}

apikeys.keys.getKeyString , apikeys.keys.list

These permissions allows list and get all the apiKeys and get the Key:

for  key  in  $(gcloud services api-keys list --uri); do
	gcloud services api-keys get-key-string "$key"
done

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

apikeys.keys.undelete , apikeys.keys.list

These permissions allow you to list and regenerate deleted api keys. The API key is given in the output after the undelete is done:

gcloud services api-keys list --show-deleted
gcloud services api-keys undelete <key-uid>

Create Internal OAuth Application to phish other workers

Check the following page to learn how to do this, although this action belongs to the service clientauthconfig according to the docs:

{% content-ref url="../../workspace-security/gws-google-platforms-phishing/" %} gws-google-platforms-phishing {% endcontent-ref %}

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}