{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For more information about Cloud Build check:
{% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} gcp-cloud-build-enum.md {% endcontent-ref %}
If you compromise write access over a repository containing a file named cloudbuild.yml
, you could backdoor this file, which specifies the commands that are going to be executed inside a Cloud Build and exfiltrate the secrets, compromise what is done and also compromise the Cloud Build service account.
{% hint style="info" %} Note that GCP has the option to allow administrators to control the execution of build systems from external PRs via "Comment Control". Comment Control is a feature where collaborators/project owners need to comment “/gcbrun” to trigger the build against the PR and using this feature inherently prevents anyone on the internet from triggering your build systems. {% endhint %}
For some related information you could check the page about how to attack Github Actions (similar to this):
{% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %} abusing-github-actions {% endcontent-ref %}
When the trigger is PR because anyone can perform PRs to public repositories it would be very dangerous to just allow the execution of the trigger with any PR. Therefore, by default, the execution will only be automatic for owners and collaborators, and in order to execute the trigger with other users PRs an owner or collaborator must comment /gcbrun
.
{% hint style="danger" %}
Therefore, is this is set to Not required
, an attacker could perform a PR to the branch that will trigger the execution adding the malicious code execution to the cloudbuild.yml
file and compromise the cloudbuild execution (note that cloudbuild will download the code FROM the PR, so it will execute the malicious cloudbuild.yml
).
{% endhint %}
Moreover, it's easy to see if some cloudbuild execution needs to be performed when you send a PR because it appears in Github:
{% hint style="warning" %} Then, even if the cloudbuild is not executed the attacker will be able to see the project name of a GCP project that belongs to the company. {% endhint %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.