hacktricks/cloud-security/gcp-security/gcp-buckets-enumeration.md

# GCP - Buckets Enumeration

Default configurations permit read access to storage. This means that you may **enumerate ALL storage buckets in the project**, including **listing** and **accessing** the contents inside.

This can be a MAJOR vector for privilege escalation, as those buckets can contain secrets.

The following commands will help you explore this vector:

```bash
# List all storage buckets in project
gsutil ls

# Get detailed info on all buckets in project
gsutil ls -L

# List contents of a specific bucket (recursive, so careful!)
gsutil ls -r gs://bucket-name/

# Cat the context of a file without copying it locally
gsutil cat gs://bucket-name/folder/object

# Copy an object from the bucket to your local storage for review
gsutil cp gs://bucket-name/folder/object ~/
```

If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:

```bash
for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done
```

### Search Open Buckets

With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_buckets.sh) you can find all the open buckets:

```bash
#!/bin/bash

#############################
# Run this tool to find buckets that are open to the public anywhere
# in your GCP organization.
#
# Enjoy!
#############################

for proj in $(gcloud projects list --format="get(projectId)"); do
    echo "[*] scraping project $proj"
    for bucket in $(gsutil ls -p $proj); do
        echo "    $bucket"
        ACL="$(gsutil iam get $bucket)"

        all_users="$(echo $ACL | grep allUsers)"
        all_auth="$(echo $ACL | grep allAuthenticatedUsers)"

        if [ -z "$all_users" ]
        then
              :
        else
              echo "[!] Open to all users: $bucket"
        fi

        if [ -z "$all_auth" ]
        then
              :
        else
              echo "[!] Open to all authenticated users: $bucket"
        fi
    done

```
GitBook: [#2814] gcp update 2021-10-28 10:44:24 +00:00			`# GCP - Buckets Enumeration`

			`Default configurations permit read access to storage. This means that you may enumerate ALL storage buckets in the project, including listing and accessing the contents inside.`

			`This can be a MAJOR vector for privilege escalation, as those buckets can contain secrets.`

			`The following commands will help you explore this vector:`

			```bash
			`# List all storage buckets in project`
			`gsutil ls`

			`# Get detailed info on all buckets in project`
			`gsutil ls -L`

			`# List contents of a specific bucket (recursive, so careful!)`
			`gsutil ls -r gs://bucket-name/`

			`# Cat the context of a file without copying it locally`
			`gsutil cat gs://bucket-name/folder/object`

			`# Copy an object from the bucket to your local storage for review`
			`gsutil cp gs://bucket-name/folder/object ~/`
			```

			`If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:`

			```bash
			`for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done`
			```

			`### Search Open Buckets`

			`With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_buckets.sh) you can find all the open buckets:`

			```bash
			`#!/bin/bash`

			`#############################`
			`# Run this tool to find buckets that are open to the public anywhere`
			`# in your GCP organization.`
			`#`
			`# Enjoy!`
			`#############################`

			`for proj in $(gcloud projects list --format="get(projectId)"); do`
			`echo "[*] scraping project $proj"`
			`for bucket in $(gsutil ls -p $proj); do`
			`echo " $bucket"`
			`ACL="$(gsutil iam get $bucket)"`

			`all_users="$(echo $ACL \| grep allUsers)"`
			`all_auth="$(echo $ACL \| grep allAuthenticatedUsers)"`

			`if [ -z "$all_users" ]`
			`then`
			`:`
			`else`
			`echo "[!] Open to all users: $bucket"`
			`fi`

			`if [ -z "$all_auth" ]`
			`then`
			`:`
			`else`
			`echo "[!] Open to all authenticated users: $bucket"`
			`fi`
			`done`

			```