hacktricks/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md

# GCP - Buckets: Brute-Force, Privilege Escalation & Enumeration

## Brute-Force

As other clouds, GCP also offers Buckets to its users. These buckets might be  (to list the content, read, write...).

![](<../../.gitbook/assets/image (628).png>)

The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:

* [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute)
* [https://github.com/initstring/cloud\_enum](https://github.com/initstring/cloud\_enum)

## Privilege Escalation

If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy **(the **storage.buckets.setIamPolicy** permission)**, **then anyone can modify the bucket policy and grant himself full access.

### Check Permissions

There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`.

However, if your user (potentially belonging to allUsers or allAuthenticatedUsers") doesn't have permissions to read the iam policy of the bucket (storage.buckets.getIamPolicy), that won't work.

The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update`

### Escalating

With the “gsutil” Google Storage CLI program, we can run the following command to grant “allAuthenticatedUsers” access to the “Storage Admin” role, thus **escalating the privileges we were granted** to the bucket:

```
gsutil iam ch group:allAuthenticatedUsers:admin gs://BUCKET_NAME
```

One of the main attractions to escalating from a LegacyBucketOwner to Storage Admin is the ability to use the “storage.buckets.delete” privilege. In theory, you could **delete the bucket after escalating your privileges, then you could create the bucket in your own account to steal the name**.

## Authenticated Enumeration

Default configurations permit read access to storage. This means that you may **enumerate ALL storage buckets in the project**, including **listing** and **accessing** the contents inside.

This can be a MAJOR vector for privilege escalation, as those buckets can contain secrets.

The following commands will help you explore this vector:

```bash
# List all storage buckets in project
gsutil ls

# Get detailed info on all buckets in project
gsutil ls -L

# List contents of a specific bucket (recursive, so careful!)
gsutil ls -r gs://bucket-name/

# Cat the context of a file without copying it locally
gsutil cat gs://bucket-name/folder/object

# Copy an object from the bucket to your local storage for review
gsutil cp gs://bucket-name/folder/object ~/
```

If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:

```bash
for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done
```

## References

* [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/)
GitBook: [#2809] update 2021-10-26 14:34:07 +00:00			`# GCP - Buckets: Brute-Force, Privilege Escalation & Enumeration`
GitBook: [#2803] GCP databases 2021-10-25 14:30:32 +00:00
			`## Brute-Force`
GitBook: [#2786] soo slow 2021-10-19 15:58:02 +00:00
			`As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).`

GitBook: [#2809] update 2021-10-26 14:34:07 +00:00			`![](<../../.gitbook/assets/image (628).png>)`

GitBook: [#2786] soo slow 2021-10-19 15:58:02 +00:00			`The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:`

			`* [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute)`
			`* [https://github.com/initstring/cloud\_enum](https://github.com/initstring/cloud\_enum)`

			`## Privilege Escalation`

			`If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to write to their bucket policy (the storage.buckets.setIamPolicy permission), then anyone can modify the bucket policy and grant himself full access.`

			`### Check Permissions`

			There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`.

			`However, if your user (potentially belonging to allUsers or allAuthenticatedUsers") doesn't have permissions to read the iam policy of the bucket (storage.buckets.getIamPolicy), that won't work.`

			The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update`

			`### Escalating`

			`With the “gsutil” Google Storage CLI program, we can run the following command to grant “allAuthenticatedUsers” access to the “Storage Admin” role, thus escalating the privileges we were granted to the bucket:`

			```
			`gsutil iam ch group:allAuthenticatedUsers:admin gs://BUCKET_NAME`
			```

			`One of the main attractions to escalating from a LegacyBucketOwner to Storage Admin is the ability to use the “storage.buckets.delete” privilege. In theory, you could delete the bucket after escalating your privileges, then you could create the bucket in your own account to steal the name.`

GitBook: [#2803] GCP databases 2021-10-25 14:30:32 +00:00			`## Authenticated Enumeration`

			`Default configurations permit read access to storage. This means that you may enumerate ALL storage buckets in the project, including listing and accessing the contents inside.`

			`This can be a MAJOR vector for privilege escalation, as those buckets can contain secrets.`

			`The following commands will help you explore this vector:`

			```bash
			`# List all storage buckets in project`
			`gsutil ls`

			`# Get detailed info on all buckets in project`
			`gsutil ls -L`

			`# List contents of a specific bucket (recursive, so careful!)`
			`gsutil ls -r gs://bucket-name/`

			`# Cat the context of a file without copying it locally`
			`gsutil cat gs://bucket-name/folder/object`

			`# Copy an object from the bucket to your local storage for review`
			`gsutil cp gs://bucket-name/folder/object ~/`
			```

			`If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:`

			```bash
			`for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done`
			```

GitBook: [#2786] soo slow 2021-10-19 15:58:02 +00:00			`## References`

			`* [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/)`