71 lines
2.1 KiB
Markdown
71 lines
2.1 KiB
Markdown
|
# GCP - Buckets Enumeration
|
||
|
|
||
|
Default configurations permit read access to storage. This means that you may **enumerate ALL storage buckets in the project**, including **listing** and **accessing** the contents inside.
|
||
|
|
||
|
This can be a MAJOR vector for privilege escalation, as those buckets can contain secrets.
|
||
|
|
||
|
The following commands will help you explore this vector:
|
||
|
|
||
|
```bash
|
||
|
# List all storage buckets in project
|
||
|
gsutil ls
|
||
|
|
||
|
# Get detailed info on all buckets in project
|
||
|
gsutil ls -L
|
||
|
|
||
|
# List contents of a specific bucket (recursive, so careful!)
|
||
|
gsutil ls -r gs://bucket-name/
|
||
|
|
||
|
# Cat the context of a file without copying it locally
|
||
|
gsutil cat gs://bucket-name/folder/object
|
||
|
|
||
|
# Copy an object from the bucket to your local storage for review
|
||
|
gsutil cp gs://bucket-name/folder/object ~/
|
||
|
```
|
||
|
|
||
|
If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:
|
||
|
|
||
|
```bash
|
||
|
for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done
|
||
|
```
|
||
|
|
||
|
### Search Open Buckets
|
||
|
|
||
|
With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_buckets.sh) you can find all the open buckets:
|
||
|
|
||
|
```bash
|
||
|
#!/bin/bash
|
||
|
|
||
|
#############################
|
||
|
# Run this tool to find buckets that are open to the public anywhere
|
||
|
# in your GCP organization.
|
||
|
#
|
||
|
# Enjoy!
|
||
|
#############################
|
||
|
|
||
|
for proj in $(gcloud projects list --format="get(projectId)"); do
|
||
|
echo "[*] scraping project $proj"
|
||
|
for bucket in $(gsutil ls -p $proj); do
|
||
|
echo " $bucket"
|
||
|
ACL="$(gsutil iam get $bucket)"
|
||
|
|
||
|
all_users="$(echo $ACL | grep allUsers)"
|
||
|
all_auth="$(echo $ACL | grep allAuthenticatedUsers)"
|
||
|
|
||
|
if [ -z "$all_users" ]
|
||
|
then
|
||
|
:
|
||
|
else
|
||
|
echo "[!] Open to all users: $bucket"
|
||
|
fi
|
||
|
|
||
|
if [ -z "$all_auth" ]
|
||
|
then
|
||
|
:
|
||
|
else
|
||
|
echo "[!] Open to all authenticated users: $bucket"
|
||
|
fi
|
||
|
done
|
||
|
|
||
|
```
|