diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md index 6eeec28ccc..45292fe588 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md @@ -51,6 +51,7 @@ gsutil hmac create # Configure gsutil to use it gsutil config -a +gcloud config set pass_credentials_to_gsutil false # Use it gsutil ls gs://[BUCKET_NAME] diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md index a96e2ab15f..020e77f63f 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md +++ b/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md @@ -52,7 +52,7 @@ By default objects are **encrypted using Google managed keys**, but you could al ### Public Access -It's possible to give **external users** (logged in GCP or not) **access to buckets content**. \ +It's possible to give **external users** (logged in GCP or not) **access to buckets content**.\ By default, when a bucket is created, it will have **disabled the option to expose publicly** the bucket, but with enough permissions the can be changed. The **format of an URL** to access a bucket is **`https://storage.googleapis.com/` or `https://.storage.googleapis.com`** (both are valid). @@ -101,6 +101,10 @@ curl -H "Authorization: Bearer $TOKEN" "https://storage.googleapis.com/storage/v # Enumerate HMAC keys gsutil hmac list + +# Get permissions +gcloud storage buckets get-iam-policy gs://bucket-name/ +gcloud storage objects get-iam-policy gs://bucket-name/folder/object ``` If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:
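Review bot: The first hunk (gcp-storage-privesc.md, `gsutil hmac create` block) adds `gcloud config set pass_credentials_to_gsutil false` with no comment saying why it is needed, and the line reads as an unrelated config change. Add a short comment above it, e.g. `# Stop gcloud from injecting its own credentials into gsutil, otherwise the HMAC key written by "gsutil config -a" is ignored`, and since this is a persistent gcloud property that affects every later gsutil call, note how to undo it (`gcloud config set pass_credentials_to_gsutil true`) once the HMAC test is done.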
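Review bot: The second hunk (gcp-storage-enum.md, "Public Access") is whitespace-only (dropping the space before the trailing `\` hard break), but the unchanged context right below it still carries the typo "with enough permissions the can be changed" (should be "this can be changed") and the URL examples `https://storage.googleapis.com/` and `https://.storage.googleapis.com` are missing their bucket-name placeholder. Since this paragraph is being touched anyway, fix the typo and restore the placeholder in the same hunk rather than leaving a formatting-only change.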
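Review bot: In the third hunk (gcp-storage-enum.md, enumeration block) the comment `# Get permissions` is misleading: `gcloud storage buckets get-iam-policy` returns the bucket's IAM policy (the role bindings, which is where `allUsers` / `allAuthenticatedUsers` grants show up), not the caller's own effective permissions, so reword it to something like `# Get IAM policy (bindings) of a bucket/object`. Also `gs://bucket-name/` and `gs://bucket-name/folder/object` are sample values and should be marked as placeholders consistently with the `gs://[BUCKET_NAME]` convention used in the other file, and it is worth confirming that the object-level `gcloud storage objects get-iam-policy` form behaves as expected on buckets with uniform bucket-level access enabled, where per-object access is not governed separately.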