GCP - Storage Post Exploitation

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cloud Storage

For more information about Cloud Storage check this page:

GCP - Storage Enum

Give Public Access

It's possible to give external users (authenticated to GCP or not) access to a bucket's contents. However, a bucket may have public access prevention enabled, which blocks any allUsers / allAuthenticatedUsers grant until it is disabled on the bucket (if the org policy constraints/storage.publicAccessPrevention is enforced, disabling it at bucket level isn't enough):

# Disable public prevention
gcloud storage buckets update gs://BUCKET_NAME --no-public-access-prevention

# Make all objects in a bucket public
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
## IAM bindings apply to the whole bucket; a single object can only be exposed through its ACL, which needs fine-grained (non-uniform) access on the bucket

# Make a bucket or object public (via ACL)
gcloud storage buckets update gs://BUCKET_NAME --add-acl-grant=entity=AllUsers,role=READER
gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER

If you try to set ACLs on a bucket with uniform bucket-level access (ACLs disabled) you will get this error: ERROR: HTTPError 400: Cannot use ACL API to update bucket policy when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access

To access open buckets via browser, use https://<bucket_name>.storage.googleapis.com/ (or https://storage.googleapis.com/<bucket_name>/) to list objects, and https://<bucket_name>.storage.googleapis.com/<object_name> (or https://storage.googleapis.com/<bucket_name>/<object_name>) to download one. Listing needs storage.objects.list granted to allUsers, which roles/storage.objectViewer and the bucket READER ACL both include.
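The choice between the IAM and ACL paths above depends on two bucket settings: uniform bucket-level access (ACLs off) and public access prevention. The following script is an added example, not code from the original page: it reads both settings with gcloud and prints the exact commands needed to expose a bucket or a single object, refusing the per-object case when ACLs are disabled. It assumes the describe field names uniform_bucket_level_access and public_access_prevention; bucket and object names are placeholders.

```shell
# Added example (not part of the original page): plan how to expose a bucket
# or one object publicly from its current settings. Assumes the gcloud
# describe field names uniform_bucket_level_access and
# public_access_prevention; BUCKET/OBJECT names are placeholders.
set -eu

# gcloud is invoked through a variable so a stub can replace it when testing.
GCLOUD="${GCLOUD:-gcloud}"

# Print a single bucket setting (e.g. uniform_bucket_level_access).
bucket_setting() {
  "$GCLOUD" storage buckets describe "gs://$1" --format="value($2)"
}

# Print the gcloud commands that would make BUCKET (or BUCKET/OBJECT) public.
# Returns 2 when a single object cannot be exposed because the bucket uses
# uniform bucket-level access (ACLs are disabled there and IAM is bucket-wide).
plan_public_access() {
  bucket="$1"; object="${2:-}"
  ubla=$(bucket_setting "$bucket" uniform_bucket_level_access)
  pap=$(bucket_setting "$bucket" public_access_prevention)

  # Bucket-level public access prevention must go first. If the org policy
  # enforces it instead, this step is not enough and the grant below fails.
  if [ "$pap" = "enforced" ]; then
    echo "gcloud storage buckets update gs://$bucket --no-public-access-prevention"
  fi

  case "$ubla" in
    [Tt]rue)
      if [ -n "$object" ]; then
        echo "per-object exposure impossible: uniform bucket-level access is on" >&2
        return 2
      fi
      echo "gcloud storage buckets add-iam-policy-binding gs://$bucket --member=allUsers --role=roles/storage.objectViewer"
      ;;
    *)
      if [ -n "$object" ]; then
        echo "gcloud storage objects update gs://$bucket/$object --add-acl-grant=entity=AllUsers,role=READER"
      else
        echo "gcloud storage buckets update gs://$bucket --add-acl-grant=entity=AllUsers,role=READER"
      fi
      ;;
  esac
}

# Verify exposure from an unauthenticated client: 200 means public,
# 403 means still private. Call with BUCKET [OBJECT].
check_public() {
  curl -s -o /dev/null -w '%{http_code}' "https://storage.googleapis.com/$1/${2:-}"
}

# Usage: plan_public_access BUCKET [OBJECT] | sh   (pipe to sh to apply it)
```

The commands are printed rather than executed so they can be reviewed first; a uniform-access bucket with an object argument exits with status 2 instead of silently granting bucket-wide access.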

storage.objects.delete (storage.objects.get)

To delete an object:

gcloud storage rm gs://<BUCKET_NAME>/<OBJECT_NAME> --project=<PROJECT_ID>

storage.buckets.delete, storage.objects.delete & storage.objects.list

To delete a bucket (the bucket must be empty, so this first lists and deletes every object in it, hence the objects.list and objects.delete permissions):

gcloud storage rm -r gs://<BUCKET_NAME>

Deactivate HMAC Keys

The storage.hmacKeys.update permission allows disabling HMAC keys, and the storage.hmacKeys.delete permission allows an identity to delete HMAC keys associated with service accounts in Cloud Storage.

# Deactivate (stops the key from signing requests immediately)
gcloud storage hmac update <ACCESS_ID> --deactivate

# Delete (a key must be inactive before it can be deleted)
gcloud storage hmac delete <ACCESS_ID>

storage.buckets.setIpFilter & storage.buckets.update

The storage.buckets.setIpFilter permission, together with the storage.buckets.update permission, allows an identity to configure IP address filters on a Cloud Storage bucket, specifying which IP ranges or addresses are allowed to access the bucket's resources. This can be used either to lock legitimate users out of the bucket or to restrict access to attacker-controlled addresses.

To completely clear the IP filter, the following command can be used:

gcloud storage buckets update gs://<BUCKET_NAME> --clear-ip-filter --project=<PROJECT_ID>

To change the filtered IPs, the following command can be used:

gcloud storage buckets update gs://<BUCKET_NAME> \
  --ip-filter-file=ip-filter.json \
  --project=<PROJECT_ID>

The JSON file is the filter itself (mode is Enabled or Disabled; only requests from the listed public ranges or VPC sources are allowed), something like:

{
  "mode": "Enabled",
  "publicNetworkSource": {
    "allowedIpCidrRanges": ["<IP>/<MASK>"]
  },
  "allowCrossOrgVpcs": false,
  "allowAllServiceAgentAccess": false
}

storage.buckets.restore

Restore a soft-deleted bucket (still inside its soft delete retention window) using its generation, which is shown by listing soft-deleted buckets:

gcloud storage buckets list --soft-deleted

gcloud storage buckets restore gs://<BUCKET_NAME>#<GENERATION> \
  --project=<PROJECT_ID>
