GCP - Pub/Sub Enum


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Pub/Sub

Google Cloud Pub/Sub is described as a service facilitating message exchange between independent applications. The core components include topics, to which applications can subscribe. Subscribed applications have the capability to send and receive messages. Each message comprises the actual content along with associated metadata.

The topic is the queue to which messages are sent, while subscriptions are the objects users use to read messages from a topic. There can be more than one subscription per topic, and there are four types of subscription:

  • Pull: The user(s) of this subscription need to pull for messages.
  • Push: A URL endpoint is configured and messages are sent to it immediately.
  • BigQuery table: Like push, but messages are written into a BigQuery table.
  • Cloud Storage: Messages are delivered directly to an existing Cloud Storage bucket.

By default a subscription expires after 31 days, although it can be set to never expire.

By default, a message is retained for 7 days, but this can be increased up to 31 days. Also, if a message is not ACKed within the ack deadline (10s by default) it goes back to the queue. The subscription can also be configured to keep storing messages after they have been ACKed.

A topic is encrypted by default with a Google-managed encryption key, but a CMEK (Customer Managed Encryption Key) from KMS can also be selected.

Dead letter: Subscriptions may configure a maximum number of delivery attempts. When a message cannot be delivered, it is republished to the specified dead letter topic.

Snapshots & Schemas

A snapshot is a feature that captures the state of a subscription at a specific point in time. It is essentially a consistent backup of the unacknowledged messages in a subscription. By creating a snapshot, you preserve the message acknowledgment state of the subscription, allowing you to resume message consumption from the point the snapshot was taken, even after the original messages would otherwise have been deleted.
If you are very lucky, a snapshot could contain old sensitive information from when it was taken.

When creating a topic, you can indicate that the topic messages must follow a schema.

Enumeration

bash
# Get a list of topics in the project
gcloud pubsub topics list
gcloud pubsub topics describe <topic>
gcloud pubsub topics list-subscriptions <topic>
gcloud pubsub topics get-iam-policy <topic>

# Get a list of subscriptions across all topics
gcloud pubsub subscriptions list
gcloud pubsub subscriptions describe <subscription>
gcloud pubsub subscriptions get-iam-policy <subscription>

# Get list of schemas
gcloud pubsub schemas list
gcloud pubsub schemas describe <schema>
gcloud pubsub schemas list-revisions <schema>

# Get list of snapshots
gcloud pubsub snapshots list
gcloud pubsub snapshots describe <snapshot>

However, you may have better results asking for a larger set of data, including older messages. This has some prerequisites and could impact applications, so make sure you really know what you're doing.
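The enumeration commands above only list the resources. As an added example (not part of the original page), this script reviews the JSON that `gcloud pubsub subscriptions list --format=json` and `gcloud pubsub topics list --format=json` return and flags the settings the text describes: delivery type, never-expiring subscriptions, retention above the 7-day default, retained ACKed messages, dead letter topics, and topics without a CMEK. The project, resource names and endpoint in the embedded sample are constructed.

```python
import json

# Constructed sample shaped like the gcloud JSON output; all names are hypothetical.
SUBSCRIPTIONS_JSON = """[
 {"name": "projects/demo-proj/subscriptions/orders-pull",
  "topic": "projects/demo-proj/topics/orders", "ackDeadlineSeconds": 10,
  "messageRetentionDuration": "2678400s", "retainAckedMessages": true,
  "expirationPolicy": {}},
 {"name": "projects/demo-proj/subscriptions/orders-push",
  "topic": "projects/demo-proj/topics/orders", "ackDeadlineSeconds": 10,
  "messageRetentionDuration": "604800s", "expirationPolicy": {"ttl": "2678400s"},
  "pushConfig": {"pushEndpoint": "https://hooks.example.invalid/orders"},
  "deadLetterPolicy": {"deadLetterTopic": "projects/demo-proj/topics/orders-dlq",
                       "maxDeliveryAttempts": 5}}
]"""
TOPICS_JSON = """[
 {"name": "projects/demo-proj/topics/orders"},
 {"name": "projects/demo-proj/topics/orders-dlq",
  "kmsKeyName": "projects/demo-proj/locations/us/keyRings/r/cryptoKeys/k"}
]"""

def seconds(duration):
    """API durations look like '604800s'; return them as an integer number of seconds."""
    return int(float(duration.rstrip("s")))

def delivery_type(sub):
    """Map the subscription resource to one of the four delivery types."""
    if sub.get("pushConfig", {}).get("pushEndpoint"):
        return "push"
    if "bigqueryConfig" in sub:
        return "bigquery"
    if "cloudStorageConfig" in sub:
        return "cloud_storage"
    return "pull"

def audit_subscription(sub):
    """Return review findings for one subscription resource."""
    findings = []
    if delivery_type(sub) == "push":
        findings.append("push endpoint: " + sub["pushConfig"]["pushEndpoint"])
    # No expirationPolicy means the 31-day default; a policy without ttl never expires.
    policy = sub.get("expirationPolicy")
    if policy is not None and "ttl" not in policy:
        findings.append("never expires")
    if seconds(sub.get("messageRetentionDuration", "604800s")) > 7 * 86400:
        findings.append("retention above 7-day default")
    if sub.get("retainAckedMessages"):
        findings.append("acked messages retained")
    if "deadLetterPolicy" in sub:
        findings.append("dead letter topic: " + sub["deadLetterPolicy"]["deadLetterTopic"])
    return findings

def audit(subs_json=SUBSCRIPTIONS_JSON, topics_json=TOPICS_JSON):
    """Findings keyed by full resource name; topics appear only when they lack a CMEK."""
    report = {s["name"]: audit_subscription(s) for s in json.loads(subs_json)}
    for topic in json.loads(topics_json):
        if "kmsKeyName" not in topic:
            report[topic["name"]] = ["Google-managed key (no CMEK)"]
    return report
```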

Privilege Escalation & Post Exploitation

GCP - Pub/Sub Post Exploitation

Pub/Sub Lite

Pub/Sub Lite is a messaging service with zonal storage. It costs a fraction of what Pub/Sub costs and is meant for high-volume streaming pipelines (up to 10 million messages per second) and event-driven systems where low cost is the primary consideration.

Pub/Sub Lite has topics and subscriptions but no snapshots or schemas; instead it adds:

  • Reservations: Pub/Sub Lite Reservations is a feature that allows users to reserve capacity in a specific region for their message streams.
  • Operations: Refers to the actions and tasks involved in managing and administering Pub/Sub Lite.

Enumeration

bash
# lite-topics (Lite resources are zonal/regional, so a location is required)
gcloud pubsub lite-topics list --location=<zone>
gcloud pubsub lite-topics describe <topic> --location=<zone>
gcloud pubsub lite-topics list-subscriptions <topic> --location=<zone>

# lite-subscriptions
gcloud pubsub lite-subscriptions list --location=<zone>
gcloud pubsub lite-subscriptions describe <subscription> --location=<zone>

# lite-reservations (reservations are regional)
gcloud pubsub lite-reservations list --location=<region>
gcloud pubsub lite-reservations describe <reservation> --location=<region>
gcloud pubsub lite-reservations list-topics <reservation> --location=<region>

# lite-operations
gcloud pubsub lite-operations list --location=<zone>
gcloud pubsub lite-operations describe <operation> --location=<zone>
