GCP - Cloud Run Enum
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Cloud Run
Cloud Run is a serverless managed compute platform that lets you run containers directly on top of Google's scalable infrastructure.
You can run your own container or, if you're using Go, Node.js, Python, Java, .NET Core, or Ruby, use the source-based deployment option that builds the container for you.
Google has built Cloud Run to work well together with other services on Google Cloud, so you can build full-featured applications.
Services and jobs
On Cloud Run, your code can either run continuously as a service or as a job. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.
- Cloud Run services. Used to run code that responds to web requests, or events.
- Cloud Run jobs. Used to run code that performs work (a job) and quits when the work is done.
Cloud Run Service
Google Cloud Run is another serverless offering where you can also search for environment variables. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
Relevant details
- By default, access to the web server is public, but it can also be limited to internal traffic (VPC...). Moreover, authentication to contact the web server can either allow all callers or require authentication via IAM.
- By default, the encryption uses a Google managed key, but a CMEK (Customer Managed Encryption Key) from KMS can also be chosen.
- By default, the service account used is the Compute Engine default one, which has Editor access over the project and has the scope cloud-platform.
- It's possible to define clear-text environment variables for the execution, and even mount cloud secrets or add cloud secrets to environment variables.
- It's also possible to add connections with Cloud SQL and mount a file system.
- The URLs of the deployed services are similar to https://<svc-name>-<random>.a.run.app
- A Run Service can have more than 1 version or revision, and split traffic among several revisions.
Enumeration
# List services
gcloud run services list
gcloud run services list --platform=managed
gcloud run services list --platform=gke
# Get info of a service
gcloud run services describe --region <region> <svc-name>
# Get info of all the services together
gcloud run services list --format=yaml
gcloud run services list --platform=managed --format=json
gcloud run services list --platform=gke --format=json
# Get policy
gcloud run services get-iam-policy --region <region> <svc-name>
# Get revisions
gcloud run revisions list --region <region>
gcloud run revisions describe --region <region> <revision>
# Get domains
gcloud run domain-mappings list
gcloud run domain-mappings describe <name>
# Attempt to trigger a job unauthenticated
curl <url>
# Attempt to trigger a job with your current gcloud authorization
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <url>
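To review the output of the commands above against the defaults listed under "Relevant details", the following added example (not part of the original page) flags public ingress, the default Compute Engine service account, clear-text secret-looking environment variables, and public invoker bindings. The sample JSON is constructed, the field layout assumes the Knative-style output of gcloud run services list --format=json, and the secret-name regex is a heuristic assumption.

```python
import json
import re

# Constructed sample shaped like `gcloud run services list --format=json`.
SAMPLE_SERVICES = json.loads("""
[{"metadata": {"name": "billing-api",
               "annotations": {"run.googleapis.com/ingress": "all"}},
  "spec": {"template": {"spec": {
    "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com",
    "containers": [{"env": [
      {"name": "DB_PASSWORD", "value": "constructed-example"},
      {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "api-key", "key": "latest"}}}
    ]}]}}}},
 {"metadata": {"name": "internal-worker",
               "annotations": {"run.googleapis.com/ingress": "internal"}},
  "spec": {"template": {"spec": {
    "serviceAccountName": "worker@example-project.iam.gserviceaccount.com",
    "containers": [{"env": [{"name": "LOG_LEVEL", "value": "info"}]}]}}}}]
""")
# Constructed sample shaped like `gcloud run services get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}

DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.I)  # heuristic (assumption)

def audit_service(svc):
    """Return findings for one service object from the list/describe JSON."""
    findings = []
    annotations = svc.get("metadata", {}).get("annotations", {})
    pod = svc.get("spec", {}).get("template", {}).get("spec", {})
    # A missing ingress annotation is treated as "all" (public by default).
    if annotations.get("run.googleapis.com/ingress", "all") == "all":
        findings.append("ingress-all")
    # An empty serviceAccountName is treated as the Compute Engine default SA.
    sa = pod.get("serviceAccountName", "")
    if not sa or DEFAULT_SA.match(sa):
        findings.append("default-compute-sa")
    for container in pod.get("containers", []):
        for env in container.get("env", []):
            # A literal "value" is clear text; "valueFrom" is a secret reference.
            if "value" in env and SECRET_NAME.search(env["name"]):
                findings.append("cleartext-env:" + env["name"])
    return findings

def public_invokers(policy):
    """Return the public principals granted roles/run.invoker."""
    public = {"allUsers", "allAuthenticatedUsers"}
    return sorted(m for b in policy.get("bindings", []) if b.get("role") == "roles/run.invoker"
                  for m in b.get("members", []) if m in public)
```

Feed it real data with json.load over the saved output of the list and get-iam-policy commands using --format=json.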
Cloud Run Jobs
Cloud Run jobs are a better fit for containers that run to completion and don't serve requests. Jobs don't have the ability to serve requests or listen on a port. This means that, unlike Cloud Run services, jobs should not bundle a web server. Instead, job containers should exit when they are done.
Enumeration
gcloud beta run jobs list
gcloud beta run jobs describe --region <region> <job-name>
gcloud beta run jobs get-iam-policy --region <region> <job-name>
Privilege Escalation
In the following page, you can check how to abuse cloud run permissions to escalate privileges:
Unauthenticated Access
GCP - Cloud Run Unauthenticated Enum
Post Exploitation
GCP - Cloud Run Post Exploitation
Persistence