GWS - Post Exploitation
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Google Groups Privesc
By default in Workspace, a group can be freely accessed by any member of the organization.
Workspace also allows granting permissions to groups (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may abuse that path to escalate privileges.
You potentially need access to the console to join groups that allow anyone in the org to join. Check group information at https://groups.google.com/all-groups.
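To check for this path from the defender's side, the added example below (not part of the original page) cross-references group join settings with IAM bindings and reports groups that members can join on their own while the group holds GCP roles. The group names, the project policy and the sample data are constructed; the field names assume the Groups Settings API resource (`email`, `whoCanJoin`) and the JSON shape of an IAM policy export.

```python
import json

# Constructed sample data (not from a real tenant).
# Assumed shape: Groups Settings API resources (fields: email, whoCanJoin).
GROUP_SETTINGS = json.loads("""[
  {"email": "gcp-admins@example.com", "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
  {"email": "billing@example.com",    "whoCanJoin": "INVITED_CAN_JOIN"},
  {"email": "social@example.com",     "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
  {"email": "dev-tools@example.com",  "whoCanJoin": "ANYONE_CAN_JOIN"}
]""")

# Assumed shape: JSON export of a project IAM policy (bindings of role -> members).
IAM_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner",
     "members": ["group:gcp-admins@example.com", "user:alice@example.com"]},
    {"role": "roles/billing.viewer", "members": ["group:billing@example.com"]},
    {"role": "roles/storage.admin",  "members": ["group:Dev-Tools@example.com"]}
  ]
}""")

# Join settings that let a user add themselves without approval.
SELF_JOIN = {"ALL_IN_DOMAIN_CAN_JOIN", "ANYONE_CAN_JOIN"}

def roles_by_group(policy):
    """Map lower-cased group e-mail -> sorted list of roles bound to it."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "group":
                out.setdefault(ident.lower(), set()).add(binding["role"])
    return {group: sorted(roles) for group, roles in out.items()}

def risky_groups(settings, policy):
    """Return [(group, whoCanJoin, roles)] for self-joinable groups holding IAM roles."""
    roles = roles_by_group(policy)
    findings = []
    for group in settings:
        email = group["email"].lower()
        if group.get("whoCanJoin") in SELF_JOIN and email in roles:
            findings.append((email, group["whoCanJoin"], roles[email]))
    return sorted(findings)

if __name__ == "__main__":
    for email, join, roles in risky_groups(GROUP_SETTINGS, IAM_POLICY):
        print(f"{email}: {join} -> {', '.join(roles)}")
```

This sketch only looks at direct bindings in one policy; nested group membership and bindings at folder or organization level need the same check applied to those policies.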
Access Groups Mail info
If you managed to compromise a Google user session, from https://groups.google.com/all-groups you can see the history of mails sent to the mail groups the user is a member of, and you might find credentials or other sensitive data.
GCP <--> GWS Pivoting
Takeout - Download Everything Google Knows about an account
If you have a session inside a victim's Google account, you can download everything Google saves about that account from https://takeout.google.com
Vault - Download all the Workspace data of users
If an organization has Google Vault enabled, you might be able to access https://vault.google.com and download all the information.
Contacts download
From https://contacts.google.com you can download all the contacts of the user.
Cloudsearch
In https://cloudsearch.google.com/ you can just search through all the Workspace content (email, drive, sites...) a user has access to. Ideal to quickly find sensitive information.
Google Chat
In https://mail.google.com/chat you can access a Google Chat, and you might find sensitive information in the conversations (if any).
Google Drive Mining
When sharing a document you can specify the people that can access it one by one, or share it with your entire company (or with some specific groups) by generating a link.
When sharing a document, in the advanced settings you can also allow people to search for this file (by default this is disabled). However, it's important to note that once a user views a document, it becomes searchable by them.
For the sake of simplicity, most people will generate and share a link instead of adding the people that can access the document one by one.
Some proposed ways to find all the documents:
- Search in internal chat, forums...
- Spider known documents searching for references to other documents. You can do this within an Apps Script with PaperChaser.
Keep Notes
In https://keep.google.com/ you can access the notes of the user; sensitive information might be saved there.
Modify App Scripts
In https://script.google.com/ you can find the Apps Scripts of the user.
Administrate Workspace
In https://admin.google.com/, you might be able to modify the Workspace settings of the whole organization if you have enough permissions.
You can also find emails by searching through all the user's invoices in https://admin.google.com/ac/emaillogsearch