
4. Common Use Cases (Bruteforcing 9500 Permissions)

WebbinRoot edited this page Jul 2, 2024 · 1 revision

Common Use Cases

Before diving into the individual module descriptions, this page covers some generic use cases. I assume most people will follow one of these workflows when using the tool :)

Enumerate Everything Path

Try to enumerate everything. Good if there are spotty permissions/you're able to get some resources.

Step 1: Identify leaked credentials either through email/password, service account keys, or individual OAuth2 tokens.

Step 2: Load the credentials into GCPwn. Note the Authentication wiki demonstrates how to load these into GCPwn.

Step 3: Once loaded in, run creds info to observe that no permissions have been added to your user.

Step 4: Make sure the project is set to something other than 'None'. Note you might need to manually add the project via projects set <project_id>, as described in the previous wiki article.

Step 5: With your creds loaded and project set, run modules run enum_all --iam and observe the results. See if any resources are found.

Step 6: Run creds info to see what permissions were successfully called during your run.

Step 7: Run modules run process_iam_bindings --txt if IAM bindings were identified in enum_all, and review the output text file in Gathered Data to see the IAM summary.

Step 8: Run modules run analyze_vulns --txt to see if there are any IAM violations identified. This is still a bit in-progress, so you can always manually check the txt output from process_iam_bindings.
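
From the defender's side, an enum_all sweep with spotty permissions can be hunted for in Cloud Audit Logs as one principal touching many services in a short span with mostly PERMISSION_DENIED results. The sketch below is an added example, not GCPwn code: it assumes the relevant audit logs are enabled and exported as LogEntry JSON, and the function names, thresholds and sample entries are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code

def flag_enumeration(entries, window=timedelta(minutes=10), min_services=5, min_denied_ratio=0.5):
    """Return principals that touched many services, mostly denied, inside one time window."""
    calls_by_principal = defaultdict(list)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail")
        if not who:
            continue
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        denied = payload.get("status", {}).get("code") == PERMISSION_DENIED
        calls_by_principal[who].append((ts, payload.get("serviceName", "unknown"), denied))

    flagged = {}
    for who, calls in calls_by_principal.items():
        calls.sort(key=lambda c: c[0])
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:  # slide the window forward
                start += 1
            win = calls[start:end + 1]
            services = sorted({svc for _, svc, _ in win})
            denied = sum(1 for _, _, d in win if d)
            if len(services) >= min_services and denied / len(win) >= min_denied_ratio:
                flagged[who] = {"calls": len(win), "denied": denied, "services": services}
                break  # report the first window that crosses both thresholds
    return flagged

def _entry(ts, who, service, code=None):
    """Build a constructed LogEntry-shaped dict (sample data, not a real log)."""
    payload = {"authenticationInfo": {"principalEmail": who}, "serviceName": service}
    if code is not None:
        payload["status"] = {"code": code}
    return {"timestamp": ts, "protoPayload": payload}

# Constructed sample: one key sweeping six services in six seconds, one ordinary user.
SWEEPER = "leaked-sa@example-project.iam.gserviceaccount.com"
SERVICES = ["storage", "compute", "iam", "secretmanager", "cloudfunctions", "cloudresourcemanager"]
SAMPLE = [_entry(f"2024-01-01T10:00:{i:02d}Z", SWEEPER, f"{s}.googleapis.com",
                 PERMISSION_DENIED if i else None) for i, s in enumerate(SERVICES)]
SAMPLE += [_entry("2024-01-01T10:05:00Z", "dev@example.com", "storage.googleapis.com", PERMISSION_DENIED),
           _entry("2024-01-01T10:06:00Z", "dev@example.com", "storage.googleapis.com")]

if __name__ == "__main__":
    for who, hit in flag_enumeration(SAMPLE).items():
        print(who, hit)
```

Tune the window and both thresholds against a baseline of your own automation, since deployment pipelines and inventory scanners also touch many services quickly.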

Brute Force Permissions Path

Good if you have permissions that are not already covered by existing modules.

Step 1: Identify leaked credentials either through email/password, service account keys, or individual OAuth2 tokens.

Step 2: Load the credentials into GCPwn. Note the Authentication wiki demonstrates how to load these into GCPwn.

Step 3: Once loaded in, run creds info to observe that no permissions have been added to your user.

Step 4: Make sure the project is set to something other than 'None'. Note you might need to manually add the project via projects set <project_id>, as described in the previous wiki article.

Step 5: With your creds loaded and project set, run modules run enum_all --iam and observe the results. See if any additional projects are found.

Step 6: Run modules run enum_resources [--projects | --folders | --organizations] --iam --all-permissions. This will brute force ~9500 INDIVIDUAL permissions for the project/folder/organizations (pass in none of those flags to run permissions on all of them).

Step 7: Run creds info and see what individual permissions you identified after the run. Note there is no way to check while the tool is running, but as a workaround you can open the tool again in a second session and keep running creds info there to see what the other session has collected so far.