I found a GCP service account token…now what?

Google Cloud Platform (GCP) is rapidly growing in popularity and i haven’t seen too many posts on  f**king it up so I’m going to do at least one :-)Google has several ways to do authentication but most likely what you are going to come across shoved into code somewhere or in a dotfiles is a service account json file.It’s going to look similar to this:These service account files are similar to AWS tokens in that it can be difficult to determine what they have access to if you don’t already have console and/or IAM access. However with a little bit of scripting we can brute force at least some of the token’s functionality pretty quickly. The issue being service accounts for something like GCP compute looks the same as one you made to manage your calendar or one of the 100’s of other Google services.You’ll need to install the gcloud tools for you OS. Info here:  https://cloud.google.com/sdk/Once you have the gcloud suite of tools installed you can auth with the json file with the following command:gcloud auth activate-service-account –key-file=KEY_FILEIf they key is invalid you’ll see something like the below:gcloud auth activate-service-account –key-file=21.jsonERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: invalid_grant: Not a valid email or user ID.Otherwise it will look similar to below:gcloud auth activate-service-account –key-file=/Users/CG/Documents/pentest/gcp-weirdaal/gcp.jsonActivated service account credentials for: [python@removed.iam.gserviceaccount.com]you can validate it worked by issuing gcloud auth list command:gcloud auth list                  Credentialed AccountsACTIVE  ACCOUNT*       python@removed.iam.gserviceaccount.comI put together a shell script that runs though a bunch of command to enumerate information. They only you info need to provide is the project name. This can be found in the json file in the project_id  field or by issuing the  gcloud project list command.  Sometimes there are multiple projects associated with an account and you’d need to run the shell script with for each project.The first time you run these api calls you might need to pass a “Y" to the cli to enable it. you can get around this manual shenanigans by doing a:yes | ./gcp_enum.sh This will answer Yes for you each time :-)The script is here: https://gist.github.com/carnal0wnage/757d19520fcd9764b24ebd1d89481541 NCC Group also has two tools you could check out:https://github.com/nccgroup/G-Scoutandhttps://github.com/nccgroup/ScoutSuiteenjoyCG

Link: http://carnal0wnage.attackresearch.com/2019/01/i-found-gcp-service-account-tokennow.html