GCP Exploit#
Offensive tradecraft against Google Cloud projects. After recovering a user account, service-account key, or OAuth token, the operator’s first move is a posture sweep with Scout Suite or GCPBucketBrute, then targeted IAM-graph traversal with a tool like GCP-IAM-Privilege-Escalation. Authorisation is assumed.
Posture sweep#
Scout Suite is the cross-cloud auditor of choice. Point it at GCP after compromising a user or service-account credential.
# 1. Install the gcloud SDK (https://cloud.google.com/sdk/install)
# 2. Authenticate as the recovered identity
$ gcloud auth login # user account
$ gcloud auth activate-service-account \ # service account
--key-file=/path/to/key.json
# 3. Run Scout against the target
$ python scout.py gcp --user-account
$ python scout.py gcp --service-account --key-file /path/to/key.json
The output HTML report lists overprivileged identities, public buckets, exposed firewall rules, and weak service-account posture. The operator pivots from there.
Identity scoping#
Organization: organization-id <ORGANIZATION_ID>
Folder: folder-id <FOLDER_ID>
Project: project-id <PROJECT_ID>
Scout walks down from whichever scope the recovered credential can read; the operator picks the broadest level the credential will resolve.
References#
GCP CLI for the underlying CLI surface.
GCP Defend for the matching defensive view.