GCP Exploit#

Offensive tradecraft against Google Cloud projects. After recovering a user account, service-account key, or OAuth token, the operator’s first move is a posture sweep with Scout Suite or GCPBucketBrute, then targeted IAM-graph traversal with a tool like GCP-IAM-Privilege-Escalation. Authorisation is assumed.

Posture sweep#

Scout Suite is the cross-cloud auditor of choice. Point it at GCP after compromising a user or service-account credential.

# 1. Install the gcloud SDK (https://cloud.google.com/sdk/install)
# 2. Authenticate as the recovered identity
$ gcloud auth login                                    # user account
$ gcloud auth activate-service-account \               # service account
    --key-file=/path/to/key.json

# 3. Run Scout against the target
$ python scout.py gcp --user-account
$ python scout.py gcp --service-account --key-file /path/to/key.json

The output HTML report lists overprivileged identities, public buckets, exposed firewall rules, and weak service-account posture. The operator pivots from there.

Identity scoping#

Organization: organization-id <ORGANIZATION_ID>
Folder:       folder-id       <FOLDER_ID>
Project:      project-id      <PROJECT_ID>

Scout walks down from whichever scope the recovered credential can read; the operator picks the broadest level the credential will resolve.

References#