Beginner-friendly Lab | Red team | GCP

Pivot Through Service Accounts using Dangerous Permissions

Explore how to abuse dangerous IAM permissions to move laterally and escalate privileges in a GCP environment.

Overview

In this lab, you'll simulate the compromise of a low-privilege service account and explore how to abuse dangerous IAM permissions to move laterally and escalate privileges in a GCP environment. You'll also gain an understanding of how to detect service account abuse using Cloud Logging.
Scenario

We are on a purple team engagement for Gigantic Retail and have identified a GCP service account key file in an NTFS share. Your mission is to pivot to the cloud, increase our access in GCP, and ultimately help to close down any identified attack paths.

Lab prerequisites
  • Basic knowledge of Google Cloud
  • Familiarity with the command line

Learning outcomes
  • Get situational awareness using IAM policy and the testIamPermissions method
  • Enumerate and explore resources using the gcloud and gsutil CLI
  • Abuse the dangerous implicitDelegation, generateAccessToken and signJwt permissions
  • Identify and use GCP HMAC keys to exfiltrate files from Cloud Storage
  • Detect service account abuse using Cloud Logging
Real-world context

In real-world cloud breaches, attackers rarely stop at a single compromised identity. To achieve their objectives, they look to exploit misconfigured IAM bindings and overly permissive service account roles. This kind of abuse can go undetected when defenders rely solely on project-level IAM reviews and overlook resource-level permissions that quietly expose high-impact attack paths. It helps to take a purple-team approach to defense and understand an environment as a threat actor would, using their tradecraft.