Illuminate GCP by Fuzzing IAM Permissions

The challenge revolves around leveraging the testIAMPermission method to identify IAM permissions and situational awareness. Increase access by exfiltrating data from Artifact Registry and identify additional resources!

Your team is tasked with conducting a penetration test of Gigantic Retail Company. During the assessment, one of the penetration testers successfully identified an accidentally leaked GCP service account key and gained a foothold in the client's cloud environment. Your objective is to explore GCP and expand our access further.

• Proficiency in basic Linux command-line operations
• Familiarity with fundamental GCP IAM concepts
• Basic knowledge of scripting in Python and Bash
• Familiarity with basic Docker usage

• IAM permissions enumeration using testIamPermissions
• Enumerate Artifact Registry
• Enumerate Docker images
• Leverage cloud storage naming conventions to access more resources
• Understand how this could have been avoided

In real-world scenarios, you may lack permissions to list IAM policy permissions. In such situations, understanding alternative methods for enumerating permissions in GCP becomes crucial. Here, we leverage the testIAMPermission to brute-force potential permissions, allowing us to move laterally to other GCP services.