DEV Community

Bruno
Some handy notes for GCP pentesting

Hey folks!
Here are some notes I use when validating GCP service account keys and looking for SSRFs.

How to authenticate as a service account using the gcloud CLI

gcloud auth activate-service-account 1234567-compute@developer.gserviceaccount.com --key-file=pathtofile.json --project=PROJECT_ID

The e-mail address is the client_email field of the JSON key file, the project ID is its project_id field, and --key-file points at wherever you saved the file. An address of the form PROJECT_NUMBER-compute@developer.gserviceaccount.com, as in the example, is the Compute Engine default service account, which Google grants the project-wide Editor role unless an organization policy disables that, so a leaked key for it usually means broad access.

Some useful enumeration commands

Each call needs the matching *.list permission, so a 403 on one of them tells you which API the account cannot read, which is itself useful when mapping what a key can do.

#List SSL certificates
gcloud compute ssl-certificates list
#List Compute Engine images; the default output includes public images, add --no-standard-images to see only this project's custom images
gcloud compute images list
#List Compute Engine instances
gcloud compute instances list
#List Cloud Storage buckets
gcloud storage ls
#List buckets using the legacy gsutil tool
gsutil ls
#List container images in the project's Container Registry (gcr.io); Artifact Registry repositories need the gcloud artifacts commands instead
gcloud container images list
#List GKE clusters
gcloud container clusters list
#List VPC firewall rules
gcloud compute firewall-rules list

Reaching the metadata server through SSRF (Axios)

When you have an SSRF in a GCP environment, requests to the metadata server (http://metadata.google.internal/computeMetadata/v1/...) must carry the header 'Metadata-Flavor: Google'; without it the server answers 403 with "Missing Metadata-Flavor:Google header". That check exists precisely to stop header-less SSRF, so the bug has to give you control over request headers, or the application has to add the header itself (for example through an Axios instance it already uses for its own metadata calls).

In Axios the header goes in the request config, not in the request body: pass { headers: { 'Metadata-Flavor': 'Google' } } as the config argument of axios.get(url, config), or set it once for every request through axios.defaults.headers.common or an instance created with axios.create({ headers: ... }).

Axios Docs

Some useful links and tools

GCP Pentesting - Hacktricks

GCP Services - Hacktricks

Awesome GCP Pentesting
