GCP (Google Cloud Platform) Pentesting
Last modified: 2024-12-18
Install Google Cloud CLI
Before pentesting GCP, we need to install a dedicated CLI tool. See the installation guide for details.
Once it is installed, log in with your Google credentials:
gcloud auth login
Google Storage
Google Storage allows users to store static files, which are served at a URL of the form: https://storage.googleapis.com/<bucket-name>/
We can enumerate the target storage as below:
# Enumerate accessible directories/files from outside.
ffuf -u https://storage.googleapis.com/<bucket-name>/FUZZ -w wordlist.txt -fc 403
# Display directories/files
gsutil ls gs://<bucket-name>/example/
# Download a file to the current directory
gsutil cp gs://<bucket-name>/example.txt .
# Get metadata for an object in the bucket
gsutil stat gs://<bucket-name>/index.html
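The bucket owner's side of the enumeration above, as an added example that is not part of the original page: it parses the JSON printed by "gsutil iam get gs://<bucket-name>" and reports bindings that grant access to allUsers or allAuthenticatedUsers, separating object read from object listing. The sample policy is constructed, and the role-to-exposure map is an assumption of this example that covers only a few predefined Storage roles.

```python
import json

# Principals that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# What a few predefined roles expose (subset chosen for this example).
ROLE_EXPOSURE = {
    "roles/storage.legacyObjectReader": {"read"},          # get only, no listing
    "roles/storage.legacyBucketReader": {"list"},
    "roles/storage.objectViewer": {"read", "list"},
    "roles/storage.objectCreator": {"write"},
    "roles/storage.legacyBucketWriter": {"list", "write"},
    "roles/storage.objectAdmin": {"read", "list", "write"},
    "roles/storage.admin": {"read", "list", "write"},
}

def audit_policy(policy_json):
    """Return one finding per binding that includes a public principal."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        public = sorted(PUBLIC_MEMBERS & set(binding.get("members", [])))
        if not public:
            continue
        role = binding.get("role", "")
        findings.append({
            "role": role,
            "members": public,
            # Custom or unmapped roles are marked for manual review.
            "exposure": sorted(ROLE_EXPOSURE.get(role, {"review"})),
            "conditional": "condition" in binding,  # IAM condition narrows the grant
        })
    return findings

# Constructed sample policy, shaped like "gsutil iam get" output.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers", "user:dev@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
]})

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f["role"], f["members"], f["exposure"], f["conditional"])
```

A binding whose exposure is read without list is the case where objects are reachable by URL but the bucket cannot be listed, so such files are only found by guessing their names.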