
Introduction:
Cloud privilege escalation remains a critical blind spot in Google Cloud Platform (GCP) security assessments. Traditional enumeration tools often miss complex permission chains that attackers exploit to move from a compromised service account to full organization access. New open‑source frameworks like GCPwn and OCInferno now map IAM policies, testIamPermissions responses, and resource inheritance into an exploitable graph, revealing single and multi‑step privilege escalation paths that manual reviews would rarely catch.
Learning Objectives:
- Understand how GCPwn collects IAM bindings and testIamPermissions data across GCP organizations, folders, projects, and buckets.
- Learn to export enumeration results into an OpenGraph JSON file and visualise privilege escalation edges (including multi‑permission chains).
- Gain hands‑on experience with installing GCPwn via PyPI or standalone executables, running enumeration modules, and customising privilege escalation rule sets.
You Should Know
1. Installing GCPwn and OCInferno on Linux / Windows
Both tools are Python‑based and designed for cloud penetration testing. GCPwn is the primary GCP assessment tool; OCInferno focuses on Oracle Cloud Infrastructure (OCI) but shares the OpenGraph concept.
Step‑by‑step installation (Linux/macOS/WSL):
# Option 1: PyPI package (recommended for flexibility)
pip install gcpwn

# Option 2: Standalone Linux executable (no Python dependencies)
wget https://github.com/NetSPI/gcpwn/releases/latest/download/gcpwn-linux-amd64
chmod +x gcpwn-linux-amd64
./gcpwn-linux-amd64

# For OCInferno (standalone)
git clone https://github.com/NetSPI/OCInferno.git
cd OCInferno
pip install -r requirements.txt
On Windows: Use WSL2 or Python directly in PowerShell:
pip install gcpwn
gcpwn --help
Verification: After installation, test connectivity to GCP by setting up application default credentials:
gcloud auth application-default login
gcpwn
# inside the GCPwn shell
list modules
This confirms the tool can enumerate IAM policies using your authenticated GCP session.
2. Enumerating GCP IAM with `testIamPermissions` and Passive Collection
GCPwn’s core enumeration module, enum_all --iam, runs hundreds of `testIamPermissions` calls across all accessible resources. It also passively captures permissions from API responses during other modules.
Step‑by‑step enumeration guide:
# Start the GCPwn interactive console
gcpwn
# Inside the GCPwn shell
use modules/enum_all
set iam true
set output_dir ./gcp_enum_results
run
What happens behind the scenes:
- The tool discovers all projects, folders, and organizations your identity can reach.
- For each resource (bucket, compute instance, service account, etc.), it calls `testIamPermissions` with a list of thousands of permissions.
- Responses (allowed/denied) are stored along with the IAM policy bindings returned by getIamPolicy.
- Results are saved to CSV, JSON, and optionally Excel if `xlsxwriter` is installed.
Linux command to inspect raw permission data:
jq '.[] | select(.permission=="iam.serviceAccounts.actAs")' ./gcp_enum_results/iam_permissions.json
Windows alternative (PowerShell):
# -Raw is required so ConvertFrom-Json receives the whole multi-line document, not one line at a time
(Get-Content .\gcp_enum_results\iam_permissions.json -Raw | ConvertFrom-Json) | Where-Object { $_.permission -eq "iam.serviceAccounts.actAs" }
This output shows which identities have critical “actAs” permissions – a common precursor to privilege escalation.
3. Exporting OpenGraph JSON and Visualising Privilege Escalation Paths
After enumeration, GCPwn can export all collected relationships (user→role→resource→inheritance) into an OpenGraph JSON file. The graph includes privilege escalation edges defined in the project’s escalation_edges.json.
Step‑by‑step graph generation:
# From within the GCPwn shell, after enumeration
use modules/export_graph
set input_dir ./gcp_enum_results
set output_file graph.json
set format opengraph
run
The resulting `graph.json` contains nodes (users, service accounts, roles, resources) and directed edges representing permission inheritance and escalation possibilities.
Visualising with a Python script:
import json
import networkx as nx
import matplotlib.pyplot as plt

with open('graph.json') as f:
    data = json.load(f)

# Build a directed graph: one edge per relationship, keeping the edge type
# (permission or inheritance) as a label
G = nx.DiGraph()
for edge in data['edges']:
    G.add_edge(edge['source'], edge['target'], label=edge.get('type', ''))

# Draw privilege escalation paths, labelling each edge with its type
pos = nx.spring_layout(G)
nx.draw(G, pos, with_labels=True, node_size=500, font_size=8)
nx.draw_networkx_edge_labels(G, pos, edge_labels=nx.get_edge_attributes(G, 'label'), font_size=6)
plt.show()
What the graph shows:
- Single‑permission edges (e.g., `iam.serviceAccountKeys.create` allows a user to create a key and impersonate a service account).
- Multi‑permission edges (e.g., `compute.instances.update` + `iam.serviceAccounts.actAs` + `compute.instances.setMetadata` allows modifying an instance to run as a high‑privilege service account).
- Inheritance edges (project inherits permissions from its parent folder or organization).
This visualisation identifies the shortest path from a low‑privileged principal to a high‑value resource (e.g., organisation admin).
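The plotting script above only draws the graph; finding the shortest escalation path and the set of principals that can reach a high-value node is a search problem. The following is an added example (not code from the page or from the GCPwn project) that answers both questions with a breadth-first search over an OpenGraph-style JSON document in the same `nodes`/`edges` shape the page's script reads. The sample graph, its node ids and its edge type strings are constructed for illustration; the convention that inheritance edges point from parent to child and are not traversed as escalation steps is an assumption.

```python
import json
from collections import deque

# Constructed sample in the shape the page's plotting script reads: a "nodes"
# list and an "edges" list of source/target/type. Not real GCPwn output; the
# node ids and edge type strings are assumptions for illustration.
SAMPLE_GRAPH = json.dumps({
    "nodes": [
        {"id": "user:dev@example.com", "kind": "user"},
        {"id": "sa:builder@proj-a.iam", "kind": "serviceAccount"},
        {"id": "instance:proj-a/web-1", "kind": "computeInstance"},
        {"id": "sa:admin@proj-a.iam", "kind": "serviceAccount"},
        {"id": "project:proj-a", "kind": "project"},
        {"id": "folder:prod", "kind": "folder"},
        {"id": "org:example", "kind": "organization"},
    ],
    "edges": [
        # single-permission escalation edge
        {"source": "user:dev@example.com", "target": "sa:builder@proj-a.iam",
         "type": "iam.serviceAccountKeys.create"},
        # multi-permission escalation collapsed into one labelled edge
        {"source": "sa:builder@proj-a.iam", "target": "instance:proj-a/web-1",
         "type": "compute.instances.setMetadata+iam.serviceAccounts.actAs"},
        # the instance runs as a more privileged service account
        {"source": "instance:proj-a/web-1", "target": "sa:admin@proj-a.iam",
         "type": "runsAs"},
        {"source": "sa:admin@proj-a.iam", "target": "project:proj-a",
         "type": "resourcemanager.projects.setIamPolicy"},
        # inheritance edges point from parent to child resource
        {"source": "folder:prod", "target": "project:proj-a", "type": "inherits"},
        {"source": "org:example", "target": "folder:prod", "type": "inherits"},
    ],
})


def load_graph(text):
    """Build an adjacency map {node_id: [(target_id, edge_type), ...]}."""
    data = json.loads(text)
    adj = {n["id"]: [] for n in data["nodes"]}
    for e in data["edges"]:
        adj.setdefault(e["source"], []).append((e["target"], e.get("type", "")))
        adj.setdefault(e["target"], [])
    return adj


def shortest_escalation_path(adj, start, goal, skip_types=frozenset({"inherits"})):
    """Breadth-first search for the fewest-hop path from start to goal.

    Returns a list of (node, edge_type_used_to_reach_node); the first entry has
    edge_type None. Edge types in skip_types are not traversed, so inheritance
    edges (which only describe where permissions flow down) do not count as
    escalation steps. Returns None when goal is unreachable.
    """
    if start not in adj:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for nxt, etype in adj[cur]:
            if etype in skip_types or nxt in prev:
                continue
            prev[nxt] = (cur, etype)
            queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while node is not None:
        step = prev[node]
        path.append((node, step[1] if step else None))
        node = step[0] if step else None
    return list(reversed(path))


def format_path(path):
    """Render a path as 'a -[perm]-> b -[perm]-> c' for a report."""
    out = path[0][0]
    for node, etype in path[1:]:
        out += f" -[{etype}]-> {node}"
    return out


def reach_counts(adj, goal, **kwargs):
    """Hop count of every node that can escalate to goal: the goal's blast radius."""
    result = {}
    for start in adj:
        if start == goal:
            continue
        path = shortest_escalation_path(adj, start, goal, **kwargs)
        if path is not None:
            result[start] = len(path) - 1
    return result


if __name__ == "__main__":
    adj = load_graph(SAMPLE_GRAPH)
    print(format_path(shortest_escalation_path(adj, "user:dev@example.com", "project:proj-a")))
    print(reach_counts(adj, "project:proj-a"))
```

Running it on the sample prints a four-hop chain from the developer user to the project and shows that only the four principals on that chain can reach the project; the folder and organisation nodes do not appear because inheritance edges are skipped. `reach_counts` is the defender's view of the same data: the larger the set of nodes that can reach an organisation- or project-level target, the more bindings there are to review.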
4. Customising Privilege Escalation Edges with JSON Definitions
GCPwn reads escalation rules from a JSON file, making it trivial to add your own edges for custom environments or zero‑day logic.
Default location: `~/.gcpwn/escalation_edges.json` or in the tool’s installation directory.
Example custom edge – single permission:
{
  "single_permission_edges": [
    {
      "source_perm": "resourcemanager.projects.setIamPolicy",
      "target_perm": "resourcemanager.projects.getIamPolicy",
      "description": "Can grant any permission to self via policy update"
    }
  ]
}
Multi‑permission edge example (two required permissions):
{
  "multi_permission_edges": [
    {
      "permissions": ["storage.buckets.update", "storage.buckets.setIamPolicy"],
      "description": "Update bucket metadata and then modify IAM to elevate privileges"
    }
  ]
}
How to use:
- Edit the JSON file with your own edges.
- Re‑run `export_graph` – the new edges will appear automatically.
- Fork the GCPwn repository if you want to share your rule set with a team.
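To see how a rule file in the two shapes shown above turns collected `testIamPermissions` results into graph edges, here is an added example (not GCPwn's own rule engine). It validates the rule file so a typo does not silently drop an edge, then fires a single-permission rule when the principal holds `source_perm` on a resource and a multi-permission rule only when every listed permission is held on the same resource. How GCPwn itself interprets `source_perm` versus `target_perm` is not stated on the page, so treating `target_perm` as metadata is an assumption, and the result records (`principal`, `resource`, `permission`, `allowed`) are a constructed schema, not the tool's output format.

```python
import json

# Constructed rule file using the two shapes shown on the page. Not the
# project's default escalation_edges.json.
SAMPLE_RULES = json.dumps({
    "single_permission_edges": [
        {"source_perm": "resourcemanager.projects.setIamPolicy",
         "target_perm": "resourcemanager.projects.getIamPolicy",
         "description": "Can grant any permission to self via policy update"}
    ],
    "multi_permission_edges": [
        {"permissions": ["storage.buckets.update", "storage.buckets.setIamPolicy"],
         "description": "Update bucket metadata and then modify IAM to elevate privileges"}
    ],
})

# Constructed testIamPermissions-style results. The field names are an
# assumption for this example, not GCPwn's output schema.
SAMPLE_RESULTS = [
    {"principal": "user:alice@example.com", "resource": "bucket:logs",
     "permission": "storage.buckets.update", "allowed": True},
    {"principal": "user:alice@example.com", "resource": "bucket:logs",
     "permission": "storage.buckets.setIamPolicy", "allowed": True},
    {"principal": "user:alice@example.com", "resource": "project:proj-a",
     "permission": "resourcemanager.projects.setIamPolicy", "allowed": False},
    {"principal": "user:bob@example.com", "resource": "bucket:logs",
     "permission": "storage.buckets.update", "allowed": True},
    {"principal": "sa:deployer@proj-a.iam", "resource": "project:proj-a",
     "permission": "resourcemanager.projects.setIamPolicy", "allowed": True},
]

REQUIRED_SINGLE = {"source_perm", "target_perm", "description"}
REQUIRED_MULTI = {"permissions", "description"}


def load_rules(text):
    """Parse a rule document and reject malformed rules instead of ignoring them."""
    doc = json.loads(text)
    singles = doc.get("single_permission_edges", [])
    multis = doc.get("multi_permission_edges", [])
    for i, rule in enumerate(singles):
        missing = REQUIRED_SINGLE - set(rule)
        if missing:
            raise ValueError(f"single_permission_edges[{i}] missing {sorted(missing)}")
    for i, rule in enumerate(multis):
        missing = REQUIRED_MULTI - set(rule)
        if missing or not isinstance(rule["permissions"], list) or len(rule["permissions"]) < 2:
            raise ValueError(f"multi_permission_edges[{i}] needs 'description' and >= 2 'permissions'")
    return singles, multis


def allowed_permissions(results):
    """Group allowed results into {(principal, resource): set_of_permissions}."""
    held = {}
    for r in results:
        if r.get("allowed"):
            held.setdefault((r["principal"], r["resource"]), set()).add(r["permission"])
    return held


def derive_edges(results, singles, multis):
    """Emit graph edges (source/target/type/description) for every rule that fires."""
    held = allowed_permissions(results)
    edges = []
    for (principal, resource), perms in sorted(held.items()):
        for rule in singles:
            if rule["source_perm"] in perms:
                edges.append({"source": principal, "target": resource,
                              "type": rule["source_perm"],
                              "unlocks": rule["target_perm"],
                              "description": rule["description"]})
        for rule in multis:
            needed = set(rule["permissions"])
            # all permissions must be held on the same resource, not spread over several
            if needed <= perms:
                edges.append({"source": principal, "target": resource,
                              "type": "+".join(sorted(needed)),
                              "description": rule["description"]})
    return edges


if __name__ == "__main__":
    singles, multis = load_rules(SAMPLE_RULES)
    for edge in derive_edges(SAMPLE_RESULTS, singles, multis):
        print(edge)
```

On the sample data two edges fire: the multi-permission bucket rule for alice (who holds both bucket permissions) and the single-permission project rule for the deployer service account. Bob holds only one of the two bucket permissions and alice's project-level `setIamPolicy` result was denied, so neither produces an edge. This is the check a defender wants when adding a custom rule: a combination should only appear in the graph when the full set is actually granted on one resource.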
Adversarial use‑case: An attacker adds an edge for `cloudkms.cryptoKeys.getIamPolicy` + `cloudkms.cryptoKeys.setIamPolicy` to model how they can escalate from a KMS reader to a KMS admin.
5. Cloud Hardening Mitigations Against Graph‑Discovered Privilege Escalations
Now that you can find escalation paths, here’s how to harden GCP against them.
Step‑by‑step remediation commands (gcloud CLI):
1. Remove overly broad roles (e.g., roles/editor) from service accounts
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:SA_EMAIL --role=roles/editor
2. Enforce separation of duties using condition bindings (attribute‑based access control)
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:USER_EMAIL --role=roles/compute.instanceAdmin \
  --condition="expression=resource.name.contains('prod'),title=prod_only"
3. Audit all service account keys and delete unused ones
gcloud iam service-accounts keys list --iam-account=SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account=SA_EMAIL
4. Enable Audit Logs for all IAM changes to detect graph‑based attacks (Admin Activity logs are always on; the auditConfigs entry below turns on Data Access logs for the IAM API, which is where testIamPermissions calls are recorded)
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# add to policy.json: "auditConfigs": [{"service": "iam.googleapis.com", "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]}]
gcloud projects set-iam-policy PROJECT_ID policy.json
Windows / PowerShell alternative (using gcloud.cmd):
# Out-String joins gcloud's output lines so ConvertFrom-Json parses one document; then filter the bindings array
(gcloud projects get-iam-policy PROJECT_ID --format=json | Out-String | ConvertFrom-Json).bindings |
  Where-Object { $_.role -eq "roles/editor" }
Mitigation strategy post‑analysis:
- Restrict `iam.serviceAccountKeys.create` to only CI/CD pipelines with short‑lived tokens.
- Prevent `compute.instances.setMetadata` on instances that run privileged service accounts.
- Use VPC Service Controls to limit `testIamPermissions` leakage across projects.
6. Quality‑of‑Life Improvements: Tab Completion and Excel Exports
GCPwn now includes tab auto‑complete, better CLI parsing, and optional Excel exports – features that speed up reporting.
Enable optional dependencies:
pip install prettytable xlsxwriter
Generate an Excel report from enumeration:
# Inside GCPwn, after running enum_all
from gcpwn.reporting import excel_exporter
excel_exporter.export('gcp_enum_results', 'report.xlsx')
Linux command to quickly search for high‑risk permissions in the Excel file:
libreoffice --headless --convert-to csv report.xlsx --outdir . && grep "serviceAccountKeys.create" report.csv
For Windows: Open the `.xlsx` in Excel and use filter on the “Permissions” column.
These features turn raw enumeration data into client‑ready deliverables, saving hours of manual parsing.
7. Combining GCPwn with OCInferno for Multi‑Cloud Graph Analysis
OCInferno applies the same OpenGraph logic to Oracle Cloud Infrastructure. While GCPwn focuses on GCP, the graph schema is compatible, allowing you to unify findings across clouds.
Export OCI graph:
cd OCInferno
python ocinferno.py --enum-all --output oci_graph.json
Merge with GCP graph using jq (Linux):
jq -s '{nodes: (.[0].nodes + .[1].nodes), edges: (.[0].edges + .[1].edges)}' gcp_graph.json oci_graph.json > merged_cloud_graph.json
Use case: An organisation running both GCP and OCI can visualise cross‑cloud privilege escalation paths (e.g., compromised OCI user assumes GCP service account via stolen credentials).
Detection tip: Monitor for unusual `testIamPermissions` bursts across cloud providers – both tools generate similar API patterns that can be flagged by cloud threat detection systems.
What Undercode Say
- Graph‑based enumeration is the future of cloud privilege escalation testing – static IAM reviews miss multi‑step chains that GCPwn’s OpenGraph export reveals in seconds.
- Attackers will soon adopt these same techniques – red teams now have a blueprint; defenders must proactively map their own IAM graphs and apply least privilege with conditions, not just roles.
- Open‑source cloud pentesting tools lower the barrier to entry – but also increase risk if misused; organisations should run GCPwn self‑assessments quarterly.
- Multi‑permission edges (e.g., compute+iam combo) are the new zero‑day – most cloud security tools only alert on single high‑risk permissions, not the combination GCPwn models.
- Customisability means defenders can model their own attack surface – by forking the escalation JSON, you can simulate what an insider with specific access could do.
Prediction: Within 18 months, major cloud providers will release native “privilege escalation graph” features in their security hubs, directly inspired by projects like GCPwn. However, attacker‑built custom graphs will always outpace vendor tools – making open‑source frameworks essential for any serious cloud security program. Organisations that don’t regularly graph their IAM will suffer preventable breaches through chained permission exploits.
Reported By: Webbinroot Gcpwn – Hackers Feeds