GCPwn & OCInferno: Unleash OpenGraph Cloud Pentesting for Privilege Escalation in GCP + Video

Introduction:

Cloud privilege escalation remains a critical blind spot in Google Cloud Platform (GCP) security assessments. Traditional enumeration tools often miss complex permission chains that attackers exploit to move from a compromised service account to full organization access. New open‑source frameworks like GCPwn and OCInferno now map IAM policies, testIamPermissions responses, and resource inheritance into an exploitable graph, revealing single and multi‑step privilege escalation paths that manual reviews would rarely catch.

Learning Objectives:

  • Understand how GCPwn collects IAM bindings and testIamPermissions data across GCP organizations, folders, projects, and buckets.
  • Learn to export enumeration results into an OpenGraph JSON file and visualise privilege escalation edges (including multi‑permission chains).
  • Gain hands‑on experience with installing GCPwn via PyPI or standalone executables, running enumeration modules, and customising privilege escalation rule sets.

You Should Know

1. Installing GCPwn and OCInferno on Linux / Windows

Both tools are Python‑based and designed for cloud penetration testing. GCPwn is the primary GCP assessment tool; OCInferno focuses on Oracle Cloud Infrastructure (OCI) but shares the OpenGraph concept.

Step‑by‑step installation (Linux/macOS/WSL):

# Option 1: PyPI package (recommended for flexibility)
pip install gcpwn

# Option 2: Standalone Linux executable (no Python dependencies)
wget https://github.com/NetSPI/gcpwn/releases/latest/download/gcpwn-linux-amd64
chmod +x gcpwn-linux-amd64
./gcpwn-linux-amd64

# For OCInferno (standalone)
git clone https://github.com/NetSPI/OCInferno.git
cd OCInferno
pip install -r requirements.txt

On Windows: Use WSL2 or Python directly in PowerShell:

pip install gcpwn
gcpwn --help

Verification: After installation, test connectivity to GCP by setting up application default credentials:

gcloud auth application-default login
gcpwn
> list modules

This confirms the tool can enumerate IAM policies using your authenticated GCP session.

2. Enumerating GCP IAM with `testIamPermissions` and Passive Collection

GCPwn’s core enumeration module, enum_all --iam, runs hundreds of `testIamPermissions` calls across all accessible resources. It also passively captures permissions from API responses during other modules.

Step‑by‑step enumeration guide:

# Start GCPwn interactive console
gcpwn

# Inside GCPwn shell
use modules/enum_all
set iam true
set output_dir ./gcp_enum_results
run

What happens behind the scenes:

  • The tool discovers all projects, folders, and organizations your identity can reach.
  • For each resource (bucket, compute instance, service account, etc.), it calls `testIamPermissions` with a list of thousands of permissions.
  • Responses (allowed/denied) are stored along with IAM policy bindings from getIamPolicy.
  • Results are saved to CSV, JSON, and optionally Excel if `xlsxwriter` is installed.

Linux command to inspect raw permission data:

jq '.[] | select(.permission=="iam.serviceAccounts.actAs")' ./gcp_enum_results/iam_permissions.json

Windows alternative (PowerShell):

(Get-Content .\gcp_enum_results\iam_permissions.json -Raw | ConvertFrom-Json) | Where-Object { $_.permission -eq "iam.serviceAccounts.actAs" }

This output shows which identities have critical “actAs” permissions – a common precursor to privilege escalation.

3. Exporting OpenGraph JSON and Visualising Privilege Escalation Paths

After enumeration, GCPwn can export all collected relationships (user→role→resource→inheritance) into an OpenGraph JSON file. The graph includes privilege escalation edges defined in the project’s escalation_edges.json.

Step‑by‑step graph generation:

# From within GCPwn shell after enumeration
use modules/export_graph
set input_dir ./gcp_enum_results
set output_file graph.json
set format opengraph
run

The resulting `graph.json` contains nodes (users, service accounts, roles, resources) and directed edges representing permission inheritance and escalation possibilities.

Visualising with a Python script:

import json
import networkx as nx
import matplotlib.pyplot as plt

# Load the OpenGraph export written by export_graph
with open('graph.json') as f:
    data = json.load(f)

# Build a directed graph; each edge keeps its type (permission, inheritance or escalation)
G = nx.DiGraph()
for edge in data['edges']:
    G.add_edge(edge['source'], edge['target'], label=edge.get('type', ''))

# Draw privilege escalation paths
pos = nx.spring_layout(G)
nx.draw(G, pos, with_labels=True, node_size=500, font_size=8)
plt.show()

What the graph shows:

  • Single‑permission edges (e.g., `iam.serviceAccountKeys.create` allows a user to create a key and impersonate a service account).
  • Multi‑permission edges (e.g., `compute.instances.update` + `iam.serviceAccounts.actAs` + `compute.instances.setMetadata` allows modifying an instance to run as a high‑privilege service account).
  • Inheritance edges (project inherits permissions from its parent folder or organization).

This visualisation identifies the shortest path from a low‑privileged principal to a high‑value resource (e.g., organisation admin).
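As an added example that is not part of GCPwn or the original post, the following standalone Python script performs that shortest-path step without networkx: it loads a small constructed OpenGraph-style export (node ids, identities and edge types are made up for illustration) and runs a breadth-first search from a low-privileged principal to a high-value resource, returning each hop together with the edge type that enables it.

```python
import json
from collections import deque

# Constructed OpenGraph-style export (node ids, identities and edge types are
# made up for illustration; this is not a real GCPwn graph.json).
SAMPLE_GRAPH = json.dumps({
    "nodes": [{"id": n} for n in [
        "user:dev@example.com", "serviceAccount:ci@my-proj.iam",
        "instance:web-1", "serviceAccount:admin@my-proj.iam",
        "project:prod", "organization:123456"]],
    "edges": [
        {"source": "user:dev@example.com", "target": "serviceAccount:ci@my-proj.iam",
         "type": "iam.serviceAccountKeys.create"},
        {"source": "serviceAccount:ci@my-proj.iam", "target": "instance:web-1",
         "type": "compute.instances.setMetadata+iam.serviceAccounts.actAs"},
        {"source": "instance:web-1", "target": "serviceAccount:admin@my-proj.iam",
         "type": "runs_as"},
        {"source": "serviceAccount:admin@my-proj.iam", "target": "project:prod",
         "type": "roles/owner"},
        {"source": "organization:123456", "target": "project:prod", "type": "inherits"},
    ],
})

def load_graph(text):
    """Build an adjacency list {source: [(target, edge_type), ...]} from the export."""
    adj = {}
    for e in json.loads(text)["edges"]:
        adj.setdefault(e["source"], []).append((e["target"], e.get("type", "")))
    return adj

def shortest_escalation_path(adj, start, goal):
    """Breadth-first search over directed edges. Returns the hops as
    (from, edge_type, to) triples, or None when goal is unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, etype = parent[node]
                hops.append((prev, etype, node))
                node = prev
            return hops[::-1]
        for nxt, etype in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, etype)
                queue.append(nxt)
    return None
```

Calling `shortest_escalation_path(load_graph(SAMPLE_GRAPH), "user:dev@example.com", "project:prod")` returns the four-hop chain key creation, instance metadata plus actAs, runs_as, and roles/owner; the inheritance edge from the organization is never used because it does not lead back to the principal.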

4. Customising Privilege Escalation Edges with JSON Definitions

GCPwn reads escalation rules from a JSON file, making it trivial to add your own edges for custom environments or zero‑day logic.

Default location: `~/.gcpwn/escalation_edges.json` or in the tool’s installation directory.

Example custom edge – single permission:

{
  "single_permission_edges": [
    {
      "source_perm": "resourcemanager.projects.setIamPolicy",
      "target_perm": "resourcemanager.projects.getIamPolicy",
      "description": "Can grant any permission to self via policy update"
    }
  ]
}

Multi‑permission edge example (two required permissions):

{
  "multi_permission_edges": [
    {
      "permissions": ["storage.buckets.update", "storage.buckets.setIamPolicy"],
      "description": "Update bucket metadata and then modify IAM to elevate privileges"
    }
  ]
}

How to use:

  1. Edit the JSON file with your own edges.
  2. Re‑run `export_graph` – the new edges will appear automatically.
  3. Fork the GCPwn repository if you want to share your rule set with a team.

Adversarial use‑case: An attacker adds an edge for `cloudkms.cryptoKeys.getIamPolicy` + `cloudkms.cryptoKeys.setIamPolicy` to model how they can escalate from a KMS reader to a KMS admin.
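To show how such a rule file turns raw `testIamPermissions` results into escalation edges, here is an added example (not GCPwn's own code). It assumes the rule shape shown above: a `single_permission_edges` entry fires when the principal holds its `source_perm` on a resource, and a `multi_permission_edges` entry only when every listed permission is held on that same resource; the identities and permission sets are constructed.

```python
import json

# Constructed copy of an escalation_edges.json in the shape shown above.
RULES = json.loads("""{
  "single_permission_edges": [
    {"source_perm": "resourcemanager.projects.setIamPolicy",
     "target_perm": "resourcemanager.projects.getIamPolicy",
     "description": "Can grant any permission to self via policy update"}
  ],
  "multi_permission_edges": [
    {"permissions": ["storage.buckets.update", "storage.buckets.setIamPolicy"],
     "description": "Update bucket metadata and then modify IAM to elevate privileges"},
    {"permissions": ["compute.instances.update", "iam.serviceAccounts.actAs",
                     "compute.instances.setMetadata"],
     "description": "Modify an instance to run as a high-privilege service account"}
  ]
}""")

# Constructed testIamPermissions results: principal -> resource -> allowed permissions.
ENUM_RESULTS = {
    "user:alice@example.com": {
        "project:dev": {"resourcemanager.projects.getIamPolicy",
                        "compute.instances.update", "compute.instances.setMetadata"},
        "bucket:backups": {"storage.buckets.update", "storage.buckets.setIamPolicy"},
    },
    "serviceAccount:ci@dev.iam": {
        "project:dev": {"compute.instances.update", "iam.serviceAccounts.actAs",
                        "compute.instances.setMetadata"},
    },
}

def required_permissions(rules):
    """Flatten both rule kinds into (required permission set, description) pairs."""
    reqs = [(frozenset([r["source_perm"]]), r["description"])
            for r in rules.get("single_permission_edges", [])]
    reqs += [(frozenset(r["permissions"]), r["description"])
             for r in rules.get("multi_permission_edges", [])]
    return reqs

def find_escalation_edges(results, rules):
    """Emit one OpenGraph-style edge per (principal, resource) whose allowed set
    contains every permission a rule requires; partial matches produce nothing."""
    edges = []
    for principal, resources in results.items():
        for resource, allowed in resources.items():
            for needed, desc in required_permissions(rules):
                if needed <= allowed:
                    edges.append({"source": principal, "target": resource,
                                  "type": "+".join(sorted(needed)), "description": desc})
    return edges
```

Alice holds two of the three compute permissions on `project:dev` but lacks `iam.serviceAccounts.actAs`, so no compute edge is emitted for her; only the complete bucket combination and the CI service account's full compute combination become edges.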

5. Cloud Hardening Mitigations Against Graph‑Discovered Privilege Escalations

Now that you can find escalation paths, here’s how to harden GCP against them.

Step‑by‑step remediation commands (gcloud CLI):

# 1. Remove overly broad roles (e.g., roles/editor) from service accounts
gcloud projects remove-iam-policy-binding PROJECT_ID \
--member=serviceAccount:SA_EMAIL --role=roles/editor

# 2. Enforce separation of duties using condition bindings (attribute-based access control)
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=user:USER_EMAIL --role=roles/compute.instanceAdmin \
--condition="expression=resource.name.contains('prod'),title=prod_only"

# 3. Audit all service account keys and delete unused ones
gcloud iam service-accounts keys list --iam-account=SA_EMAIL
gcloud iam service-accounts keys delete KEY_ID --iam-account=SA_EMAIL

# 4. Enable Audit Logs for all IAM changes to detect graph-based attacks
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=group:GROUP_EMAIL --role=roles/logging.logWriter

Windows / PowerShell alternative (using gcloud.cmd):

gcloud projects get-iam-policy PROJECT_ID --format=json | ConvertFrom-Json |
  Select-Object -ExpandProperty bindings | Where-Object { $_.role -eq "roles/editor" }

Mitigation strategy post‑analysis:

  • Restrict `iam.serviceAccountKeys.create` to only CI/CD pipelines with short‑lived tokens.
  • Prevent `compute.instances.setMetadata` on instances that run privileged service accounts.
  • Use VPC Service Controls to limit `testIamPermissions` leakage across projects.
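As an added example (not part of the original post), this Python check applies remediation steps 1 and 2 to the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns: it flags primitive roles held by service accounts and instance-admin bindings that carry no condition, and emits the matching `remove-iam-policy-binding` command for the former. The policy document is constructed sample data, not a real project's policy.

```python
import json

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json` (not a real policy).
POLICY_JSON = """{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin",
     "members": ["user:alice@example.com"],
     "condition": {"expression": "resource.name.contains('prod')", "title": "prod_only"}},
    {"role": "roles/compute.instanceAdmin", "members": ["user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]}
  ],
  "etag": "BwXYZ", "version": 3
}"""

# Primitive roles that should not sit on a service account (remediation step 1).
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Roles granting instance update / setMetadata rights, one half of the
# setMetadata + actAs combination listed above; they should carry a condition (step 2).
CONDITION_EXPECTED = {"roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1"}

def audit_policy(policy_text):
    """Return (finding, member, role) tuples for risky bindings, in policy order."""
    findings = []
    for binding in json.loads(policy_text).get("bindings", []):
        role, has_condition = binding["role"], "condition" in binding
        for member in binding.get("members", []):
            if role in BROAD_ROLES and member.startswith("serviceAccount:"):
                findings.append(("broad_role_on_sa", member, role))
            if role in CONDITION_EXPECTED and not has_condition:
                findings.append(("unconditional_binding", member, role))
    return findings

def remediation_commands(findings, project_id):
    """Emit the gcloud command from remediation step 1 for each broad-role finding."""
    return [f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member={member} --role={role}"
            for kind, member, role in findings if kind == "broad_role_on_sa"]

if __name__ == "__main__":
    found = audit_policy(POLICY_JSON)
    for item in found:
        print(item)
    for cmd in remediation_commands(found, "PROJECT_ID"):
        print(cmd)
```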

6. Quality‑of‑Life Improvements: Tab Completion and Excel Exports

GCPwn now includes tab auto‑complete, better CLI parsing, and optional Excel exports – features that speed up reporting.

Enable optional dependencies:

pip install prettytable xlsxwriter

Generate an Excel report from enumeration:

# Inside GCPwn after running enum_all
from gcpwn.reporting import excel_exporter
excel_exporter.export('gcp_enum_results', 'report.xlsx')

Linux command to quickly search for high‑risk permissions in the Excel file:

libreoffice --headless --convert-to csv report.xlsx --outdir . && grep "serviceAccountKeys.create" report.csv

For Windows: Open the `.xlsx` in Excel and use filter on the “Permissions” column.

These features turn raw enumeration data into client‑ready deliverables, saving hours of manual parsing.

7. Combining GCPwn with OCInferno for Multi‑Cloud Graph Analysis

OCInferno applies the same OpenGraph logic to Oracle Cloud Infrastructure. While GCPwn focuses on GCP, the graph schema is compatible, allowing you to unify findings across clouds.

Export OCI graph:

cd OCInferno
python ocinferno.py --enum-all --output oci_graph.json

Merge with GCP graph using jq (Linux):

jq -s '{nodes: (.[0].nodes + .[1].nodes), edges: (.[0].edges + .[1].edges)}' gcp_graph.json oci_graph.json > merged_cloud_graph.json

Use case: An organisation running both GCP and OCI can visualise cross‑cloud privilege escalation paths (e.g., compromised OCI user assumes GCP service account via stolen credentials).

Detection tip: Monitor for unusual `testIamPermissions` bursts across cloud providers – both tools generate similar API patterns that can be flagged by cloud threat detection systems.

What Undercode Say

  • Graph‑based enumeration is the future of cloud privilege escalation testing – static IAM reviews miss multi‑step chains that GCPwn’s OpenGraph export reveals in seconds.
  • Attackers will soon adopt these same techniques – red teams now have a blueprint; defenders must proactively map their own IAM graphs and apply least privilege with conditions, not just roles.
  • Open‑source cloud pentesting tools lower the barrier to entry – but also increase risk if misused; organisations should run GCPwn self‑assessments quarterly.
  • Multi‑permission edges (e.g., compute+iam combo) are the new zero‑day – most cloud security tools only alert on single high‑risk permissions, not the combination GCPwn models.
  • Customisability means defenders can model their own attack surface – by forking the escalation JSON, you can simulate what an insider with specific access could do.

Prediction: Within 18 months, major cloud providers will release native “privilege escalation graph” features in their security hubs, directly inspired by projects like GCPwn. However, attacker‑built custom graphs will always outpace vendor tools – making open‑source frameworks essential for any serious cloud security program. Organisations that don’t regularly graph their IAM will suffer preventable breaches through chained permission exploits.

Reported By: Webbinroot Gcpwn – Hackers Feeds