GITBOOK-681: No subject
carlospolop authored and gitbook-bot committed Sep 15, 2024
1 parent d3fc5ae commit 0b4c337
Showing 1 changed file with 25 additions and 0 deletions.
Expand Up @@ -77,6 +77,31 @@ ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal supp
```
{% endcode %}

A faster way to enumerate Service Accounts in know projects is just to try to access to the URL: `https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email>`\
For examlpe: `https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com`

If the response is a 403, it means that the SA exists. But if the answer is a 404 it means that it doesn't exist:

```json
// Exists
{
"error": {
"code": 403,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"status": "PERMISSION_DENIED"
}
}

// Doesn't exist
{
"error": {
"code": 404,
"message": "Unknown service account",
"status": "NOT_FOUND"
}
}
```

Note how when the user email was valid the error message indicated that they type isn't, so we managed to discover that the email support@hacktricks.xyz exists without granting it any privileges.

You can so the **same with Service Accounts** using the type **`user:`** instead of **`serviceAccount:`**:
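Review bot: the new paragraph at the top of this hunk has typos that should be fixed before merge: `in know projects` should read `in known projects`, `try to access to the URL` should read `try to access the URL`, and `For examlpe` should read `For example`. Two smaller points in the same hunk: the fenced block is tagged `json` but contains `// Exists` and `// Doesn't exist` comments, which are not valid JSON, so either tag it `jsonc` or move those labels into prose above each object; and the worked URL embeds a concrete project ID and service-account email (`gcp-labs-3uis1xlx`, `appengine-lab-1-tarsget@...`) while the sentence before it uses `<project-id>` and `<sa-email>`, so consider using the same placeholders in both for consistency. It would also help to say that the 403-versus-404 distinction is the unauthenticated API behaviour observed at the time of writing, since the text presents it as a fixed rule and the response text could change.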
