Google Cloud Functions GCF Enumeration

Description

Google Cloud Function code gets stored in a Google Cloud Storage bucket. Although we currently don't know the exact bucket name, it's worth noting that GCP uses a predictable naming format for Cloud Function buckets! The bucket naming format is gcf-sources-BUILD_NUMBER-REGION

Format

1) gcf-sources : A hardcoded value

2) 212055223570 : The build number (included above with the buildName key)

3) us-central1: The region

Commands

Enumerate functions via the GCP API

curl -H "Authorization: Bearer $ACCESS_TOKEN" \
"https://cloudfunctions.googleapis.com/v1/projects/PROJECT_NAME/locations/-/functions"

Set bucket name as a variable

BUCKET_NAME="gcf-sources-212055223570-us-central1" (Example)

Make a request to list the bucket contents

curl -X GET -H "Authorization: Bearer $ACCESS_TOKEN" "https://storage.googleapis.com/storage/v1/b/$BUCKET_NAME/o"

We can now exfiltrate the source code and inspect it! Using Google's Storage API we download the zip file (example):

FILE_URL="https://www.googleapis.com/download/storage/v1/b/gcf-sources-212055223570-us-central1/o/function-1-8678e4fb-cf43-4d97-b877-6512729bdba4%2Fversion-2%2Ffunction-source.zip?generation=1708197786687849&alt=media"

Download the file with GCP authentication

curl -o function-source.zip -H "Authorization: Bearer $ACCESS_TOKEN" "$FILE_URL"

Unzip the function file to inspect the source code for credentials/secrets/etc.

unzip function-source.zip

PreviousFuzzing IAM Permissions using the "testIAMPermissions" feature NextIAM Policy Enumeration

Last updated 4 months ago

hashtagDescription

hashtagGoogle Cloud Function code gets stored in a Google Cloud Storage bucket. Although we currently don't know the exact bucket name, it's worth noting that GCP uses a predictable naming format for Cloud Function buckets! The bucket naming format is gcf-sources-BUILD_NUMBER-REGION

hashtagFormat

hashtag1) gcf-sources : A hardcoded value

hashtag2) 212055223570 : The build number (included above with the buildName key)

hashtag3) us-central1: The region

hashtagCommands

hashtagEnumerate functions via the GCP API

hashtagSet bucket name as a variable

hashtagMake a request to list the bucket contents

hashtagWe can now exfiltrate the source code and inspect it! Using Google's Storage API we download the zip file (example):

hashtagDownload the file with GCP authentication

hashtagUnzip the function file to inspect the source code for credentials/secrets/etc.

Description

Google Cloud Function code gets stored in a Google Cloud Storage bucket. Although we currently don't know the exact bucket name, it's worth noting that GCP uses a predictable naming format for Cloud Function buckets! The bucket naming format is gcf-sources-BUILD_NUMBER-REGION

Format

1) gcf-sources : A hardcoded value

2) 212055223570 : The build number (included above with the buildName key)

3) us-central1: The region

Commands

Enumerate functions via the GCP API

Set bucket name as a variable

Make a request to list the bucket contents

We can now exfiltrate the source code and inspect it! Using Google's Storage API we download the zip file (example):

Download the file with GCP authentication

Unzip the function file to inspect the source code for credentials/secrets/etc.