Diffstat (limited to 'README.md')
-rw-r--r-- README.md 77
1 files changed, 77 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6bc411d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,77 @@
+## SignedJwt-PrivEsc
+---
+
+This tool specifically targets the `iam.serviceAccounts.signJwt` permission to generate an Access Token for a target Service Account without needing its private key.
+
+### OverView
+---
+
+In GCP, if an identity has the Service Account Token Creator role (or specifically iam.serviceAccounts.signJwt), they can sign a well-formed JWT which can be used to request Access Token for service Accounts. This script works as follows:
+
+ - Constructs an unsigned JWT with the target ServiceAccount as the issuer
+ - Calls the `signJwt` method of the IAM API, and passes the constructed JWT as the payload
+ - Exchanges the signed JWT for a full OAuth2 Access Token.
+
+
+### Options
+---
+
+```shell
+usage: signedjwt-privesc.py [-h] (-t TOKEN | -f TOKEN_FILE | -k KEY_FILE) -s TARGET
+
+Own Accounts with signJwt
+
+options:
+ -h, --help show this help message and exit
+ -t, --token TOKEN Caller's Access Token string
+ -f, --token-file TOKEN_FILE
+ Path to file containing Access Token
+ -k, --key-file KEY_FILE
+ Path to Service Account JSON key file
+ -s, --target-account TARGET Target Service Account Email
+```
+
+
+### Prerequisites
+---
+ - Python 3.x
+ - The iamcredentials.googleapis.com API must be enabled in the target project.
+ - Your caller identity must have iam.serviceAccounts.signJwt permission on the target account.
+
+
+### Installation
+---
+
+```
+git clone https://github.com/5epi0l/signedJwt-PrivEsc.git
+cd signedJwt-PrivEsc
+pip install -r requirements.txt
+```
+
+### Usage
+---
+
+1. Using a direct Access Token
+
+```shell
+python3 signedjwt-privesc.py -t $(gcloud auth print-access-token) -s target-sa@project-id.iam.gserviceaccount.com
+```
+
+2. Using a Service Account JSON Key
+
+```shell
+python3 signedjwt-privesc.py -k /path/to/key.json -s target-sa@project-id.iam.gserviceaccount.com
+```
+
+3. Using a Token File
+
+```shell
+python3 signedjwt-privesc.py -f ./token.txt -s target-sa@project-id.iam.gserviceaccount.com
+```
+
+
+## Disclaimer
+---
+
+This tool is for authorized security auditing and educational purposes only. Unauthorized access to computer systems is illegal.
+
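Review bot: Usage example 1 passes the caller's access token as a command-line argument (`-t $(gcloud auth print-access-token)`), which leaves a live bearer token readable in the process list while the script runs; I would lead the Usage section with the `-f` or `-k` form and note next to `-t` that the token is exposed to other local users. The README also never says where the resulting access token is written, or which scopes and lifetime the constructed JWT requests, so someone running an authorized test cannot tell what has to be protected or revoked afterwards; one sentence in the Overview on the claim set and one in Options on the output would cover it. Prerequisites gives only "Python 3.x" with no minimum version. Minor: `### OverView` should read `### Overview`, the Installation fence is missing the `shell` tag the other blocks carry, and `## Disclaimer` sits one heading level above its sibling sections.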