## SignedJwt-PrivEsc
---

This tool specifically targets the `iam.serviceAccounts.signJwt` permission to generate an Access Token for a target Service Account without needing its private key.

### Overview
---

In GCP, an identity that holds the Service Account Token Creator role (or specifically the `iam.serviceAccounts.signJwt` permission) can sign a well-formed JWT, which can then be used to request an Access Token for a Service Account. This script works as follows:

   - Constructs an unsigned JWT with the target Service Account as the issuer
   - Calls the `signJwt` method of the IAM API, and passes the constructed JWT as the payload
   - Exchanges the signed JWT for a full OAuth2 Access Token.
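
To see who could exercise this path in a project, the following audit sketch (an added example, not part of this tool) lists every member whose binding carries `iam.serviceAccounts.signJwt`, either through the Token Creator role or through a custom role. The policy, custom role name and member addresses are constructed samples, and the function name is an assumption of this example.

```python
import json

SIGN_JWT = "iam.serviceAccounts.signJwt"
# Predefined role named in the overview above; it includes the signJwt permission.
PREDEFINED_ROLES = {"roles/iam.serviceAccountTokenCreator"}

# Constructed sample: an IAM policy in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:dev@example.com",
               "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "projects/example-proj/roles/jwtSigner",
   "members": ["group:ops@example.com"],
   "condition": {"title": "expires",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
]}
""")

# Constructed sample: custom role name -> includedPermissions, as shown by
# `gcloud iam roles describe`.
SAMPLE_CUSTOM_ROLES = {
    "projects/example-proj/roles/jwtSigner": ["iam.serviceAccounts.signJwt"],
}

def find_signjwt_grants(policy, custom_roles=None, scope="project"):
    """Return one finding per (member, role) binding that allows signJwt."""
    custom_roles = custom_roles or {}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in PREDEFINED_ROLES and SIGN_JWT not in custom_roles.get(role, []):
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                # A project-level binding applies to every service account in it.
                "scope": scope,
                # Conditional bindings still grant access while the condition holds.
                "conditional": "condition" in binding,
            })
    return findings

if __name__ == "__main__":
    for finding in find_signjwt_grants(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES):
        print(finding)
```

Run it against both the project policy and each service account's own policy, since the permission can be granted at either level.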


### Options
---

```shell
usage: signedjwt-privesc.py [-h] (-t TOKEN | -f TOKEN_FILE | -k KEY_FILE) -s TARGET

Own Accounts with signJwt

options:
  -h, --help            show this help message and exit
  -t, --token TOKEN     Caller's Access Token string
  -f, --token-file TOKEN_FILE
                        Path to file containing Access Token
  -k, --key-file KEY_FILE
                        Path to Service Account JSON key file
  -s, --target-account TARGET   Target Service Account Email
```


### Prerequisites
---

   - Python 3.x
   - The `iamcredentials.googleapis.com` API must be enabled in the target project.
   - Your caller identity must have the `iam.serviceAccounts.signJwt` permission on the target account.


### Installation
---

```shell
git clone https://github.com/5epi0l/signedJwt-PrivEsc.git
cd signedJwt-PrivEsc
pip install -r requirements.txt
```

### Usage
---

1. Using a direct Access Token

```shell
python3 signedjwt-privesc.py -t $(gcloud auth print-access-token) -s target-sa@project-id.iam.gserviceaccount.com
```

2. Using a Service Account JSON Key

```shell
python3 signedjwt-privesc.py -k /path/to/key.json -s target-sa@project-id.iam.gserviceaccount.com
```

3. Using a Token File

```shell
python3 signedjwt-privesc.py -f ./token.txt -s target-sa@project-id.iam.gserviceaccount.com
```


## Disclaimer
---

This tool is for authorized security auditing and educational purposes only. Unauthorized access to computer systems is illegal.