author subh <subh@example.com> 2026-02-13 01:02:26 +0530
committer subh <subh@example.com> 2026-02-13 01:02:26 +0530
commit c571d28fe006caefaec1d846cd5b78391a37f6d1 (patch)
tree 3c9e5ae838c546b68fcf241ddf92537b012936f7
parent d7485dc380f7f2a6709b9faa18d02604be362e9b (diff)
Added README
-rw-r--r-- README.md 77
-rw-r--r-- signedblob-privesc.py 2
2 files changed, 78 insertions, 1 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1360d7e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,77 @@
+## SignedBlob-PrivEsc
+---
+
+This tool specifically targets the `iam.serviceAccounts.signBlob` permission to generate an Access Token for a target Service Account without needing its private key.
+
+### OverView
+---
+
+In GCP, if an identity has the Service Account Token Creator role (or specifically iam.serviceAccounts.signBlob), they can sign arbitrary payloads which can be used to request Access Token for service Accounts. This script works as follows:
+
+ - Constructs an unsigned JWT with the target ServiceAccount as the issuer
+ - Calls the `signBlob` method of the IAM API, and passes the constructed JWT as the payload
+ - Exchanges the signed JWT for a full OAuth2 Access Token.
+
+
+### Options
+---
+
+```shell
+usage: signedblob-privesc.py [-h] (-t TOKEN | -f TOKEN_FILE | -k KEY_FILE) -s TARGET
+
+Own Accounts with signBlob
+
+options:
+ -h, --help show this help message and exit
+ -t, --token TOKEN Caller's Access Token string
+ -f, --token-file TOKEN_FILE
+ Path to file containing Access Token
+ -k, --key-file KEY_FILE
+ Path to Service Account JSON key file
+ -s, --target TARGET Target Service Account Email
+```
+
+
+### Prerequisites
+---
+ - Python 3.x
+ - The `iamcredentials.googleapis.com` API must be enabled in the target project.
+ - Your caller identity must have `iam.serviceAccounts.signBlob` permission on the target account.
+
+
+### Installation
+---
+
+```
+git clone https://github.com/5epi0l/signedBlob-PrivEsc.git
+cd signedBlob-PriveEsc
+pip install -r requirements.txt
+```
+
+### Usage
+---
+
+1. Using a direct Access Token
+
+```shell
+python3 signedblob-privesc.py -t $(gcloud auth print-access-token) -s target-sa@project-id.iam.gserviceaccount.com
+```
+
+2. Using a Service Account JSON Key
+
+```shell
+python3 signedblob-privesc.py -k /path/to/key.json -s target-sa@project-id.iam.gserviceaccount.com
+```
+
+3. Using a Token File
+
+```shell
+python3 signedblob-privesc.py -f ./token.txt -s target-sa@project-id.iam.gserviceaccount.com
+```
+
+
+## Disclaimer
+---
+
+This tool is for authorized security auditing and educational purposes only. Unauthorized access to computer systems is illegal.
+
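Review bot: the Installation steps fail as written because the `cd signedBlob-PriveEsc` line does not match the directory that the preceding `git clone https://github.com/5epi0l/signedBlob-PrivEsc.git` creates; it should read `cd signedBlob-PrivEsc`. The Overview and Prerequisites also name different APIs for the same call: the Overview says the script "Calls the `signBlob` method of the IAM API", while Prerequisites says `iamcredentials.googleapis.com` must be enabled, so a reader cannot tell which API to enable or which audit log to watch for these calls; name the same API in both places. Minor style points: the Installation fence has no language tag while every other fence in the file uses ```shell, and the "### OverView" heading should be "### Overview".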
diff --git a/signedblob-privesc.py b/signedblob-privesc.py
index aff6428..b0c701b 100644
--- a/signedblob-privesc.py
+++ b/signedblob-privesc.py
@@ -67,7 +67,7 @@ def executeSignBlob(bearer_token, target_sa):
return token_resp.json()
def main():
- parser = argparse.ArgumentParser(description="signBlob Privilege Escalation")
+ parser = argparse.ArgumentParser(description="Own Accounts with signBlob")
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-t", "--token", help="Caller's Access Token string")
group.add_argument("-f", "--token-file", help="Path to file containing Access Token")
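Review bot: the edit to the argparse description in signedblob-privesc.py is not covered by the commit message "Added README"; either mention it in the message or keep the README addition and the script change in separate commits so the history stays easy to audit. The new string "Own Accounts with signBlob" is also less informative than the previous "signBlob Privilege Escalation", and the same text is duplicated in the README's usage block, so any future change to the description has to be made in both files.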