## SignedBlob-PrivEsc
---

This tool abuses the `iam.serviceAccounts.signBlob` permission to mint an OAuth2 access token for a target service account without ever holding that account's private key.

### Overview
---

In GCP, an identity that holds the Service Account Token Creator role (`roles/iam.serviceAccountTokenCreator`), or more narrowly just the `iam.serviceAccounts.signBlob` permission, can have the IAM Credentials API sign arbitrary bytes with the target service account's Google-managed private key. Because Google's OAuth2 token endpoint accepts a JWT signed by that key as a `jwt-bearer` assertion, the signature alone is enough to obtain an access token for the service account. This script works as follows:

   - Constructs an unsigned RS256 JWT with the target service account as the issuer (`iss`), the OAuth2 token endpoint as the audience (`aud`) and the requested scope
   - Calls the `signBlob` method of the IAM Credentials API (`iamcredentials.googleapis.com`) with the encoded JWT header and claims as the payload
   - Appends the returned signature and exchanges the signed JWT for a full OAuth2 access token at `https://oauth2.googleapis.com/token`

Note that the Token Creator role also grants `iam.serviceAccounts.getAccessToken`, so an identity holding the full role could simply call `generateAccessToken`; the `signBlob` route matters when a custom role grants `signBlob` (or `signJwt`) without `getAccessToken`.


### Options
---

```shell
usage: signedblob-privesc.py [-h] (-t TOKEN | -f TOKEN_FILE | -k KEY_FILE) -s TARGET

Own Accounts with signBlob

options:
  -h, --help            show this help message and exit
  -t, --token TOKEN     Caller's Access Token string
  -f, --token-file TOKEN_FILE
                        Path to file containing Access Token
  -k, --key-file KEY_FILE
                        Path to Service Account JSON key file
  -s, --target TARGET   Target Service Account Email
```


### Prerequisites
---
   - Python 3.x
   - The `iamcredentials.googleapis.com` API must be enabled in the target project.
   - The caller identity must have the `iam.serviceAccounts.signBlob` permission on the target service account.


### Installation
---

```shell
git clone https://github.com/5epi0l/signedBlob-PrivEsc.git
cd signedBlob-PrivEsc
pip install -r requirements.txt
```

### Usage
---

1. Using a direct Access Token

```shell
python3 signedblob-privesc.py -t $(gcloud auth print-access-token) -s target-sa@project-id.iam.gserviceaccount.com
```

2. Using a Service Account JSON Key

```shell
python3 signedblob-privesc.py -k /path/to/key.json -s target-sa@project-id.iam.gserviceaccount.com
```

3. Using a Token File

```shell
python3 signedblob-privesc.py -f ./token.txt -s target-sa@project-id.iam.gserviceaccount.com
```

---
<img width="1904" height="487" alt="image" src="https://github.com/user-attachments/assets/bf7f8cd5-73fd-47cb-81ca-01e75938ab9d" />


## Disclaimer
---

This tool is for authorized security auditing and educational purposes only. Unauthorized access to computer systems is illegal.