SignedBlob-PrivEsc
This tool specifically targets the iam.serviceAccounts.signBlob permission to generate an Access Token for a target Service Account without needing its private key.
Overview
In GCP, if an identity has the Service Account Token Creator role (or specifically the iam.serviceAccounts.signBlob permission) on a Service Account, it can have that Service Account sign arbitrary payloads, and a signed JWT can be exchanged for an Access Token for that Service Account. This script works as follows:
- Constructs an unsigned JWT with the target Service Account as the issuer
- Calls the signBlob method of the IAM Credentials API (iamcredentials.googleapis.com), passing the constructed JWT as the payload
- Exchanges the signed JWT for a full OAuth2 Access Token
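From the defender's side, step 2 is the observable point: each signBlob call is recorded as a Cloud Audit Log entry for iamcredentials.googleapis.com (assuming Data Access audit logging is enabled for that API). The following is an added detection example, not part of this tool; the log lines are constructed, the protoPayload field names follow the Cloud Audit Log layout, and the caller/target allowlist is an assumption about what "normal" signing looks like in a given environment.

```python
import json

def _entry(method, caller, target, ts):
    """Build one constructed Cloud Audit Log line (Data Access log for the
    IAM Credentials API) using the protoPayload field layout."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "iamcredentials.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": caller},
            "resourceName": f"projects/-/serviceAccounts/{target}",
        },
    })

# Constructed sample log lines: an expected automation signer, a user principal
# calling SignBlob on a service account it is not expected to sign for, and a
# different IAM Credentials method that this detector deliberately ignores.
SAMPLE_LOG_LINES = [
    _entry("SignBlob", "ci-runner@project-id.iam.gserviceaccount.com",
           "signer-sa@project-id.iam.gserviceaccount.com", "2024-01-01T10:00:00Z"),
    _entry("SignBlob", "alice@example.com",
           "target-sa@project-id.iam.gserviceaccount.com", "2024-01-01T10:05:00Z"),
    _entry("GenerateAccessToken", "alice@example.com",
           "target-sa@project-id.iam.gserviceaccount.com", "2024-01-01T10:06:00Z"),
]

# Assumed allowlist of (caller, target) pairs that legitimately use signBlob.
EXPECTED_SIGNERS = {
    ("ci-runner@project-id.iam.gserviceaccount.com",
     "signer-sa@project-id.iam.gserviceaccount.com"),
}

def find_unexpected_signblob(log_lines, allowlist=EXPECTED_SIGNERS):
    """Return (caller, target, timestamp) for each SignBlob call whose
    caller/target pair is not on the allowlist."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if (payload.get("serviceName") != "iamcredentials.googleapis.com"
                or payload.get("methodName") != "SignBlob"):
            continue
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "")
        # resourceName has the form projects/-/serviceAccounts/<target email>
        target = payload.get("resourceName", "").rsplit("/", 1)[-1]
        if (caller, target) not in allowlist:
            findings.append((caller, target, entry.get("timestamp")))
    return findings
```

In practice the allowlist would come from an IAM policy export of who actually holds Token Creator on each Service Account, and any SignBlob call outside it (especially from a user principal) is worth an alert.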
Options
```text
usage: signedblob-privesc.py [-h] (-t TOKEN | -f TOKEN_FILE | -k KEY_FILE) -s TARGET

Own Accounts with signBlob

options:
  -h, --help            show this help message and exit
  -t, --token TOKEN     Caller's Access Token string
  -f, --token-file TOKEN_FILE
                        Path to file containing Access Token
  -k, --key-file KEY_FILE
                        Path to Service Account JSON key file
  -s, --target TARGET   Target Service Account Email
```
Prerequisites
- Python 3.x
- The iamcredentials.googleapis.com API must be enabled in the target project.
- Your caller identity must have the iam.serviceAccounts.signBlob permission on the target Service Account.
Installation
```bash
git clone https://github.com/5epi0l/signedBlob-PrivEsc.git
cd signedBlob-PrivEsc
pip install -r requirements.txt
```
Usage
- Using a direct Access Token

```bash
python3 signedblob-privesc.py -t $(gcloud auth print-access-token) -s target-sa@project-id.iam.gserviceaccount.com
```

- Using a Service Account JSON Key

```bash
python3 signedblob-privesc.py -k /path/to/key.json -s target-sa@project-id.iam.gserviceaccount.com
```

- Using a Token File

```bash
python3 signedblob-privesc.py -f ./token.txt -s target-sa@project-id.iam.gserviceaccount.com
```
Disclaimer
This tool is for authorized security auditing and educational purposes only. Unauthorized access to computer systems is illegal.