cloudpeass: Cloud Privilege Escalation Awesome Script Suite


The current goal of Cloud PEASS is simple: once you manage to get some credentials to access Azure, GCP or AWS, use different techniques to find out which permissions the principal has and highlight all the potential attacks (privilege escalation, reading sensitive information, etc.) that are possible with them.

The sensitive permissions and attacks are discovered based on the sensitive permissions documented in HackTricks Cloud and also by asking the HackTricks AI.

Note that at the moment HackTricks AI shares information with OpenAI; however, as only permission and resource names are shared and not the actual data, it should be safe to use. If you don’t want to use HackTricks AI, you can use the --not-use-hacktricks-ai flag.

AzurePEASS

AzurePEASS will check all your permissions in Azure and in Entra ID and will try to find privilege escalation paths and other potential attacks.

AzurePEASS will use different API endpoints to find all the resources a principal has access to and then get all the permissions of those resources. It will also check for Entra ID permissions in different scopes.

Note that you will need to provide a token with access over the ARM API and another one with access over the Graph API.

Note also that some specific permissions and scopes are needed to get all the information, but most permissions can be gathered without requiring any specific enumeration permission.
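Since AzurePEASS expects one token for the ARM API and another for the Graph API, a quick way to check which one you are holding before running it is to read the `aud` claim of the token. The following is an added example, not code from AzurePEASS or the cloudpeass project: it decodes the JWT payload without verifying the signature (it only inspects claims) and classifies the token by audience. The audience values are the well-known ARM and Microsoft Graph audiences; the sample tokens built by `make_sample_token` are constructed, unsigned placeholders, not real tokens.

```python
"""Added example (not cloudpeass code): classify an Azure access token as ARM
or Graph by its `aud` claim. Signature is NOT verified; this is only a local
sanity check on which API the token was issued for."""
import base64
import json
import time
from typing import Any, Dict, Optional

# Well-known audiences for the ARM (management) API and Microsoft Graph.
ARM_AUDIENCES = {
    "https://management.azure.com/",
    "https://management.azure.com",
    "https://management.core.windows.net/",
}
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",  # Graph application id
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[float] = None) -> str:
    """Return 'arm', 'graph', 'other' or 'expired' depending on the token's
    audience and expiry. `aud` may be a string or a list of strings."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        return "expired"
    aud = claims.get("aud", "")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if audiences & ARM_AUDIENCES:
        return "arm"
    if audiences & GRAPH_AUDIENCES:
        return "graph"
    return "other"


def make_sample_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned sample token for demonstration only.
    The signature segment is left empty, so this is never a usable token."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    far_future = 4102444800  # constructed expiry (year 2100)
    for label, aud in [("arm", "https://management.azure.com/"),
                       ("graph", "https://graph.microsoft.com")]:
        tok = make_sample_token({"aud": aud, "exp": far_future, "oid": "constructed"})
        print(label, "->", classify_token(tok))
```

Run it on a real token by replacing the constructed sample with the token string; an "expired" or "other" result means AzurePEASS will not be able to use that token for the API you intended.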

GCPPEASS

GCPPEASS will check all your permissions in GCP and will try to find privilege escalation paths and other potential attacks.

GCPPEASS will brute force all the permissions over all the projects, folders and organizations the user can list, and also over the projects, folders or organizations given via the CLI, and then checks for potential attacks (like privilege escalation). This could create false negatives, as the principal might have permissions assigned directly to specific resources that it won’t be able to see. However, permissions are usually assigned at the project level, so this way we should be able to find most of them. GCPPEASS also tries to enumerate all the VMs, Storages, Functions and SAs and brute force the permissions over them to reduce these false negatives.


Download