GCP - App Engine Post Exploitation

`App Engine`

For information about App Engine check:

{{#ref}}
../gcp-services/gcp-app-engine-enum.md
{{#endref}}

`appengine.memcache.addKey` | `appengine.memcache.list` | `appengine.memcache.getKey` | `appengine.memcache.flush`

With these permissions it's possible to:

Add a key
List keys
Get a key
Delete

⚠️ Caution

However, I **couldn't find any way to access this information from the cli**, only from the **web console** where you need to know the **Key type** and the **Key name**, of from the a**pp engine running app**. If you know easier ways to use these permissions send a Pull Request!

`logging.views.access`

With this permission it's possible to see the logs of the App:

gcloud app logs tail -s <name>

Service and version deletion

The appengine.versions.delete, appengine.versions.list, and appengine.services.list permissions allow managing and deleting specific versions of an App Engine application, which can affect traffic if it is split or if the only stable version is removed. Meanwhile, the appengine.services.delete and appengine.services.list permissions allow listing and deleting entire services—an action that immediately disrupts all traffic and the availability of the associated versions.

gcloud app versions delete <VERSION_ID>
gcloud app services delete <SERVICE_NAME>

Read Source Code

The source code of all the versions and services are stored in the bucket with the name staging.<proj-id>.appspot.com. If you have write access over it you can read the source code and search for vulnerabilities and sensitive information.

Modify Source Code

Modify source code to steal credentials if they are being sent or perform a defacement web attack.