
CloudPEASS


Install / Use

/learn @peass-ng/CloudPEASS
About this skill: Quality Score 0/100; Supported Platforms: Universal

README

Cloud Privilege Escalation Awesome Script Suite 🚀🛡️

[image: /cloudpeass.png]

Welcome to the Cloud Privilege Escalation Awesome Script Suite – your one-stop solution to find your permissions whenever you compromise a principal in a Red Team across major cloud platforms: Azure, GCP, and AWS. This suite is designed to help you determine all your permissions and also what it's possible to accomplish with them, focusing on privilege escalation and accessing sensitive information 🔥, and other potential attack vectors without modifying any resources.

This toolkit leverages advanced techniques to enumerate your permissions (it uses different permission enumeration techniques depending on the cloud) and utilizes insights from HackTricks Cloud plus a curated permissions catalog (Blue-CloudPEASS) to classify permissions as critical / high / medium / low.


<details> <summary><h2>AzurePEAS 💼🖥️</h2></summary>

AzurePEAS is dedicated to enumerating the principals permissions within your Azure and Entra ID environments, with a special focus on detecting privilege escalation pathways and identifying potential security risks. It can also enumerate several Microsoft 365 services for a quick recon. Here are the key features and requirements:

  • Comprehensive Permissions Check
    AzurePEAS finds all resources accessible to the principal and the permissions it has over them. It retrieves permissions for both Azure (ARM API) and Entra ID (Graph API), ensuring a thorough analysis of your cloud permissions.

  • Authentication Requirements
    AzurePEAS supports multiple authentication methods:

    • Device Code Flow (Default): Simply run without parameters for interactive browser-based authentication (supports MFA) 🔐
    • Pre-existing Tokens: Provide ARM and/or Graph tokens directly
    • Username/Password: Use --use-username-password flag for automation (non-MFA accounts only)
    • FOCI Refresh Token: Generate tokens and access M365 services

    Note: Most permissions can be collected without needing extra enumeration privileges. However, some specific operations might need additional scopes.

  • Microsoft 365 Enumeration (M365)
    If you provide AzurePEAS with a FOCI refresh token or valid credentials (username and password), it extends its scanning capabilities to enumerate various Microsoft 365 services, including:

    • SharePoint 📂
    • OneDrive ☁️
    • Outlook 📧
    • Teams 💬
    • OneNote 📝
    • Contacts 👥
    • Tasks

    This additional enumeration is intended to indicate whether any data exists in these services, enabling further manual investigation if needed. The process is not exhaustive but serves as a useful preliminary check.

AzurePEAS Help

To see the complete list of options, run:

python3 ./AzurePEAS.py --help

usage: AzurePEAS.py [-h] [--tenant-id TENANT_ID] [--arm-token ARM_TOKEN] [--graph-token GRAPH_TOKEN] [--foci-refresh-token FOCI_REFRESH_TOKEN] [--not-enumerate-m365] [--skip-entraid]
                    [--username USERNAME] [--password PASSWORD] [--use-username-password] [--check-only-these-subs CHECK_ONLY_THESE_SUBS] [--out-json-path OUT_JSON_PATH]
                    [--threads THREADS]

Run AzurePEASS to find all your current privileges in Azure and EntraID and check for potential privilege escalation attacks. To check for Azure permissions an ARM token is needed.
To check for Entra ID permissions a Graph token is needed.

options:
  -h, --help            show this help message and exit
  --tenant-id TENANT_ID
                        Indicate the tenant id
  --arm-token ARM_TOKEN
                        Azure Management authentication token
  --graph-token GRAPH_TOKEN
                        Azure Graph authentication token
  --foci-refresh-token FOCI_REFRESH_TOKEN
                        FOCI Refresh Token
  --not-enumerate-m365  Don't enumerate M365 permissions
  --skip-entraid        Skip EntraID permissions enumeration and only focus on Azure subscriptions
  --username USERNAME   Username for authentication (used with --use-username-password)
  --password PASSWORD   Password for authentication (used with --use-username-password)
  --use-username-password
                        Use username/password flow instead of device code flow (only works without MFA)
  --check-only-these-subs CHECK_ONLY_THESE_SUBS
                        In case you just want to check specific subscriptions, provide a comma-separated list of subscription IDs (e.g. 'sub1,sub2')
  --out-json-path OUT_JSON_PATH
                        Output JSON file path (e.g. /tmp/azure_results.json)
  --threads THREADS     Number of threads to use

AzurePEAS Usage Examples

1. Simple Interactive Authentication (Recommended)

Just run with no parameters for device code flow (works with MFA):

# Simplest - prompts for tenant or uses 'organizations'
python3 AzurePEAS.py

# With tenant auto-discovery from email domain
python3 AzurePEAS.py --username user@domain.com

2. Obtaining Tokens Manually 🔑

If you prefer to generate tokens beforehand:

# Get Azure ARM token
export AZURE_ARM_TOKEN=$(az account get-access-token --resource-type arm | jq -r .accessToken)

# Get Azure Graph token
export AZURE_GRAPH_TOKEN=$(az account get-access-token --resource-type ms-graph | jq -r .accessToken)

# Get a Graph token with enough scopes (PowerShell, Microsoft Graph PowerShell SDK)
Connect-MgGraph -Scopes "RoleAssignmentSchedule.Read.Directory"
# Issue any request and read the bearer token back from the request headers
$Parameters = @{
    Method     = "GET"
    Uri        = "/v1.0/me"
    OutputType = "HttpResponseMessage"
}
$Response = Invoke-MgGraphRequest @Parameters
$Headers = $Response.RequestMessage.Headers
$Headers.Authorization.Parameter   # the raw access token value

3. Running AzurePEAS Using Pre-existing Tokens

Provide tokens via command line or environment variables:

python3 AzurePEAS.py --arm-token <TOKEN> --graph-token <TOKEN>
# or use environment variables
export AZURE_ARM_TOKEN=<TOKEN>
export AZURE_GRAPH_TOKEN=<TOKEN>
python3 AzurePEAS.py
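AzurePEAS needs an ARM token for Azure and a Graph token for Entra ID, and passing one where the other is expected only produces confusing authorization errors. The following helper, added here as an example and not part of the CloudPEASS project, inspects a token you already hold (it does not verify the signature, so it must never be used to trust a token presented by someone else) and reports which audience it was issued for and whether it has expired. The audience values are the well-known ARM management endpoints and the Microsoft Graph URL / application ID; `make_unsigned_token` is a constructed fixture used only to exercise the code offline.

```python
"""Classify an Azure access token (ARM vs. Microsoft Graph) and check expiry
before handing it to AzurePEAS. Added example; not CloudPEASS code."""
import base64
import json
import time
from typing import Dict, List, Optional

# Well-known audiences. ARM tokens carry one of the management endpoints;
# Microsoft Graph tokens carry the Graph URL or Graph's application ID.
ARM_AUDIENCES = {
    "https://management.azure.com/", "https://management.azure.com",
    "https://management.core.windows.net/", "https://management.core.windows.net",
}
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com/", "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.
    Only appropriate for inspecting a token you obtained yourself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[float] = None) -> Dict:
    """Report the token kind ('arm', 'graph' or 'unknown'), expiry state,
    tenant id (tid) and principal object id (oid)."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    auds: List[str] = aud if isinstance(aud, list) else [aud]
    if any(a in ARM_AUDIENCES for a in auds):
        kind = "arm"
    elif any(a in GRAPH_AUDIENCES for a in auds):
        kind = "graph"
    else:
        kind = "unknown"
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "kind": kind,
        "expired": exp is not None and exp <= now,
        "tenant": claims.get("tid"),
        "object_id": claims.get("oid"),
        "aud": auds,
    }


def make_unsigned_token(claims: Dict) -> str:
    """Constructed fixture: a JWT-shaped string with an empty signature,
    so the classifier can be exercised without a real tenant."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample claims; placeholders, not real identifiers.
    sample = make_unsigned_token({
        "aud": "https://management.azure.com/",
        "tid": "TENANT-ID-PLACEHOLDER",
        "oid": "OBJECT-ID-PLACEHOLDER",
        "exp": int(time.time()) + 3600,
    })
    print(classify_token(sample))
```

A quick `classify_token(os.environ["AZURE_ARM_TOKEN"])["kind"] == "arm"` before launching the tool catches a swapped or stale token early; the `tid` field also tells you which `--tenant-id` the token actually belongs to.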

4. Username/Password Authentication (Non-MFA or Service Principals) ⚠️

For automation scripts with non-MFA accounts:

python3 AzurePEAS.py --use-username-password --username <USERNAME> --password <PASSWORD>

5. Using FOCI Refresh Token

For M365 enumeration capabilities:

python3 AzurePEAS.py --tenant-id <TENANT_ID> --foci-refresh-token <TOKEN>

6. Focus on Azure Subscriptions Only

Skip EntraID and M365 enumeration to only check Azure subscription permissions:

python3 AzurePEAS.py --skip-entraid

7. Check Specific Subscriptions Only

Limit enumeration to specific subscriptions:

python3 AzurePEAS.py --check-only-these-subs <SUB_ID1>,<SUB_ID2>
</details>
<details> <summary><h2>GCPPEAS 🌐🔍</h2></summary>

GCPPEAS is designed to enumerate all your permissions on Google Cloud Platform (GCP), uncovering potential privilege escalation paths and other attack vectors—all without modifying any resources. It starts by collecting the projects, folders, and organizations that the compromised principal can enumerate, then expands its search to discover additional assets such as Virtual Machines, Functions, Storage buckets, and Service Accounts. This holistic approach minimizes blind spots and increases the chance of identifying permissions.

How It Works

  • Resource Discovery:
    GCPPEAS begins by gathering the provided projects, folders, or organizations and then discovers more resources within those containers.

  • Permissions Enumeration:
    It employs two main techniques to assess the user's permissions:

    • IAM Policy Retrieval:
      Attempts to fetch the IAM policies of resources (this requires *.getIamPolicy permissions and might not be available in all cases).
    • Brute Force Testing:
      Utilizes the GCP testIamPermissions API to brute force permission checks across all resources. This method is inherently non-intrusive—it does not modify any resource or configuration.

    Note:
    If you encounter errors indicating that the service cloudresourcemanager.googleapis.com is not enabled, you can:

    • Try to enable it with:
      gcloud services enable cloudresourcemanager.googleapis.com
      
    • Alternatively, create a new project under your control, enable the service there, assign the roles/serviceusage.serviceUsageConsumer role to the compromised principal, and pass the project ID of this project to GCPPEAS with the --billing-project flag (this lets you brute-force permissions in the victim project even if that victim project doesn't have the service enabled).

    The same approach applies if the error is related to cloudidentity.googleapis.com.

  • Attack Surface Analysis:
    Once permissions are collected, GCPPEAS correlates the data to pinpoint potential privilege escalation paths. Although some permissions might be directly assigned to individual resources—possibly resulting in false negatives—the tool also enumerates additional assets (like VMs, Storage, Functions, and Service Accounts) and tests their permissions to minimize such oversights.

  • Authentication Requirements:
    To execute GCPPEAS, you must provide either a GCP access token or a JSON file with Service Account credentials.
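The brute-force technique above rests on the documented `projects.testIamPermissions` endpoint, which returns the subset of a submitted permission list that the caller actually holds and changes nothing. The snippet below, an added example written for this page and not GCPPEAS's own code, shows the mechanics of that check: batching candidate permissions (100 per call is assumed here as the per-request cap; confirm against the current API docs), sending the optional `X-Goog-User-Project` header that implements the `--billing-project` workaround from the note above, and collecting the permissions the API echoes back. The HTTP transport is injectable so the logic runs offline against a constructed fake; `FAKE_GRANTED` and the sample permission names are constructed inputs, and the project name is a placeholder.

```python
"""Read-only check of which permissions a credential holds on a GCP project
via projects.testIamPermissions. Added example; not GCPPEAS code."""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Endpoint CloudPEASS relies on for non-intrusive checks.
TEST_IAM_URL = ("https://cloudresourcemanager.googleapis.com/v1/"
                "projects/{project}:testIamPermissions")

# Assumed per-request cap on the permissions list; check the API docs.
BATCH_SIZE = 100

Transport = Callable[[str, dict, Dict[str, str]], dict]


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    """Yield consecutive slices of at most `size` elements."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def request_headers(access_token: str, billing_project: Optional[str] = None) -> Dict[str, str]:
    """Bearer auth plus, when given, the quota/billing project header that lets
    the call succeed even if the target project has the API disabled."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if billing_project:
        headers["X-Goog-User-Project"] = billing_project
    return headers


def http_post_json(url: str, body: dict, headers: Dict[str, str]) -> dict:
    """Default transport: POST a JSON body with urllib and decode the reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for key, value in headers.items():
        req.add_header(key, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def granted_permissions(project: str, access_token: str, candidates: List[str],
                        billing_project: Optional[str] = None,
                        post: Transport = http_post_json) -> List[str]:
    """Return the subset of `candidates` the token's principal holds on `project`.
    Order follows `candidates`; the API only echoes permissions that are held."""
    headers = request_headers(access_token, billing_project)
    url = TEST_IAM_URL.format(project=project)
    held: List[str] = []
    for batch in chunked(candidates, BATCH_SIZE):
        reply = post(url, {"permissions": batch}, headers)
        granted = set(reply.get("permissions", []))
        held.extend(p for p in batch if p in granted)
    return held


# Constructed fake transport standing in for the real API: it "grants" two
# read permissions and nothing else, and checks the auth header is present.
FAKE_GRANTED = {"resourcemanager.projects.get", "storage.buckets.list"}


def fake_post(url: str, body: dict, headers: Dict[str, str]) -> dict:
    assert headers["Authorization"].startswith("Bearer ")
    return {"permissions": [p for p in body["permissions"] if p in FAKE_GRANTED]}


if __name__ == "__main__":
    sample = [
        "resourcemanager.projects.get",
        "resourcemanager.projects.setIamPolicy",
        "storage.buckets.list",
        "iam.serviceAccounts.actAs",
    ]
    # Replace fake_post with the default transport and a real token to run for real.
    print(granted_permissions("PROJECT-ID-PLACEHOLDER", "TOKEN-PLACEHOLDER",
                              sample, billing_project=None, post=fake_post))
```

For a real run, drop the `post=` argument and pass a token obtained with `gcloud auth print-access-token`; the candidate list is whatever permission catalog you are auditing against, and the output is the principal's effective permission set on that project, which is exactly what a least-privilege review compares against the intended role.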

"Backdoor" gcloud for Google Drive Access 📂☁️

By default gcloud doesn't generate tokens with Drive access, but it can, so here you have a couple of options:

  • Option 1:
    Authenticate using the following if you know the username and password:

    gcloud auth login --enable-gdrive-access
    
  • Option 2:
    If you have compromised the victim's laptop, modify the GetScopes function in the Python library (typically located at

Repository metadata: GitHub stars 627; Category: Development; Updated 6d ago; Forks 74; Languages: Python

Security Score 75/100 (audited on Mar 24, 2026; no findings)