GitBook: [#2804] update

This commit is contained in:
CPol 2021-10-25 16:01:41 +00:00 committed by gitbook-bot
parent c3fa0b2c66
commit 31dace41fb
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
6 changed files with 78 additions and 80 deletions

View File

@ -501,13 +501,14 @@
* [GCP Security](cloud-security/gcp-security/README.md)
* [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
* [GCP - IAM Escalation](cloud-security/gcp-security/gcp-iam-escalation.md)
* [GCP - Looting](cloud-security/gcp-security/gcp-looting.md)
* [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md)
* [GCP - Interesting Permissions](cloud-security/gcp-security/gcp-interesting-permissions.md)
* [GCP - Buckets: Brute-Force, Privilege Escalation & Enumeration](cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md)
* [GCP - Compute Enumeration](cloud-security/gcp-security/gcp-compute-enumeration.md)
* [GCP - Network Enumeration](cloud-security/gcp-security/gcp-network-enumeration.md)
* [GCP - KMS & Secrets Management Enumeration](cloud-security/gcp-security/gcp-kms-and-secrets-management-enumeration.md)
* [GCP - Databases Enumeration](cloud-security/gcp-security/gcp-databases-enumeration.md)
* [GCP - Serverless Code Exec Services Enumeration](cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md)
## Physical attacks
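Review bot: the entries "GCP - Looting" and "GCP - Other Services Enumeration" in this hunk both resolve to cloud-security/gcp-security/gcp-looting.md, so the table of contents now carries two titles for one file and the new title no longer matches its path. If the Looting entry is the line being dropped, give the surviving entry a file name that matches it (gcp-other-services-enumeration.md, keeping or redirecting the old path if external links point at it); otherwise the two entries need distinct targets.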

View File

@ -334,19 +334,7 @@ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$TOKEN
You should see `https://www.googleapis.com/auth/cloud-platform` listed in the scopes, which means you are **not limited by any instance-level access scopes**. You now have full power to use all of your assigned IAM permissions.
### Custom Metadata
Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the instance and project level. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts.
```bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
```
### Service account impersonation <a href="service-account-impersonation" id="service-account-impersonation"></a>
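Review bot: the Custom Metadata subsection is removed from this page without any pointer to where it now lives, so the tokeninfo paragraph runs straight into "Service account impersonation" and a reader of this page no longer learns that instance and project attributes can be read from inside the VM with nothing more than the `Metadata-Flavor: Google` header. Add a one-line cross-reference to the page that now hosts the section.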

View File

@ -34,3 +34,7 @@ gcloud beta secrets versions access 1 --secret="[SECRET NAME]"
```
Note that changing a secret entry will create a new version, so it's worth changing the `1` in the command above to a `2` and so on.
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
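Review bot: the reference added here carries the fragment #reviewing-stackdriver-logging, which points at the Stackdriver section of the GitLab post rather than at anything about Secret Manager; drop the fragment or point it at the section this page actually draws from. Minor, on the context line above it: rather than bumping the `1` by hand, `gcloud secrets versions access latest --secret="[SECRET NAME]"` returns the newest enabled version.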

View File

@ -16,6 +16,20 @@ Running `gsutil ls` from the command line returns nothing, as the service accoun
You may be able to find this bucket name inside a script (in bash, Python, Ruby...).
## Custom Metadata
Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the instance and project level. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts.
```bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
```
## Modifying the metadata <a href="modifying-the-metadata" id="modifying-the-metadata"></a>
If you can **modify the instance's metadata**, there are numerous ways to escalate privileges locally. There are a few scenarios that can lead to a service account with this permission:
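Review bot: the block added here shows how to read the attributes but does not connect them to the "Modifying the metadata" section that follows; one sentence stating that these reads need no credentials (only the Metadata-Flavor header, from any process on the instance) and that the same keys, startup/shutdown scripts in particular, are what the next section edits would tie the read side to the write side. The paragraph and commands are byte-for-byte the copies removed from two other pages in this commit, which is fine for a move, but they should now live only here.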

View File

@ -1,18 +1,4 @@
# GCP - Looting
## Custom Metadata
Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the instance and project level. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts.
```bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
```
# GCP - Other Services Enumeration
## Stackdriver logging
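Review bot: the top-level heading changes from "GCP - Looting" to "GCP - Other Services Enumeration" while the file keeps the gcp-looting.md path that the SUMMARY hunk above links to; rename the file together with the heading so path, title and table-of-contents entry agree. With Custom Metadata removed, "Stackdriver logging" becomes the first section, so check that nothing further down this page still refers to the metadata commands.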
@ -41,58 +27,6 @@ gcloud logging read [FOLDER]
gcloud logging write [FOLDER] [MESSAGE]
```
## Cloud Functions <a href="reviewing-cloud-functions" id="reviewing-cloud-functions"></a>
Google [Cloud Functions](https://cloud.google.com/functions/) allow you to host code that is executed when an event is triggered, without the requirement to manage a host operating system. These functions can also store environment variables to be used by the code.
```bash
# List functions
gcloud functions list
# Get function config including env variables
gcloud functions describe [FUNCTION NAME]
# Get logs of previous runs
# By default, limits to 10 lines
gcloud functions logs read [FUNCTION NAME] --limit [NUMBER]
```
## App Engine Configurations <a href="reviewing-app-engine-configurations" id="reviewing-app-engine-configurations"></a>
Google [App Engine](https://cloud.google.com/appengine/) is another ["serverless"](https://about.gitlab.com/topics/serverless/) offering for hosting applications, with a focus on scalability. As with Cloud Functions, **there is a chance that the application will rely on secrets that are accessed at run-time via environment variables**. These variables are stored in an `app.yaml` file which can be accessed as follows:
```bash
# First, get a list of all available versions of all services
gcloud app versions list
# Then, get the specific details on a given app
gcloud app describe [APP]
```
## Cloud Run Configurations <a href="reviewing-cloud-run-configurations" id="reviewing-cloud-run-configurations"></a>
Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
The access to this web server might be public of managed via IAM permissions:
```bash
# First get a list of services across the available platforms
gcloud run services list --platform=managed
gcloud run services list --platform=gke
# To learn more, export as JSON and investigate what the services do
gcloud run services list --platform=managed --format=json
gcloud run services list --platform=gke --format=json
# Attempt to trigger a job unauthenticated
curl [URL]
# Attempt to trigger a job with your current gcloud authorization
curl -H \
"Authorization: Bearer $(gcloud auth print-identity-token)" \
[URL]
```
## AI platform configurations <a href="reviewing-ai-platform-configurations" id="reviewing-ai-platform-configurations"></a>
Google [AI Platform](https://cloud.google.com/ai-platform/) is another "serverless" offering for machine learning projects.
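Review bot: with Cloud Functions, App Engine and Cloud Run moved out, the remaining "AI platform configurations" paragraph still opens with 'another "serverless" offering', and "another" no longer has an antecedent on this page. Either reword it to stand alone ('Google AI Platform is a "serverless" offering for machine learning projects') or move that section to the new serverless page along with the others, since it is the same kind of service.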

View File

@ -0,0 +1,57 @@
# GCP - Serverless Code Exec Services Enumeration
## Cloud Functions <a href="reviewing-cloud-functions" id="reviewing-cloud-functions"></a>
Google [Cloud Functions](https://cloud.google.com/functions/) allow you to host code that is executed when an event is triggered, without the requirement to manage a host operating system. These functions can also store environment variables to be used by the code.
```bash
# List functions
gcloud functions list
# Get function config including env variables
gcloud functions describe [FUNCTION NAME]
# Get logs of previous runs
# By default, limits to 10 lines
gcloud functions logs read [FUNCTION NAME] --limit [NUMBER]
```
## App Engine Configurations <a href="reviewing-app-engine-configurations" id="reviewing-app-engine-configurations"></a>
Google [App Engine](https://cloud.google.com/appengine/) is another ["serverless"](https://about.gitlab.com/topics/serverless/) offering for hosting applications, with a focus on scalability. As with Cloud Functions, **there is a chance that the application will rely on secrets that are accessed at run-time via environment variables**. These variables are stored in an `app.yaml` file which can be accessed as follows:
```bash
# First, get a list of all available versions of all services
gcloud app versions list
# Then, get the specific details on a given app
gcloud app describe [APP]
```
## Cloud Run Configurations <a href="reviewing-cloud-run-configurations" id="reviewing-cloud-run-configurations"></a>
Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
The access to this web server might be public of managed via IAM permissions:
```bash
# First get a list of services across the available platforms
gcloud run services list --platform=managed
gcloud run services list --platform=gke
# To learn more, export as JSON and investigate what the services do
gcloud run services list --platform=managed --format=json
gcloud run services list --platform=gke --format=json
# Attempt to trigger a job unauthenticated
curl [URL]
# Attempt to trigger a job with your current gcloud authorization
curl -H \
"Authorization: Bearer $(gcloud auth print-identity-token)" \
[URL]
```
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
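Review bot: `gcloud app describe [APP]` in the App Engine block takes no positional argument; `gcloud app describe` reports the project's single App Engine application, and the per-version configuration, including the env variables from app.yaml that the paragraph promises, comes from `gcloud app versions describe [VERSION] --service=[SERVICE]`, using the service and version names the preceding `gcloud app versions list` returns. The error is carried over from the removed copy, so this new file is the place to fix it. Also in this hunk: "public of managed" should read "public or managed", "serverless offer" should be "serverless offering", and the References entry reuses the #reviewing-stackdriver-logging fragment although Stackdriver logging is not on this page; point it at the section of the post this page draws from or drop the fragment.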