GitBook: [#2799] up GCP

CPol 2021-10-24 22:34:49 +00:00 committed by gitbook-bot
parent 46502d23cb
commit bdc7f38a29
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 43 additions and 36 deletions

@ -504,7 +504,7 @@
* [GCP - Looting](cloud-security/gcp-security/gcp-looting.md)
* [GCP - Interesting Permissions](cloud-security/gcp-security/gcp-interesting-permissions.md)
* [GCP - Buckets Brute-Force & Privilege Escalation](cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md)
* [GCP - Compute & Network Enumeration](cloud-security/gcp-security/gcp-compute-and-network-enumeration.md)
* [GCP - Compute & Network Enumeration](cloud-security/gcp-security/page-1.md)
## Physical attacks
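
Review bot: the second `GCP - Compute & Network Enumeration` entry links to `cloud-security/gcp-security/page-1.md`, a placeholder-style filename that says nothing about the page and drops the descriptive `gcp-compute-and-network-enumeration.md` path used by the entry above it. If that second entry is the replacement line, rename the file so it keeps the descriptive slug, or add a redirect, so existing links to the old path keep resolving.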

@ -234,27 +234,6 @@ Remember that in all those **resources belonging to a project** you can use the
| List **custom** **roles** on a project | `gcloud iam roles list --project $PROJECT_ID` |
| List **service accounts** | `gcloud iam service-accounts list` |
### Compute Engine / Virtual Machines
| Description | Command |
| -------------------------------- | --------------------------------------------------------------------------------------------------------- |
| List all **instances** | `gcloud compute instances list` |
| List **instances** **templates** | `gcloud compute instance-templates list` |
| Show instance **info** | `gcloud compute instances describe "<instance-name>" --project "<project-name>" --zone "us-west2-a"` |
| Get **active** **zones** | `gcloud compute regions list \| grep -E "NAME\|[^0]/` |
| **Stop** an instance | `gcloud compute instances stop instance-2` |
| **Start** an instance | `gcloud compute instances start instance-2` |
| **Create** an instance | `gcloud compute instances create vm1 --image image-1 --tags test --zone "<zone>" --machine-type f1-micro` |
| **SSH** to instance | `gcloud compute ssh --project "<project-name>" --zone "<zone-name>" "<instance-name>"` |
| **Download** files | `gcloud compute copy-files example-instance:~/REMOTE-DIR ~/LOCAL-DIR --zone us-central1-a` |
| **Upload** files | `gcloud compute copy-files ~/LOCAL-FILE-1 example-instance:~/REMOTE-DIR --zone us-central1-a` |
| List all **disks** | `gcloud compute disks list` |
| List all disk types | `gcloud compute disk-types list` |
| List all **snapshots** | `gcloud compute snapshots list` |
| **Create** snapshot | `gcloud compute disks snapshot --snapshotname --zone $zone` |
| List **images** | `gcloud compute images list` |
| List **subnets** | `gcloud compute networks subnets list` |
## Unauthenticated Attacks
{% content-ref url="gcp-buckets-brute-force-and-privilege-escalation.md" %}
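
Review bot: several rows of the removed `Compute Engine / Virtual Machines` table (list instances, list instance templates, show instance info, active zones, SSH to instance, list images, list subnets) do not reappear in the `More Enumeration` table added in the last file of this commit, so confirm each one is already covered on the destination page before deleting it here. The active-zones row also needs a fix wherever it ends up: `grep -E "NAME\|[^0]/` has an unterminated double quote.
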
@ -355,24 +334,19 @@ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$TOKEN
You should see `https://www.googleapis.com/auth/cloud-platform` listed in the scopes, which means you are **not limited by any instance-level access scopes**. You now have full power to use all of your assigned IAM permissions.
### **Steal gcloud authorizations**
### Custom Metadata
It's quite possible that** other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the instance and project level. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts.
First, find what `gcloud` config directories exist in users' home folders.
```bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
```
$ sudo find / -name "gcloud"
```
You can manually inspect the files inside, but these are generally the ones with the secrets:
* \~/.config/gcloud/credentials.db
* \~/.config/gcloud/legacy\_credentials/\[ACCOUNT]/adc.json
* \~/.config/gcloud/legacy\_credentials/\[ACCOUNT]/.boto
* \~/.credentials.json
Now, you have the option of looking for clear text credentials in these files or simply copying the entire `gcloud` folder to a machine you control and running `gcloud auth list` to see what accounts are now available to you.
### Service account impersonation <a href="service-account-impersonation" id="service-account-impersonation"></a>
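
Review bot: the new `Custom Metadata` text ends at "commonly used for environment variables and startup/shutdown scripts" and then goes straight to the two `curl` calls, without telling the reader what to check in the output. Add one sentence stating that these attributes are readable by any process on the instance that can reach the metadata server, so credentials placed in them should be moved to a secret store. Also worth a short comment on the `recursive=true&alt=text` query string, since the page does not explain it.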

@ -72,6 +72,25 @@ You can then [export](https://cloud.google.com/sdk/gcloud/reference/compute/imag
$ gcloud compute images list --no-standard-images
```
### **Steal gcloud authorizations**
It's quite possible that** other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
First, find what `gcloud` config directories exist in users' home folders.
```
$ sudo find / -name "gcloud"
```
You can manually inspect the files inside, but these are generally the ones with the secrets:
* \~/.config/gcloud/credentials.db
* \~/.config/gcloud/legacy\_credentials/\[ACCOUNT]/adc.json
* \~/.config/gcloud/legacy\_credentials/\[ACCOUNT]/.boto
* \~/.credentials.json
Now, you have the option of looking for clear text credentials in these files or simply copying the entire `gcloud` folder to a machine you control and running `gcloud auth list` to see what accounts are now available to you.
## Images
### Custom Images
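
Review bot: the bold markers in the first sentence of the moved section are misplaced. In `that** other users on the same box have been running `gcloud`** commands` the opening `**` is followed by a space, so Markdown renderers will show literal asterisks instead of bold text. Move the space outside the markers (`that **other users ... `gcloud`** commands`). The fence around `$ sudo find / -name "gcloud"` also carries no language tag, unlike the `bash` fence used elsewhere in this commit.
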
@ -108,3 +127,17 @@ $ gcloud compute instance-templates list
# Get the details of a specific template
$ gcloud compute instance-templates describe [TEMPLATE NAME]
```
## More Enumeration
| Description | Command |
| ---------------------- | --------------------------------------------------------------------------------------------------------- |
| **Stop** an instance | `gcloud compute instances stop instance-2` |
| **Start** an instance | `gcloud compute instances start instance-2` |
| **Create** an instance | `gcloud compute instances create vm1 --image image-1 --tags test --zone "<zone>" --machine-type f1-micro` |
| **Download** files | `gcloud compute copy-files example-instance:~/REMOTE-DIR ~/LOCAL-DIR --zone us-central1-a` |
| **Upload** files | `gcloud compute copy-files ~/LOCAL-FILE-1 example-instance:~/REMOTE-DIR --zone us-central1-a` |
| List all **disks** | `gcloud compute disks list` |
| List all disk types | `gcloud compute disk-types list` |
| List all **snapshots** | `gcloud compute snapshots list` |
| **Create** snapshot | `gcloud compute disks snapshot --snapshotname --zone $zone` |
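
Review bot: the `Create snapshot` row cannot run as written. `gcloud compute disks snapshot --snapshotname --zone $zone` names neither the disk nor the snapshot, and `--snapshotname` is not the documented flag; the form is `gcloud compute disks snapshot <disk-name> --snapshot-names <snapshot-name> --zone $zone`. The `Download` and `Upload` rows use `gcloud compute copy-files`, which gcloud deprecated in favour of `gcloud compute scp`, so update those while the table is being moved.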