GITBOOK-628: No subject

HackTricks-wiki · Jun 18, 2024 · 31dca55 · 31dca55
1 parent 6743320
commit 31dca55
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/...ing-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/...ing-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md
@@ -26,9 +26,11 @@ For more information about Cloud Run check:
 
 If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables.
 
-### Modify the image
+If the images are stored in repos inside the service Artifact Registry and the user has read access over the repos, he could also download the image from this service.
 
-Modify the run image to steal information. For example, if it's exposing a login page, steal the credentials users are sending.
+### Modify & redeploy the image
+
+Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending.
 
 <details>
 

diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md
@@ -21,16 +21,26 @@ Other ways to support HackTricks:
 ### Storage
 
 The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\
-The code is stored in a bucket like:
+The code is stored in a bucket like one of the following:
 
-`gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip`\
-for example:\
+* `gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip`
+* `gcf-v2-sources-<number>-<region>/<function-name>function-source.zip`
+
+For example:\
 `gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip`
 
 {% hint style="warning" %}
-Any user with **write privileges over the bucket** storing the Cloud Function could **overwrite the executed code**.
+Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**.
 {% endhint %}
 
+### Artifact Registry
+
+If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check:
+
+{% content-ref url="gcp-artifact-registry-enum.md" %}
+[gcp-artifact-registry-enum.md](gcp-artifact-registry-enum.md)
+{% endcontent-ref %}
+
 ### SA
 
 If not specified, by default the **App Engine Default Service Account** with **Editor permissions** over the project will be attached to the Cloud Function.