From 31dca55ac61562b0917e77746b502a6ceb34920b Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 18 Jun 2024 19:50:52 +0000 Subject: [PATCH] GITBOOK-628: No subject --- .../gcp-cloud-run-post-exploitation.md | 6 ++++-- .../gcp-services/gcp-cloud-functions-enum.md | 18 ++++++++++++++---- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md index b57c3d70de..c99b544388 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md +++ b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md @@ -26,9 +26,11 @@ For more information about Cloud Run check: If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables. -### Modify the image +If the images are stored in repos inside the service Artifact Registry and the user has read access over the repos, he could also download the image from this service. -Modify the run image to steal information. For example, if it's exposing a login page, steal the credentials users are sending. +### Modify & redeploy the image + +Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending.
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md index 27a36c62e6..ff4e71d549 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md +++ b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md @@ -21,16 +21,26 @@ Other ways to support HackTricks: ### Storage The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\ -The code is stored in a bucket like: +The code is stored in a bucket like one of the following: -`gcf-sources--/-/version-/function-source.zip`\ -for example:\ +* `gcf-sources--/-/version-/function-source.zip` +* `gcf-v2-sources--/function-source.zip` + +For example:\ `gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip` {% hint style="warning" %} -Any user with **write privileges over the bucket** storing the Cloud Function could **overwrite the executed code**. +Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**. {% endhint %} +### Artifact Registry + +If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check: + +{% content-ref url="gcp-artifact-registry-enum.md" %} +[gcp-artifact-registry-enum.md](gcp-artifact-registry-enum.md) +{% endcontent-ref %} + ### SA If not specified, by default the **App Engine Default Service Account** with **Editor permissions** over the project will be attached to the Cloud Function.
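Review bot: In gcp-cloud-run-post-exploitation.md, the added sentence "If the images are stored in repos inside the service Artifact Registry ..." gives no pointer to the Artifact Registry page, although the other file in this patch adds a content-ref to gcp-artifact-registry-enum.md for the same point. Add the equivalent reference here, with the relative path adjusted for the gcp-post-exploitation directory, so the two pages stay consistent. The wording also needs a pass: "repos inside the service Artifact Registry" would read better as "Artifact Registry repos", and "he could" should be "they could". In the "Modify & redeploy the image" paragraph, the parenthetical states that uploading a container with the same tags "won't get it executed" but gives no reason; one clause explaining why would let a reader verify the claim.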
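Review bot: In gcp-cloud-functions-enum.md, the rewritten warning hint ("Any user with **read privileges over the bucket** ... could **read the executed code**") now repeats the first sentence of the Storage section and drops the earlier statement about write privileges without explanation (the commit subject is "No subject"). Either remove the hint as redundant or state explicitly whether write access to the bucket still affects the executed code, so anyone reviewing bucket permissions knows which case applies. The new `gcf-v2-sources--/function-source.zip` pattern has no matching example; "For example:" still shows only a `gcf-sources-` path. In the Artifact Registry paragraph, "inside and Artifact Registry repo" should be "inside an Artifact Registry repo" and "anyway with read access" should be "anyone with read access".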