GCP - IAM, Principals & Org Unauthenticated Enum
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
IAM & GCP Principals
For more information check:
GCP - IAM, Principals & Org Policies Enum
Is the domain used in Workspace?
- Check the DNS records
If there is a google-site-verification TXT record, the domain probably uses (or used) Workspace:
dig txt hacktricks.xyz
[...]
hacktricks.xyz. 3600 IN TXT "google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz. 3600 IN TXT "google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz. 300 IN TXT "v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"
If something like include:_spf.google.com also appears in the SPF record, that confirms it (note: its absence does not rule Workspace out, because a domain can be in Workspace without using Gmail as its email provider).
- Try to set up a Workspace with that domain
Another option is to try to set up a Workspace using the domain: if the signup flow reports that the domain is already in use (as in the screenshot), you know it is already taken by an existing Workspace tenant.
To try to set up a Workspace domain, follow: https://workspace.google.com/business/signup/welcome
- Try to recover the password of an email on that domain
If you know a valid email address used on the domain (for example admin@email.com or info@email.com) you can try to recover the account at https://accounts.google.com/signin/v2/recoveryidentifier. If the attempt does not return an error saying that Google has no information about that account, the domain is using Workspace.
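The DNS check (the first option above) automated for a list of domains. This is an added example, not code from the original page: the function names, the verdict labels and the tab-separated output are my own choices, it assumes `dig` is installed, and the interpretation follows exactly the two rules stated above (verification record = probably Workspace, verification record plus Google SPF = confirmed). `classify_txt` is kept pure (stdin to verdict) so it can be exercised offline with constructed TXT data.

```shell
#!/bin/sh
# Added example (not from the original page): detect Workspace usage from TXT records.
# classify_txt() is the pure part: it reads TXT record data on stdin and prints a verdict.
# check_domain() feeds it live `dig +short txt` output (needs dig and DNS access).

# stdin: TXT record data, one record per line (surrounding quotes are fine).
# stdout: verification | google-spf | verification+google-spf | none
classify_txt() {
  data=$(cat)
  verdict=""
  # Domain ownership proof added when the domain was registered in Workspace.
  case "$data" in
    *google-site-verification=*) verdict="verification" ;;
  esac
  # Mail is routed through Google; combined with the record above this confirms Workspace.
  case "$data" in
    *include:_spf.google.com*) verdict="${verdict:+$verdict+}google-spf" ;;
  esac
  echo "${verdict:-none}"
}

# Map a verdict to the meaning described on this page.
interpret() {
  case "$1" in
    verification+google-spf) echo "Workspace confirmed (verification record + Google SPF)" ;;
    verification)            echo "probably uses (or used) Workspace; mail not via Google" ;;
    google-spf)              echo "mail goes through Google; no verification record seen" ;;
    *)                       echo "no indicator (does not rule Workspace out)" ;;
  esac
}

# $1 = domain to check. Prints: domain <TAB> verdict <TAB> meaning
check_domain() {
  v=$(dig +short txt "$1" | classify_txt)
  printf '%s\t%s\t%s\n' "$1" "$v" "$(interpret "$v")"
}

# Usage: sh ws_check.sh hacktricks.xyz example.com
for d in "$@"; do
  check_domain "$d"
done
```

Because `dig +short` returns every TXT record of the apex, an SPF record that includes `_spf.google.com` only through a nested include (for example a third-party relay) will not be caught; for those cases resolve the included records by hand.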
Email and service account enumeration
It is possible to enumerate valid emails of a Workspace domain, and service account emails, by trying to grant them a role and reading the error message. All you need is permission to grant roles on some project, which can simply be a project you own; the target organization is never contacted.
Note: to test an email without actually granting it anything, even if it exists, deliberately use the wrong member type: serviceAccount: when the principal is really a user, and user: when it is really a service account. The binding is rejected either way, but the error differs depending on whether the principal exists:
# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.
# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.
A faster way to enumerate service accounts in known projects is simply to request the URL https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email> without any credentials.
For example: https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com
If the response is 403 the SA exists; if it is 404 it does not:
// Exists
{
"error": {
"code": 403,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"status": "PERMISSION_DENIED"
}
}
// Doesn't exist
{
"error": {
"code": 404,
"message": "Unknown service account",
"status": "NOT_FOUND"
}
}
Note how, when the user email was valid, the error message complained about the member type rather than about the principal, so we learned that support@hacktricks.xyz exists without granting it any privilege.
You can do the same with service accounts by using the type user: instead of serviceAccount: (the sample responses below come from the author's test project):
# Non existent (note the deliberately wrong 'user:' type)
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='user:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.
# Existent (same wrong 'user:' type, so nothing is granted)
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='user:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.
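Both oracles described in this section (the wrong-member-type binding error for users and service accounts, and the unauthenticated IAM REST endpoint for service accounts) combined into one script that walks a wordlist. This is an added example, not code from the original page or from gcloud; the function names, the `MY_PROJECT`/`TARGET_DOMAIN` variables, the verdict labels and the output format are my own assumptions. It needs `curl` and a `gcloud` authenticated against a project you control; because the member type is always deliberately wrong, no binding is ever written, and the gcloud calls only ever touch your own project.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate GCP principals with the two
# oracles above. classify_binding_error() and classify_sa_status() are pure functions
# that parse the responses shown on this page; probe_*() perform the network calls.

# Parse stderr of `gcloud projects add-iam-policy-binding` issued with the WRONG member
# type. Prints: exists-user | exists-sa | missing | unknown
classify_binding_error() {
  case "$1" in
    *'is of type "user"'*)           echo exists-user ;;
    *'is of type "serviceAccount"'*) echo exists-sa ;;
    *'does not exist'*)              echo missing ;;
    *)                               echo unknown ;;
  esac
}

# Choose the deliberately wrong prefix: SAs live under *.gserviceaccount.com, so probe
# them as user:, and probe anything else (Workspace users) as serviceAccount:.
wrong_prefix() {
  case "$1" in
    *.gserviceaccount.com) echo user ;;
    *)                     echo serviceAccount ;;
  esac
}

# Oracle 1 (gcloud). $1 = project you control, $2 = email to probe. Only stderr matters.
probe_binding() {
  out=$(gcloud projects add-iam-policy-binding "$1" \
          --member="$(wrong_prefix "$2"):$2" --role='roles/viewer' 2>&1 >/dev/null) || true
  classify_binding_error "$out"
}

# HTTP status of the unauthenticated IAM endpoint: 403 = SA exists, 404 = no such SA.
classify_sa_status() {
  case "$1" in
    403) echo exists-sa ;;
    404) echo missing ;;
    *)   echo unknown ;;
  esac
}

# Oracle 2 (REST, no credentials at all). $1 = project id, $2 = SA email.
probe_sa_api() {
  code=$(curl -s -o /dev/null -w '%{http_code}' \
          "https://iam.googleapis.com/v1/projects/$1/serviceAccounts/$2")
  classify_sa_status "$code"
}

# Driver: candidate local-parts on stdin (one per line); prints "email <TAB> verdict".
# TARGET_DOMAIN is either a Workspace domain or <project-id>.iam.gserviceaccount.com.
enumerate() {
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    email="$name@$TARGET_DOMAIN"
    case "$email" in
      *.gserviceaccount.com)
        proj=${TARGET_DOMAIN%%.*}            # project id is the first DNS label
        printf '%s\t%s\n' "$email" "$(probe_sa_api "$proj" "$email")" ;;
      *)
        printf '%s\t%s\n' "$email" "$(probe_binding "$MY_PROJECT" "$email")" ;;
    esac
  done
}

# Network part runs only when configured, e.g.:
#   MY_PROJECT=my-proj TARGET_DOMAIN=hacktricks.xyz sh gcp_enum.sh < names.txt
if [ -n "${MY_PROJECT:-}" ] && [ -n "${TARGET_DOMAIN:-}" ]; then
  enumerate
fi
```

For service accounts the gcloud oracle (`probe_binding`) works as well, as the page shows; the driver prefers the REST endpoint because it needs no credentials at all. Treat `unknown` as a signal to look at the raw response: a changed gcloud error string or an unexpected status such as 429 should not be silently counted as "missing".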