GCP - Token Persistence

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Authenticated User Tokens

To get the current access token of the user you can run:

Get the access token from the SQLite database:

```bash
sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='';"
```

Check on this page how to use this token directly with gcloud:

Cloud SSRF - HackTricks

To get the details needed to generate a new access token, run:

Get the refresh token from the SQLite database:

```bash
sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='';"
```

It is also possible to find refresh tokens in $HOME/.config/gcloud/application_default_credentials.json and in $HOME/.config/gcloud/legacy_credentials/*/adc.json.

To get a new refreshed access token using the refresh token, client ID and client secret, run:

Get a new access token using the refresh token:

```bash
curl -s --data client_id= --data client_secret= --data grant_type=refresh_token --data refresh_token= --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```

The lifetime of refresh tokens can be managed in Admin > Security > Google Cloud session control; by default it is set to 16 hours, although it can be set to never expire.
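As an added defensive check (not code from the original page), the following Python audits a host's gcloud config directory for the files listed above: it reports which of them are readable by other users and which hold a long-lived refresh token, without printing any secret. The `credentials` table layout is assumed from the query above, and `build_sample_config` constructs a fake config directory with placeholder values so the audit runs offline.

```python
import json, os, sqlite3, stat, tempfile

# Credential files gcloud caches under its config dir (paths from the page).
CRED_FILES = ["access_tokens.db", "credentials.db", "application_default_credentials.json"]

def _has_refresh_token(path):
    """True if the file stores a long-lived refresh token, not just an access token."""
    if path.endswith("credentials.db"):
        con = sqlite3.connect(path)
        rows = con.execute("select value from credentials").fetchall()
        con.close()
        return any("refresh_token" in json.loads(v) for (v,) in rows)
    if path.endswith(".json"):
        with open(path) as f:
            return "refresh_token" in json.load(f)
    return False  # access_tokens.db only caches short-lived access tokens

def audit_gcloud_config(config_dir):
    """Per credential file: is it readable by group/others, and does it hold a refresh token?"""
    candidates = [os.path.join(config_dir, n) for n in CRED_FILES]
    legacy = os.path.join(config_dir, "legacy_credentials")
    if os.path.isdir(legacy):
        candidates += [os.path.join(legacy, a, "adc.json") for a in os.listdir(legacy)]
    findings = {}
    for path in filter(os.path.isfile, candidates):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        findings[os.path.relpath(path, config_dir)] = {
            "others_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "has_refresh_token": _has_refresh_token(path),
        }
    return findings

def build_sample_config():
    """Constructed sample config dir with fake values so the audit can run offline."""
    d = tempfile.mkdtemp()
    cred = {"type": "authorized_user", "client_id": "FAKE.apps.googleusercontent.com",
            "client_secret": "FAKE_SECRET", "refresh_token": "FAKE_REFRESH_TOKEN"}
    con = sqlite3.connect(os.path.join(d, "credentials.db"))
    con.execute("create table credentials(account_id text primary key, value text)")
    con.execute("insert into credentials values (?, ?)", ("user@example.com", json.dumps(cred)))
    con.commit()
    con.close()
    adc = os.path.join(d, "application_default_credentials.json")
    with open(adc, "w") as f:
        json.dump(cred, f)
    os.chmod(adc, 0o644)  # deliberately too permissive, like a file copied around
    os.chmod(os.path.join(d, "credentials.db"), 0o600)
    return d
```

Run `audit_gcloud_config(os.path.expanduser("~/.config/gcloud"))` on a real host to see which cached credentials should be revoked with `gcloud auth revoke` after a suspected compromise.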

Authentication flow

The authentication flow when using something like gcloud auth login will open a prompt in the browser and, after accepting all the scopes, the browser will send a request like this one to the HTTP port opened by the tool:

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

Then, gcloud will use the state and code together with the hardcoded client_id (32555940559.apps.googleusercontent.com) and client_secret (ZmssLNjJy2998hD4CTg2ejr2) to obtain the final refresh token data.

Caution

Note that the communication with localhost is over HTTP, so it's possible to intercept the data to obtain the refresh token; however, this data is valid only once, so it wouldn't be useful: it's easier to read the refresh token from the file.

OAuth Scopes

You can find all the Google scopes at https://developers.google.com/identity/protocols/oauth2/scopes or get them by running:

Get all Google OAuth scopes:

```bash
# The original regex used the invalid range a-A; it is fixed to a-Z here
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\-\._]*' | sort -u
```

It's possible to see which scopes the application gcloud uses to authenticate can support with this script:

Test the scopes supported by gcloud:

```bash
# For every published scope, request consent for gcloud's baseline scopes plus that one;
# if Google does not answer with an error, the gcloud OAuth client supports the scope
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
    echo -ne "Testing $scope \r"
    if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
        echo ""
        echo "$scope"
    fi
done
```

After running it, it was verified that this app supports these scopes:

https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email

It's interesting to see that this app supports the drive scope, which could allow a user to move from GCP to Workspace if an attacker manages to force the user to generate a token with this scope.

Check how to abuse this here.
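As an added detection example (not code from the original page), the following Python parses the localhost callback request line shown in the authentication flow above, extracts the scopes the user consented to, and flags any outside gcloud's usual set, in particular the drive scope that enables the GCP-to-Workspace pivot. The baseline set is taken from the callback above; `SAMPLE_CALLBACK` is a constructed request line with a fake code.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes gcloud auth login requests in the callback shown above.
GCLOUD_BASELINE = {
    "openid", "email",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/appengine.admin",
    "https://www.googleapis.com/auth/sqlservice.login",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/accounts.reauth",
}
# Scopes that let a GCP login reach Workspace data (the drive pivot described above).
WORKSPACE_SCOPES = {"https://www.googleapis.com/auth/drive"}

def parse_callback(request_line):
    """Extract state, whether a code is present, and the granted scopes from the
    localhost callback request line ("/?state=...&code=...&scope=... HTTP/1.1",
    with or without a leading HTTP method)."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 and parts[0].isalpha() else parts[0]
    qs = parse_qs(urlsplit(target).query)  # parse_qs also decodes the %20 separators
    return {
        "state": qs.get("state", [None])[0],
        "has_code": "code" in qs,
        "scopes": set(qs.get("scope", [""])[0].split()),
    }

def flag_scopes(scopes):
    """Scopes outside the gcloud baseline, and those that reach Workspace."""
    return {"unexpected": scopes - GCLOUD_BASELINE,
            "workspace": scopes & WORKSPACE_SCOPES}

# Constructed sample: the page's callback shape with a fake code and the drive scope added.
SAMPLE_CALLBACK = (
    "/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=FAKE_CODE"
    "&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email"
    "%20https://www.googleapis.com/auth/cloud-platform"
    "%20https://www.googleapis.com/auth/drive&authuser=0&prompt=consent HTTP/1.1"
)

if __name__ == "__main__":
    parsed = parse_callback(SAMPLE_CALLBACK)
    print(parsed["state"], flag_scopes(parsed["scopes"]))
```

The same logic applies to the consent URL a proxy sees going to accounts.google.com, since it carries the requested scopes in the same `scope` parameter.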

Service Accounts

As with authenticated users, if you manage to compromise the private key file of a service account you will usually be able to access it for as long as you want.
However, if you steal the OAuth token of a service account this can be even more interesting, because, even if by default these tokens are only valid for an hour, if the victim deletes the private API key, the OAuth token will still be valid until it expires.

Metadata

Obviously, as long as you are inside a machine running in the GCP environment you will be able to access the service account attached to that machine by contacting the metadata endpoint (note that the OAuth tokens you can get from this endpoint are usually restricted by scopes).

Remediation

Some remediations for these techniques are explained in https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2
