GCP - AppEngine Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

App Engine

For more information about App Engine check:

GCP - App Engine Enum

appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.create, appengine.versions.get, appengine.versions.list, cloudbuild.builds.get, iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.objects.create, storage.objects.list

Those are the permissions needed to deploy an App using the gcloud cli. The get and list ones might be avoidable.
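As an added example (not HackTricks code), the following Python script turns the permission sets listed on this page into an audit of a project's IAM policy: it reports which members hold a complete set for deploying a new version, for swapping the application's service account, or for ssh-ing into flexible instances. The policy and the custom role definitions below are constructed for the example; in practice the policy comes from `gcloud projects get-iam-policy <project> --format=json` and each role's permission list from `gcloud iam roles describe <role> --format=json`. It does not model resource-level `actAs` on a specific service account, which is a separate binding on the SA itself.

```python
"""Audit which principals in a GCP project IAM policy hold the permission sets
that let them deploy or modify App Engine code.

Added example (not HackTricks code). Assumptions: the policy dict mirrors the
JSON of `gcloud projects get-iam-policy --format=json`, and ROLE_PERMISSIONS
mirrors what `gcloud iam roles describe` returns; both samples here are
constructed.
"""
from collections import defaultdict

# Permission set the page gives for `gcloud app deploy`. The get/list ones are
# kept because the gcloud workflow requests them; drop them if you only care
# about the write side.
DEPLOY_PERMS = {
    "appengine.applications.get", "appengine.instances.get",
    "appengine.instances.list", "appengine.operations.get",
    "appengine.operations.list", "appengine.services.get",
    "appengine.services.list", "appengine.versions.create",
    "appengine.versions.get", "appengine.versions.list",
    "cloudbuild.builds.get", "iam.serviceAccounts.actAs",
    "resourcemanager.projects.get", "storage.objects.create",
    "storage.objects.list",
}
# Changing the SA of an already deployed app needs applications.update plus
# actAs on the target SA.
UPDATE_SA_PERMS = {"appengine.applications.update", "iam.serviceAccounts.actAs"}
# Permission set the page gives for ssh into flexible instances.
SSH_PERMS = {
    "appengine.instances.enableDebug", "appengine.instances.get",
    "appengine.instances.list", "appengine.operations.get",
    "appengine.services.get", "appengine.services.list",
    "appengine.versions.get", "appengine.versions.list",
    "compute.projects.get",
}

CHECKS = {
    "deploy new version (actAs App Engine SA)": DEPLOY_PERMS,
    "swap App Engine service account": UPDATE_SA_PERMS,
    "ssh into flexible instances": SSH_PERMS,
}

# Constructed sample roles: one is effectively a deployer, one is read-only.
ROLE_PERMISSIONS = {
    "projects/demo/roles/ciDeployer": DEPLOY_PERMS,
    "projects/demo/roles/opsDebug": SSH_PERMS | {"logging.logEntries.list"},
    "projects/demo/roles/viewerish": {"appengine.versions.get",
                                      "appengine.versions.list"},
}

# Constructed sample policy in the get-iam-policy JSON shape.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "projects/demo/roles/ciDeployer",
         "members": ["serviceAccount:ci@demo.iam.gserviceaccount.com"]},
        {"role": "projects/demo/roles/opsDebug",
         "members": ["user:ops@example.com", "group:oncall@example.com"]},
        {"role": "projects/demo/roles/viewerish",
         "members": ["user:intern@example.com"]},
    ]
}


def effective_permissions(policy, role_permissions):
    """Union the permissions of every role bound to each member.

    Roles missing from role_permissions (e.g. predefined roles not yet
    described) are returned separately so the audit is not silently partial.
    """
    perms = defaultdict(set)
    unknown_roles = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_permissions:
            unknown_roles.add(role)
            continue
        for member in binding.get("members", []):
            perms[member] |= role_permissions[role]
    return dict(perms), unknown_roles


def risky_members(policy, role_permissions, checks=CHECKS):
    """Return {member: [capability, ...]} for members holding a full check set."""
    perms, _ = effective_permissions(policy, role_permissions)
    findings = {}
    for member, held in perms.items():
        hits = [name for name, needed in checks.items() if needed <= held]
        if hits:
            findings[member] = hits
    return findings


if __name__ == "__main__":
    for member, caps in risky_members(SAMPLE_POLICY, ROLE_PERMISSIONS).items():
        print(f"{member}: {', '.join(caps)}")
```

Any role the script does not know is listed as unknown rather than ignored, so feed it every custom and predefined role that appears in the policy before trusting an empty result.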

You can find example python code at https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/appengine

By default, the App service name will be default, and there can only be 1 instance with the same name.
To change it and create a second App, in app.yaml, change the value of the root key to something like service: my-second-app

<details>
<summary>Deploy App Engine application</summary>

```bash
cd python-docs-samples/appengine/flexible/hello_world
gcloud app deploy #Upload and start application inside the folder
```

</details>

Give it at least 10–15 minutes; if it doesn't work, deploy a couple more times and wait a few minutes.

Note

It's possible to indicate the Service Account to use, but by default the App Engine default SA is used.

The URL of the application is something like https://<proj-name>.oa.r.appspot.com/ or https://<service_name>-dot-<proj-name>.oa.r.appspot.com

Update equivalent permissions

You might have enough permissions to update AppEngine but not to create a new one. In that case, this is how you could update the current App Engine:

<details>
<summary>Update an existing App Engine application</summary>

```bash
# Find the code of the App Engine in the buckets
gsutil ls

# Download code
mkdir /tmp/appengine2
cd /tmp/appengine2

# In this case it was found in this custom bucket but you could also use the
# buckets generated when the App Engine is created
gsutil cp gs://appengine-lab-1-gcp-labs-4t04m0i6-3a97003354979ef6/labs_appengine_1_premissions_privesc.zip .
unzip labs_appengine_1_premissions_privesc.zip

# Now modify the code..

# If you don't have an app.yaml, create one like:
# (quoted EOF so the local shell does not expand $PORT before it is written)
cat >> app.yaml <<'EOF'
runtime: python312

entrypoint: gunicorn -b :$PORT main:app

env_variables:
  A_VARIABLE: "value"
EOF

# Deploy the changes
gcloud app deploy

# Update the SA if you need it (and if you have actas permissions)
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com
```

</details>

If you have **already compromised an AppEngine** and you have the **`appengine.applications.update`** permission and **actAs** over the service account you want to use, you could change the service account used by AppEngine with:

<details>
<summary>Update App Engine service account</summary>

```bash
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com
```

</details>

appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.list, compute.projects.get

With these permissions, it's possible to ssh into App Engine instances of type flexible (not standard). Some of the list and get permissions might not really be needed.

<details>
<summary>SSH into an App Engine instance</summary>

```bash
# <service>, <version> and <instance> are placeholders for the values from `gcloud app instances list`
gcloud app instances ssh --service <service> --version <version> <instance>
```

</details>

appengine.applications.update, appengine.operations.get

I think this just changes the background SA that google will use to set up the applications, so I don't think you can abuse this to steal the service account.

<details>
<summary>Update the application service account</summary>

```bash
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com
```

</details>

appengine.versions.getFileContents, appengine.versions.update

I'm not sure how to use these permissions or if they are useful (note that when you change the code a new version is created, so I don't know if you can just update the code or the IAM role of one, but I guess you should be able to, maybe by changing the code inside the bucket??).

Write Access over the buckets

As mentioned, appengine versions generate some data inside a bucket with the name format: staging.<project-id>.appspot.com. Note that it's not possible to pre-claim this bucket because GCP users aren't authorized to create buckets using the domain name appspot.com.

However, with read & write access over this bucket, it's possible to escalate privileges to the SA attached to the AppEngine version by monitoring the bucket and, whenever a change occurs, modifying the code as fast as possible. That way, the container created from this code will execute the backdoored code.
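From the defender's side, the paths described on this page leave traces in Cloud Audit Logs: writes into staging.<project-id>.appspot.com by a principal that is not your deployer, changes to the application's service account (the `gcloud app update --service-account` step above), and enabling debug mode on a flexible instance before an ssh. As an added example (not HackTricks code), this Python script scans an NDJSON log export for those three events. The log lines are constructed; the field layout follows the Cloud Audit Log JSON export (`protoPayload.methodName`, `protoPayload.resourceName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.request`), while the App Engine Admin API method names `google.appengine.v1.Applications.UpdateApplication` and `google.appengine.v1.Instances.DebugInstance` and the `request.application.serviceAccount` path are assumptions made for the example, not taken from the page.

```python
"""Flag App Engine code-tampering indicators in Cloud Audit Log entries:
unexpected writes to the staging bucket, application service account changes,
and debug mode being enabled on a flexible instance.

Added example, not HackTricks code. Assumptions: entries follow the Cloud Audit
Log JSON export shape; the App Engine method names matched below and the
request field layout are assumed. All sample log lines are constructed.
"""
import json
import re

# GCS data-access audit methods that change object contents.
STORAGE_WRITE_METHODS = {"storage.objects.create", "storage.objects.update"}
BUCKET_RE = re.compile(r"^projects/_/buckets/([^/]+)/")


def staging_bucket(project_id):
    """Bucket name format the page gives: staging.<project-id>.appspot.com."""
    return f"staging.{project_id}.appspot.com"


def parse_export(ndjson_text):
    """Parse a newline-delimited JSON log export, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def analyse_entries(entries, project_id, allowed_writers):
    """Return [(severity, principal, message)] for suspicious entries.

    allowed_writers: principals expected to upload code (e.g. your CI deployer).
    """
    findings = []
    target = staging_bucket(project_id)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        resource = payload.get("resourceName", "")
        bucket = BUCKET_RE.match(resource)
        if method in STORAGE_WRITE_METHODS and bucket and bucket.group(1) == target:
            # Code upload into the staging bucket by someone who should not deploy.
            if principal not in allowed_writers:
                findings.append(("HIGH", principal, f"{method} on {resource} by non-deployer"))
        elif method.endswith("Applications.UpdateApplication"):  # assumed method name
            new_sa = payload.get("request", {}).get("application", {}).get("serviceAccount")
            if new_sa:
                findings.append(("HIGH", principal, f"application service account set to {new_sa}"))
        elif method.endswith("Instances.DebugInstance"):  # assumed method name
            findings.append(("MEDIUM", principal, f"debug mode enabled on {resource}"))
    return findings


# Constructed sample export (not real data): a legitimate CI upload, an upload
# by an unexpected user, a service account swap, a debug enable, and a write to
# an unrelated bucket that must not be flagged.
SAMPLE_LOG = """
{"protoPayload": {"methodName": "storage.objects.create", "resourceName": "projects/_/buckets/staging.demo-proj.appspot.com/objects/app.zip", "authenticationInfo": {"principalEmail": "ci-deployer@demo-proj.iam.gserviceaccount.com"}}}
{"protoPayload": {"methodName": "storage.objects.create", "resourceName": "projects/_/buckets/staging.demo-proj.appspot.com/objects/app.zip", "authenticationInfo": {"principalEmail": "contractor@example.com"}}}
{"protoPayload": {"methodName": "google.appengine.v1.Applications.UpdateApplication", "resourceName": "apps/demo-proj", "authenticationInfo": {"principalEmail": "contractor@example.com"}, "request": {"application": {"serviceAccount": "powerful-sa@demo-proj.iam.gserviceaccount.com"}}}}
{"protoPayload": {"methodName": "google.appengine.v1.Instances.DebugInstance", "resourceName": "apps/demo-proj/services/default/versions/v1/instances/i-1", "authenticationInfo": {"principalEmail": "ops@example.com"}}}
{"protoPayload": {"methodName": "storage.objects.create", "resourceName": "projects/_/buckets/other-bucket/objects/x", "authenticationInfo": {"principalEmail": "contractor@example.com"}}}
"""


if __name__ == "__main__":
    allowed = {"ci-deployer@demo-proj.iam.gserviceaccount.com"}
    for sev, who, msg in analyse_entries(parse_export(SAMPLE_LOG), "demo-proj", allowed):
        print(f"[{sev}] {who}: {msg}")
```

The bucket writes only appear if Data Access audit logs are enabled for Cloud Storage (they are off by default), whereas the App Engine application and instance changes are Admin Activity logs and are always recorded. The allowlist has to contain every principal that legitimately uploads code, otherwise each deploy is a false positive.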

For more information and a PoC check the relevant information from this page:

GCP - Storage Privesc

Write Access over the Artifact Registry

Although App Engine creates docker images inside the Artifact Registry, it was tested that even if you modify the image inside this service and remove the App Engine instance (so a new one gets executed), the code executed doesn't change.
It might be possible that performing a Race Condition attack like with the buckets could overwrite the executed code, but this wasn't tested.
