GCP - KMS Privesc
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
KMS
Information about KMS:
Note that in KMS, permissions are inherited not only from Organizations, Folders and Projects but also from Key Rings: a binding on a key ring applies to every key inside it.
cloudkms.cryptoKeyVersions.useToDecrypt
You can use this permission to decrypt data with any key you hold it on.
# Symmetric keys: the key version is recorded inside the ciphertext, so
# gcloud kms decrypt takes no --version flag (gcloud kms asymmetric-decrypt does)
gcloud kms decrypt \
--location=[LOCATION] \
--keyring=[KEYRING_NAME] \
--key=[KEY_NAME] \
--ciphertext-file=[ENCRYPTED_FILE_PATH] \
--plaintext-file=[DECRYPTED_FILE_PATH]
cloudkms.cryptoKeys.setIamPolicy
An attacker with this permission can grant themselves the right to use the key to decrypt data.
gcloud kms keys add-iam-policy-binding [KEY_NAME] \
--location [LOCATION] \
--keyring [KEYRING_NAME] \
--member [MEMBER] \
--role roles/cloudkms.cryptoKeyDecrypter
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
Here is a conceptual explanation of how this delegation works:
- Service Account A has direct decrypt access with a specific key in KMS.
- Service Account B is granted the useToDecryptViaDelegation permission. This allows it to ask KMS to decrypt data on behalf of Service Account A.
The use of this permission is implicit in the way the KMS service checks permissions when a decrypt request is made. When you make a standard decrypt request through the Google Cloud KMS API (in Python or another language), the service checks whether the requesting service account has the required permissions. If the request is made by a service account with the useToDecryptViaDelegation permission, KMS verifies whether this account is allowed to request decryption on behalf of the entity that owns the key.
Setting up Delegation
- Define the Custom Role: Create a YAML file (for example, custom_role.yaml) that defines the custom role. This file must include the cloudkms.cryptoKeyVersions.useToDecryptViaDelegation permission. Here is an example of what the file might look like:
title: "KMS Decryption via Delegation"
description: "Allows decryption via delegation"
stage: "GA"
includedPermissions:
- "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"
- Create the Custom Role with the gcloud CLI: Use the following command to create the custom role in your Google Cloud project:
gcloud iam roles create kms_decryptor_via_delegation --project [YOUR_PROJECT_ID] --file custom_role.yaml
Replace [YOUR_PROJECT_ID] with your Google Cloud project ID.
- Grant the Custom Role to the Service Account: Assign the custom role to the service account that will use this permission. Use the following command:
# Give this permission to the service account to impersonate
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[SERVICE_ACCOUNT_B_EMAIL]" \
--role "projects/[PROJECT_ID]/roles/[CUSTOM_ROLE_ID]"
# Give this permission over the project to be able to impersonate any SA
gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
--member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
--role="projects/[YOUR_PROJECT_ID]/roles/kms_decryptor_via_delegation"
Replace [YOUR_PROJECT_ID] and [SERVICE_ACCOUNT_EMAIL] with your project ID and the service account's email address, respectively.
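The following Python script is an added example, not part of the original page or of any Google tooling. It ties together the three points above: because KMS bindings inherit from project to key ring to key, it merges the IAM policies of all three levels, expands predefined roles and the custom role defined in the setup steps into permissions, and reports for a given member whether it can decrypt directly (useToDecrypt), decrypt via delegation (useToDecryptViaDelegation), or grant itself decrypt rights through cloudkms.cryptoKeys.setIamPolicy / cloudkms.keyRings.setIamPolicy (which roles/cloudkms.admin carries although it cannot decrypt). The project name, service account emails and sample policies are constructed for illustration; the predefined-role table is a subset limited to the permissions that matter here. fetch_policies shows the real gcloud calls but is not invoked by default, so the script runs offline.

```python
"""Effective Cloud KMS permissions of a member on one key.

KMS IAM bindings are inherited project -> key ring -> key, so a binding on the
key ring or the project is as good as one on the key itself. The script merges
the three policy levels, expands roles into permissions and reports the
privesc paths discussed on this page.
"""
import json
import subprocess
from typing import Dict, Iterable, List, Set

DECRYPT = "cloudkms.cryptoKeyVersions.useToDecrypt"
DECRYPT_VIA_DELEGATION = "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"
SET_KEY_POLICY = "cloudkms.cryptoKeys.setIamPolicy"
SET_KEYRING_POLICY = "cloudkms.keyRings.setIamPolicy"

# Predefined KMS roles reduced to the permissions that matter here. Admin can
# manage keys and their IAM policies but holds no encrypt/decrypt permission.
PREDEFINED_ROLES: Dict[str, Set[str]] = {
    "roles/cloudkms.cryptoKeyDecrypter": {DECRYPT},
    "roles/cloudkms.cryptoKeyEncrypter": {"cloudkms.cryptoKeyVersions.useToEncrypt"},
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {DECRYPT, "cloudkms.cryptoKeyVersions.useToEncrypt"},
    "roles/cloudkms.cryptoKeyDecrypterViaDelegation": {DECRYPT_VIA_DELEGATION},
    "roles/cloudkms.admin": {SET_KEY_POLICY, SET_KEYRING_POLICY, "cloudkms.cryptoKeys.getIamPolicy"},
}


def roles_for_member(policy: dict, member: str) -> Set[str]:
    """Roles a member holds in one IAM policy (binding conditions are ignored)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def expand_roles(roles: Iterable[str], custom_roles: Dict[str, Set[str]]) -> Set[str]:
    """Map roles to permissions; roles in neither table contribute nothing."""
    perms: Set[str] = set()
    for role in roles:
        perms |= PREDEFINED_ROLES.get(role, set()) | custom_roles.get(role, set())
    return perms


def effective_permissions(member: str, project_policy: dict, keyring_policy: dict,
                          key_policy: dict, custom_roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the member's bindings at project, key ring and key level."""
    roles: Set[str] = set()
    for policy in (project_policy, keyring_policy, key_policy):
        roles |= roles_for_member(policy, member)
    return expand_roles(roles, custom_roles)


def privesc_paths(perms: Set[str]) -> List[str]:
    """Name the paths from this page that the permission set enables."""
    paths: List[str] = []
    if DECRYPT in perms:
        paths.append("decrypt")                 # gcloud kms decrypt
    if DECRYPT_VIA_DELEGATION in perms:
        paths.append("decrypt_via_delegation")  # decrypt on behalf of the key owner
    if perms & {SET_KEY_POLICY, SET_KEYRING_POLICY}:
        paths.append("self_grant_decrypt")      # add-iam-policy-binding cryptoKeyDecrypter
    return paths


def fetch_policies(project: str, location: str, keyring: str, key: str):
    """Pull the three policy levels with gcloud (requires getIamPolicy rights). Not run by default."""
    def run(*args: str) -> dict:
        return json.loads(subprocess.check_output(["gcloud", *args, "--format=json"]))
    return (
        run("projects", "get-iam-policy", project),
        run("kms", "keyrings", "get-iam-policy", keyring, f"--location={location}"),
        run("kms", "keys", "get-iam-policy", key, f"--keyring={keyring}", f"--location={location}"),
    )


# Constructed sample data (not real gcloud output). Project name, emails and the
# custom role ID follow the placeholders used in the setup steps above.
SA_A = "serviceAccount:sa-a@example-project.iam.gserviceaccount.com"
SA_B = "serviceAccount:sa-b@example-project.iam.gserviceaccount.com"
SA_ADMIN = "serviceAccount:kms-admin@example-project.iam.gserviceaccount.com"
CUSTOM_ROLE = "projects/example-project/roles/kms_decryptor_via_delegation"
SAMPLE_CUSTOM_ROLES = {CUSTOM_ROLE: {DECRYPT_VIA_DELEGATION}}  # includedPermissions from the YAML
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/cloudkms.admin", "members": [SA_ADMIN]},
    {"role": CUSTOM_ROLE, "members": [SA_B]},
]}
SAMPLE_KEYRING_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter", "members": [SA_A]},  # inherited by every key in the ring
]}
SAMPLE_KEY_POLICY: dict = {"bindings": []}  # nothing set on the key itself


def analyze(member: str) -> List[str]:
    """Privesc paths the member has on the sample key once inheritance is applied."""
    perms = effective_permissions(member, SAMPLE_PROJECT_POLICY, SAMPLE_KEYRING_POLICY,
                                  SAMPLE_KEY_POLICY, SAMPLE_CUSTOM_ROLES)
    return privesc_paths(perms)


if __name__ == "__main__":
    for member in (SA_A, SA_B, SA_ADMIN):
        print(f"{member}: {analyze(member) or ['none']}")
```

Two caveats when using this against real policies: IAM binding conditions are ignored, so a conditional binding is reported as if it always applied, and roles outside the two tables (for example roles/owner or another custom role you have not loaded) expand to nothing, so the result is a lower bound on what a member can do. Replace the sample policies with the tuple returned by fetch_policies to run it against a real project, key ring and key.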