GCP - KMS Privesc

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

KMS

Information about KMS:

GCP - KMS Enum

Note that in KMS, permissions are not only inherited from Orgs, Folders and Projects, but can also come from Keyrings.

cloudkms.cryptoKeyVersions.useToDecrypt

You can use this permission to decrypt information with the key you have access to.

Decrypt data using KMS key

```bash
gcloud kms decrypt \
  --location=[LOCATION] \
  --keyring=[KEYRING_NAME] \
  --key=[KEY_NAME] \
  --version=[KEY_VERSION] \
  --ciphertext-file=[ENCRYPTED_FILE_PATH] \
  --plaintext-file=[DECRYPTED_FILE_PATH]
```

cloudkms.cryptoKeys.setIamPolicy

An attacker with this permission can give himself permissions to use the key to decrypt information.

Grant yourself the KMS decrypter role

```bash
gcloud kms keys add-iam-policy-binding [KEY_NAME] \
  --location [LOCATION] \
  --keyring [KEYRING_NAME] \
  --member [MEMBER] \
  --role roles/cloudkms.cryptoKeyDecrypter
```

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

Here is a conceptual summary of how this delegation works:

  1. Service Account A has direct access to decrypt using a specific key in KMS.
  2. Service Account B has been granted the useToDecryptViaDelegation permission. This allows it to ask KMS to decrypt data on behalf of Service Account A.

Whether this permission can be used depends on how the KMS service checks permissions when a decrypt request is sent.

When you make a standard decrypt request using the Google Cloud KMS API (in Python or another language), the service checks whether the service account making the request has the required permissions. If the request is made by a service account holding the useToDecryptViaDelegation permission, KMS verifies whether this account is allowed to request decryption on behalf of the entity that owns the key.

Setting up the Delegation

  1. Define the Custom Role: Create a YAML file (for example, custom_role.yaml) that defines the custom role. This file should include the cloudkms.cryptoKeyVersions.useToDecryptViaDelegation permission. Here is an example of what this file might look like:

Custom role YAML definition

```yaml
title: "KMS Decryption via Delegation"
description: "Allows decryption via delegation"
stage: "GA"
includedPermissions:
  - "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"
```

  2. Create the Custom Role Using the gcloud CLI: Use the following command to create the custom role in your Google Cloud project:

Create the custom KMS role

```bash
gcloud iam roles create kms_decryptor_via_delegation --project [YOUR_PROJECT_ID] --file custom_role.yaml
```

Replace `[YOUR_PROJECT_ID]` with your Google Cloud project ID.

  3. Grant the custom role to a service account: Grant your custom role to the service account that will use this permission. Use the following command:

Grant the custom role to a service account

```bash
# Give this permission to the service account to impersonate
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member "serviceAccount:[SERVICE_ACCOUNT_B_EMAIL]" \
  --role "projects/[PROJECT_ID]/roles/[CUSTOM_ROLE_ID]"

# Give this permission over the project to be able to impersonate any SA
gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
  --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
  --role="projects/[YOUR_PROJECT_ID]/roles/kms_decryptor_via_delegation"
```

Replace `[YOUR_PROJECT_ID]` and `[SERVICE_ACCOUNT_EMAIL]` with your project ID and the service account's email address respectively.
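As an added defensive example (not part of the original page), the following Python script audits exported KMS IAM policies for the three permissions covered above (useToDecrypt, cryptoKeys.setIamPolicy and useToDecryptViaDelegation). It merges keyring-level and key-level bindings, since key permissions are inherited from the keyring as noted at the top of the page, resolves predefined and custom roles to the permissions they grant, and reports every principal that ends up with one of those permissions. The sample policies, project name, principals and the small predefined-role-to-permission table are constructed assumptions for this example; in practice you would feed it the JSON printed by `gcloud kms keyrings get-iam-policy` / `gcloud kms keys get-iam-policy --format=json` and the `includedPermissions` from `gcloud iam roles describe`.

```python
"""Offline audit of GCP KMS IAM bindings for escalation-relevant permissions.

Input shape matches `gcloud kms keyrings get-iam-policy --format=json`,
`gcloud kms keys get-iam-policy --format=json` and the includedPermissions
list of `gcloud iam roles describe`. All sample data below is constructed.
"""
import json

# Permissions discussed on this page.
SENSITIVE_PERMISSIONS = {
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeys.setIamPolicy",
    "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
}

# Assumption: a deliberately small table of predefined roles that carry the
# sensitive permissions. For a full audit, extend it from
# `gcloud iam roles describe roles/<name>` (roles/owner etc. also qualify).
PREDEFINED_ROLE_PERMISSIONS = {
    "roles/cloudkms.cryptoKeyDecrypter": {"cloudkms.cryptoKeyVersions.useToDecrypt"},
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {"cloudkms.cryptoKeyVersions.useToDecrypt"},
    "roles/cloudkms.admin": {"cloudkms.cryptoKeys.setIamPolicy"},
}


def role_permissions(role, custom_roles):
    """Resolve a role name to the permissions it grants (custom roles first)."""
    if role in custom_roles:
        return set(custom_roles[role])
    return PREDEFINED_ROLE_PERMISSIONS.get(role, set())


def effective_bindings(*policies):
    """Merge bindings from several policies (e.g. keyring then key), because a
    principal bound on the keyring effectively holds that role on every key
    inside it. Conditional bindings are merged too: a condition narrows when
    the grant applies, it does not remove the path."""
    member_roles = {}
    for policy in policies:
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                member_roles.setdefault(member, set()).add(binding["role"])
    return member_roles


def find_escalation_paths(custom_roles, *policies):
    """Return {member: sorted list of sensitive permissions} for every member
    who holds at least one SENSITIVE_PERMISSION through any merged binding."""
    findings = {}
    for member, roles in effective_bindings(*policies).items():
        perms = set()
        for role in roles:
            perms |= role_permissions(role, custom_roles) & SENSITIVE_PERMISSIONS
        if perms:
            findings[member] = sorted(perms)
    return findings


# Constructed sample input: one keyring policy, one key policy, one custom role.
KEYRING_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwExample="
}""")

KEY_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudkms.admin",
     "members": ["user:alice@example.com"]},
    {"role": "projects/example-project/roles/kms_decryptor_via_delegation",
     "members": ["serviceAccount:sa-b@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwExample="
}""")

# Hypothetical custom role, shaped like the YAML definition on this page.
CUSTOM_ROLES = {
    "projects/example-project/roles/kms_decryptor_via_delegation": [
        "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
    ],
}

if __name__ == "__main__":
    for member, perms in find_escalation_paths(CUSTOM_ROLES, KEYRING_POLICY, KEY_POLICY).items():
        print(f"{member}: {', '.join(perms)}")
```

Running it on the constructed data reports the application service account (inherited decrypt via the keyring binding), alice (can rewrite the key policy) and sa-b (delegated decrypt via the custom role), while bob, who only holds a viewer role, is not reported.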
