GCP - local privilege escalation ssh pivoting
In this scenario we assume that you have compromised a non-privileged account inside a VM in a Compute Engine project.
Surprisingly, the GCP permissions of the Compute Engine instance you have compromised may help you to escalate privileges locally inside a machine. Even if that won't always be very helpful in a cloud environment, it's good to know it's possible.
Read the scripts
Compute Instances are probably there to execute some scripts that perform actions with their service accounts.
As IAM is very granular, an account may have read/write privileges over a resource but no list privileges.
A good hypothetical example is a Compute Instance that has permission to read/write backups to a storage bucket called `instance82736-long-term-xyz-archive-0332893`.
Running `gsutil ls` from the command line returns nothing, as the service account lacks the `storage.buckets.list` IAM permission. However, if you run `gsutil ls gs://instance82736-long-term-xyz-archive-0332893` you may find a complete filesystem backup, giving you clear-text access to data that your local Linux account lacks.
You may be able to find this bucket name inside a script (in bash, Python, Ruby…).
Custom Metadata
Administrators can add custom metadata at the instance and project level. This is simply a way to pass arbitrary key/value pairs into an instance, and it is commonly used for environment variables and startup/shutdown scripts.
Moreover, it's possible to add userdata, which is a script that will be executed every time the machine is started or restarted and that can also be accessed from the metadata endpoint.
For more info check:
Abusing IAM permissions
Most of the following proposed permissions are given to the default Compute SA; the only problem is that the default access scope prevents the SA from using them. However, if the cloud-platform scope is enabled, or just the compute scope is enabled, you will be able to abuse them.
Check the following permissions:
- compute.instances.osLogin
- compute.instances.osAdminLogin
- compute.projects.setCommonInstanceMetadata
- compute.instances.setMetadata
- compute.instances.setIamPolicy
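
To find the instances where the access scope no longer holds these permissions back, the audit below flags any attached service account that carries the cloud-platform or compute scope and marks whether it is the default Compute SA. It is an added example, not code from the original page; the inventory is a constructed sample shaped like `gcloud compute instances list --format=json` output, and the function and variable names are hypothetical.

```python
import json
import re

# Constructed sample shaped like `gcloud compute instances list --format=json`
# output, trimmed to the fields used here. All names and numbers are made up.
SAMPLE_INSTANCES = json.loads("""
[
 {"name": "web-1", "serviceAccounts": [
   {"email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "batch-2", "serviceAccounts": [
   {"email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
               "https://www.googleapis.com/auth/logging.write"]}]},
 {"name": "db-3", "serviceAccounts": [
   {"email": "backup@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/compute",
               "https://www.googleapis.com/auth/logging.write"]}]},
 {"name": "legacy-4"}
]
""")

# Default Compute Engine service account: <project-number>-compute@developer...
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Scopes the page names as removing the restriction on the SA's permissions.
BROAD_SCOPES = {"cloud-platform", "compute"}


def audit_scopes(instances):
    """Return one finding per attached SA whose access scopes are broad."""
    findings = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            # Compare on the last path segment of each scope URL.
            short = {s.rsplit("/", 1)[-1] for s in sa.get("scopes", [])}
            broad = sorted(short & BROAD_SCOPES)
            if broad:
                findings.append({
                    "instance": inst["name"],
                    "service_account": sa["email"],
                    "default_compute_sa": bool(DEFAULT_COMPUTE_SA.match(sa["email"])),
                    "broad_scopes": broad,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_scopes(SAMPLE_INSTANCES):
        print(finding)
```
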
Search for Keys in the filesystem
Check if other users have logged in to gcloud inside the box and left their credentials in the filesystem:
Find gcloud credentials in the filesystem
```
sudo find / -name "gcloud"
```
These are the most interesting files:
- ~/.config/gcloud/credentials.db
- ~/.config/gcloud/legacy_credentials/[ACCOUNT]/adc.json
- ~/.config/gcloud/legacy_credentials/[ACCOUNT]/.boto
- ~/.credentials.json
More API Keys regexes
Grep patterns for GCP credentials and keys
```bash
TARGET_DIR="/path/to/whatever"

# Service account keys
grep -Pzr "(?s){[^{}]*?service_account[^{}]*?private_key.*?}" "$TARGET_DIR"

# Legacy GCP creds
grep -Pzr "(?s){[^{}]*?client_id[^{}]*?client_secret.*?}" "$TARGET_DIR"

# Google API keys
grep -Pr "AIza[a-zA-Z0-9\-_]{35}" "$TARGET_DIR"

# Google OAuth tokens
grep -Pr "ya29\.[a-zA-Z0-9_-]{100,200}" "$TARGET_DIR"

# Generic SSH keys
grep -Pzr "(?s)-----BEGIN[ A-Z]*?PRIVATE KEY[a-zA-Z0-9/+=\n-]*?END[ A-Z]*?PRIVATE KEY-----" "$TARGET_DIR"

# Signed storage URLs
grep -Pir "storage.googleapis.com.*?Goog-Signature=[a-f0-9]+" "$TARGET_DIR"

# Signed policy documents in HTML
grep -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' "$TARGET_DIR"
```
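
The Custom Metadata section and the patterns above meet in one hygiene check: sweeping instance or project metadata values for credential-shaped strings before anyone on the VM can read them from the metadata endpoint. The sketch below is an added example, not code from the original page; it reuses four of the page's patterns as Python regexes, the metadata items are constructed in the `metadata.items` key/value shape of the instance JSON, and the function name is hypothetical. Findings are reported redacted.

```python
import re

# Token shapes taken from the grep patterns on this page.
PATTERNS = {
    "service_account_key": re.compile(
        r"\{[^{}]*?service_account[^{}]*?private_key.*?\}", re.S),
    "google_api_key": re.compile(r"AIza[a-zA-Z0-9\-_]{35}"),
    "google_oauth_token": re.compile(r"ya29\.[a-zA-Z0-9_-]{100,200}"),
    "private_key": re.compile(
        r"-----BEGIN[ A-Z]*?PRIVATE KEY[a-zA-Z0-9/+=\n-]*?END[ A-Z]*?PRIVATE KEY-----"),
}

# Constructed sample: metadata items as key/value pairs. The values are
# placeholders that only have the right shape; none is a real credential.
SAMPLE_ITEMS = [
    {"key": "startup-script",
     "value": "#!/bin/bash\nexport MAPS_KEY=" + "AIza" + "C" * 35 + "\n./run.sh\n"},
    {"key": "sa-key",
     "value": '{"type": "service_account", "private_key": "constructed-not-a-key"}'},
    {"key": "environment", "value": "staging"},
]


def scan_metadata(items):
    """Return (metadata key, finding kind, redacted preview) tuples."""
    findings = []
    for item in items:
        value = item.get("value", "")
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(value):
                secret = match.group(0)
                # Never echo the full match: first 4 chars and length only.
                preview = f"{secret[:4]}...({len(secret)} chars)"
                findings.append((item["key"], kind, preview))
    return findings


if __name__ == "__main__":
    for key, kind, preview in scan_metadata(SAMPLE_ITEMS):
        print(f"{key}: {kind} {preview}")
```
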
## References
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)

