GCP - Orgpolicy Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## orgpolicy

### `orgpolicy.policy.set`
An attacker holding `orgpolicy.policy.set` can modify organization policies, which lets them lift specific constraints that block particular operations. For example, the constraint `appengine.disableCodeDownload` normally prevents downloading App Engine source code. With `orgpolicy.policy.set`, however, an attacker can disable enforcement of this constraint and then download the source code that was previously protected.
<details>
<summary>Get org policy info and disable enforcement</summary>

```bash
# Get info
gcloud resource-manager org-policies describe <constraint> --project=<project-id>

# Disable enforcement
gcloud resource-manager org-policies disable-enforce <constraint> --project=<project-id>
```
</details>
A Python script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py).
### `orgpolicy.policy.set`, `iam.serviceAccounts.actAs`
Normally it is not possible to attach a service account from a different project to a resource, because an enforced policy constraint named **`iam.disableCrossProjectServiceAccountUsage`** blocks this action.

You can check whether this constraint is enforced by running the following command:
<details>
<summary>Check the cross-project service account constraint</summary>

```bash
gcloud resource-manager org-policies describe \
    constraints/iam.disableCrossProjectServiceAccountUsage \
    --project=<project-id> \
    --effective

# Example output when the constraint is enforced:
# booleanPolicy:
#   enforced: true
# constraint: constraints/iam.disableCrossProjectServiceAccountUsage
```
</details>
This prevents an attacker from abusing the `iam.serviceAccounts.actAs` permission to impersonate a service account from another project without also holding the other infrastructure permissions needed to, for example, create a new VM, which could otherwise lead to privilege escalation.

However, an attacker with the `orgpolicy.policy.set` permission can bypass this restriction by disabling the constraint `iam.disableServiceAccountProjectWideAccess`. This allows the attacker to attach a service account from another project to a resource in their own project, resulting in privilege escalation.
<details>
<summary>Disable cross-project service account constraint</summary>

```bash
gcloud resource-manager org-policies disable-enforce \
    iam.disableCrossProjectServiceAccountUsage \
    --project=<project-id>
```
</details>
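Both techniques on this page (lifting `appengine.disableCodeDownload` and lifting `iam.disableCrossProjectServiceAccountUsage`) depend on a constraint silently becoming unenforced. The following is an added example written for this page, not code from HackTricks or from the Rhino Security Labs script: it parses the `--effective` output shape shown above to report which watched constraints are not enforced, and flags Cloud Audit Log entries that look like org-policy writes. The sample outputs and log entries are constructed; the service names and method-name substrings used for matching, and the treatment of a missing `enforced: true` as "not enforced", are assumptions to verify against your own environment.

```python
"""Defender-side audit for the org-policy constraints discussed on this page.

Part 1 parses the text that
`gcloud resource-manager org-policies describe <constraint> --project=<id> --effective`
prints (the booleanPolicy shape shown above) and lists watched constraints
that are not enforced.
Part 2 flags Cloud Audit Log entries that look like org-policy writes, which
is how abuse of `orgpolicy.policy.set` would surface in Admin Activity logs.
"""
import json
import re

# Constraints named on this page. An unenforced one means the corresponding
# mitigation is absent at the effective (inherited) level.
WATCHED_CONSTRAINTS = (
    "constraints/appengine.disableCodeDownload",
    "constraints/iam.disableCrossProjectServiceAccountUsage",
)

# Assumption: org-policy writes are audited under these service names and the
# method names contain one of these markers. Check your own logs before relying
# on this filter.
ORG_POLICY_SERVICES = ("cloudresourcemanager.googleapis.com", "orgpolicy.googleapis.com")
WRITE_METHOD_MARKERS = ("SetOrgPolicy", "CreatePolicy", "UpdatePolicy", "DeletePolicy")


def parse_effective_policy(text):
    """Parse one `describe --effective` output into {constraint, enforced}.

    Only the booleanPolicy shape is handled. If `enforced: true` is absent
    (for example `booleanPolicy: {}`), the constraint is treated as NOT
    enforced; that interpretation is an assumption, not documented behaviour.
    """
    constraint, enforced = None, False
    for line in text.splitlines():
        m = re.match(r"^\s*constraint:\s*(\S+)\s*$", line)
        if m:
            constraint = m.group(1)
            continue
        m = re.match(r"^\s*enforced:\s*(true|false)\s*$", line)
        if m:
            enforced = m.group(1) == "true"
    return {"constraint": constraint, "enforced": enforced}


def unenforced_constraints(describe_outputs):
    """Return the watched constraints that are not effectively enforced."""
    state = {}
    for out in describe_outputs:
        parsed = parse_effective_policy(out)
        if parsed["constraint"]:
            state[parsed["constraint"]] = parsed["enforced"]
    # A constraint we never saw output for is reported as well: absence of
    # evidence is not enforcement.
    return [c for c in WATCHED_CONSTRAINTS if not state.get(c, False)]


def org_policy_writes(audit_entries):
    """Return (principal, method, resource) for entries that modify org policy."""
    hits = []
    for entry in audit_entries:
        payload = entry.get("protoPayload", {})
        service = payload.get("serviceName", "")
        method = payload.get("methodName", "")
        if service in ORG_POLICY_SERVICES and any(mk in method for mk in WRITE_METHOD_MARKERS):
            principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
            hits.append((principal, method, payload.get("resourceName", "?")))
    return hits


# Constructed sample data (not real gcloud or Cloud Logging output).
SAMPLE_DESCRIBE_OUTPUTS = [
    "booleanPolicy:\n  enforced: true\n"
    "constraint: constraints/iam.disableCrossProjectServiceAccountUsage\n",
    "booleanPolicy: {}\nconstraint: constraints/appengine.disableCodeDownload\n",
]

SAMPLE_AUDIT_ENTRIES = [
    json.loads('{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", '
               '"methodName": "SetOrgPolicy", "resourceName": "projects/example-project", '
               '"authenticationInfo": {"principalEmail": "dev@example.com"}}}'),
    json.loads('{"protoPayload": {"serviceName": "compute.googleapis.com", '
               '"methodName": "v1.compute.instances.insert", '
               '"resourceName": "projects/example-project/zones/us-central1-a/instances/vm1", '
               '"authenticationInfo": {"principalEmail": "dev@example.com"}}}'),
]

if __name__ == "__main__":
    for c in unenforced_constraints(SAMPLE_DESCRIBE_OUTPUTS):
        print(f"NOT ENFORCED: {c}")
    for principal, method, resource in org_policy_writes(SAMPLE_AUDIT_ENTRIES):
        print(f"ORG POLICY WRITE: {principal} called {method} on {resource}")
```

In practice you would feed `unenforced_constraints` the real `describe --effective` output for each watched constraint at the project, folder and organization level, and run `org_policy_writes` over exported Admin Activity entries; any write to org policy by a principal that is not your policy administrator group is the event worth alerting on.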