GCP - Cloud Functions Enum

Reading time: 5 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cloud Functions

Google Cloud Functions zimeundwa kuhifadhi msimbo wako, ambao unatekelezwa kama jibu kwa matukio, bila kuhitaji usimamizi wa mfumo wa uendeshaji wa mwenyeji. Zaidi ya hayo, kazi hizi zinasaidia uhifadhi wa mabadiliko ya mazingira, ambayo msimbo unaweza kutumia.

Storage

Msimbo wa Cloud Functions uhifadhiwa katika GCP Storage. Hivyo, mtu yeyote mwenye upatikanaji wa kusoma juu ya ndoo katika GCP ataweza kusoma msimbo wa Cloud Functions.
Msimbo uhifadhiwa katika ndoo kama moja ya zifuatazo:

  • gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip
  • gcf-v2-sources-<number>-<region>/<function-name>function-source.zip

Kwa mfano:
gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip

warning

Mtumiaji yeyote mwenye haki za kusoma juu ya ndoo inayohifadhi Cloud Function anaweza kusoma msimbo uliofanywa kazi.

Artifact Registry

Ikiwa kazi ya wingu imewekwa ili kontena la Docker lililotekelezwa lihifadhiwe ndani ya repo ya Artifact Registry ndani ya mradi, mtu yeyote mwenye upatikanaji wa kusoma juu ya repo ataweza kupakua picha na kuangalia msimbo wa chanzo. Kwa maelezo zaidi angalia:

GCP - Artifact Registry Enum

SA

Ikiwa haijabainishwa, kwa kawaida App Engine Default Service Account yenye idhini za Mhariri juu ya mradi itakuwa imeunganishwa na Cloud Function.

Triggers, URL & Authentication

Wakati Cloud Function inaundwa, trigger inahitaji kubainishwa. Moja ya kawaida ni HTTPS, hii itaunda URL ambapo kazi inaweza kuanzishwa kupitia kivinjari cha wavuti.
Triggers nyingine ni pub/sub, Storage, Filestore...

Muundo wa URL ni https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>

Wakati trigger ya HTTPS inatumika, pia inaonyeshwa ikiwa mpiga simu anahitaji kuwa na idhini ya IAM ili kuita Kazi au ikiwa kila mtu anaweza kuikalia:

Inside the Cloud Function

Msimbo unapakuliwa ndani ya folda /workspace ukiwa na majina sawa na yale ya faili katika Cloud Function na unatekelezwa na mtumiaji www-data.
Diski haiunganishwi kama isiyo ya kusoma.

Enumeration

bash
# List functions
gcloud functions list
gcloud functions describe <func_name> # Check triggers to see how is this function invoked
gcloud functions get-iam-policy <func_name>

# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit [NUMBER]

# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'

# If you know the name of projects you could try to BF cloud functions names

# Get events that could be used to trigger a cloud function
gcloud functions event-types list

# Access function with authentication
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" \
-d '{}'

Kuinua Mamlaka

Katika ukurasa ufuatao, unaweza kuangalia jinsi ya kutumia ruhusa za kazi za wingu ili kuinua mamlaka:

GCP - Cloudfunctions Privesc

Ufikiaji Usio na Utambulisho

GCP - Cloud Functions Unauthenticated Enum

Baada ya Kutekeleza

GCP - Cloud Functions Post Exploitation

Kudumu

GCP - Cloud Functions Persistence

Marejeleo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks