GCP - IAM, Principals & Org Unauthenticated Enum
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
IAM & GCP Principals
For more information check:
GCP - IAM, Principals & Org Policies Enum
Is the domain used in Workspace?
- Check the DNS records
If it has a google-site-verification record, it is likely that it is using (or used) Workspace:
```bash
dig txt hacktricks.xyz
[...]
hacktricks.xyz. 3600 IN TXT "google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz. 3600 IN TXT "google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz. 300 IN TXT "v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"
```
If something like include:_spf.google.com also appears in the SPF record, that confirms it (note that its absence does not rule Workspace out, since the domain may be in Workspace without using gmail as its mail provider).
- Try to set up a Workspace with that domain
Another option is to try to set up a Workspace using the domain: if the signup complains that the domain is already in use (as in the image), you know it is already in use!
To try to set up a Workspace domain follow: https://workspace.google.com/business/signup/welcome
- Try to recover an email password using that domain
If you know any valid email address used in that domain (such as admin@email.com or info@email.com) you can try to recover the account at https://accounts.google.com/signin/v2/recoveryidentifier; if the attempt does not show an error indicating that Google has no idea about that account, then the domain is using Workspace.
Enumerating emails and service accounts
It is possible to enumerate valid emails of a Workspace domain, and SA emails, by trying to assign them permissions and checking the error messages. For this you only need permission to grant roles on a project (which can be a project owned just by you).
Note that in order to check them without granting them any permission even if they exist, you can use the type serviceAccount when the principal is a user, and user when it is a SA:
```bash
# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
  --member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
  --role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
  --member='serviceAccount:support@hacktricks.xyz' \
  --role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.
```
A quick way to enumerate Service Accounts in known projects is to try to access the URL: https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email>
For example: https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com
If the response is a 403, the SA exists. If the response is a 404, it does not exist:
```json
// Exists
{
  "error": {
    "code": 403,
    "message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
    "status": "PERMISSION_DENIED"
  }
}

// Doesn't exist
{
  "error": {
    "code": 404,
    "message": "Unknown service account",
    "status": "NOT_FOUND"
  }
}
```
Note how, when the user email was valid, the error message indicated that its type was wrong, so we discovered that the email support@hacktricks.xyz exists without granting any privileges.
You can do the same with Service Accounts using the type user: instead of serviceAccount: (the mismatched prefix is what makes the call fail before any binding is created):
```bash
# Non existent: the 'user:' prefix on an SA email keeps the binding from
# being created, and the error tells us the principal is unknown
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
  --member='user:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
  --role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent: the SA is found, but the type check fails, so nothing is granted
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
  --member='user:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
  --role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.
```