GCP - Storage Post Exploitation

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

Cloud Storage

有关 Cloud Storage 的更多信息,请查看此页面:

GCP - Storage Enum

授予公开访问

可以将访问权限授予外部用户(是否登录 GCP 均可)以访问 buckets 的内容。然而,默认情况下 bucket 会禁用公开暴露的选项:

# Disable public prevention
gcloud storage buckets update gs://BUCKET_NAME --no-public-access-prevention

# Make all objects in a bucket public
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
## I don't think you can make specific objects public just with IAM

# Make a bucket or object public (via ACL)
gcloud storage buckets update gs://BUCKET_NAME --add-acl-grant=entity=AllUsers,role=READER
gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER

如果你尝试将 ACLs 应用于已禁用 ACLs 的 bucket,你会看到此错误:ERROR: HTTPError 400: Cannot use ACL API to update bucket policy when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access

要通过浏览器访问公开的 bucket,请访问 URL https://<bucket_name>.storage.googleapis.com/https://<bucket_name>.storage.googleapis.com/<object_name>

storage.objects.delete (storage.objects.get)

删除对象:

gcloud storage rm gs://<BUCKET_NAME>/<OBJECT_NAME> --project=<PROJECT_ID>

storage.buckets.delete, storage.objects.delete & storage.objects.list

要删除一个 bucket:

gcloud storage rm -r gs://<BUCKET_NAME>

停用 HMAC 密钥

storage.hmacKeys.update 权限允许停用 HMAC 密钥,storage.hmacKeys.delete 权限允许某个身份删除与 Cloud Storage 中的服务账户关联的 HMAC 密钥。

# Deactivate
gcloud storage hmac update <ACCESS_ID> --deactivate

# Delete
gcloud storage hmac delete <ACCESS_ID>

storage.buckets.setIpFilter & storage.buckets.update

拥有 storage.buckets.setIpFilter 权限以及 storage.buckets.update 权限的主体,可以在 Cloud Storage bucket 上配置 IP 地址过滤器,指定允许访问该 bucket 资源的 IP 范围或地址。

要完全清除 IP 过滤器,可以使用以下命令:

gcloud storage buckets update gs://<BUCKET_NAME> --project=<PROJECT_ID>

要更改被过滤的 IPs,可使用以下命令:

gcloud storage buckets update gs://<BUCKET_NAME> \
--ip-filter-file=ip-filter.json \
--project=<PROJECT_ID>

JSON 文件表示过滤器本身,例如:

{
"mode": "Enabled",
"publicNetworkSource": {
"allowedIpCidrRanges": ["<IP>/<MASK>"]
},
"allowCrossOrgVpcs": false,
"allowAllServiceAgentAccess": false
}

storage.buckets.restore

使用以下方法恢复存储桶:

gcloud storage restore gs://<BUCKET_NAME>#<GENERATION> \
--project=<PROJECT_ID>

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks