GCP - Generic Permissions Privesc

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Generic interesting permissions

*.setIamPolicy

If you own a user that has the setIamPolicy permission on a resource, you can escalate privileges in that resource, because you will be able to change the IAM policy of that resource and grant yourself more privileges over it.
This permission can also allow escalation to other principals if the resource allows executing code and iam.ServiceAccounts.actAs is not required.

  • cloudfunctions.functions.setIamPolicy
  • Modify the policy of a Cloud Function to allow yourself to invoke it.

There are tens of resource types with this kind of permission; you can find all of them in https://cloud.google.com/iam/docs/permissions-reference by searching for setIamPolicy.
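From the defender's side, the setIamPolicy abuse described above leaves a clear trace: a SetIamPolicy audit-log event whose binding delta adds a role for the very principal that made the call (or for an identity that principal already controls). The following detection is an added example for this page, not HackTricks code. It assumes the entries follow the shape of Cloud Audit Log records for SetIamPolicy, with the binding changes under protoPayload.serviceData.policyDelta.bindingDeltas; the sample entries are constructed, not captured from a real project.

```python
"""Detect SetIamPolicy events in which the caller grants a role to an
identity they control (including themselves).

Added example, not HackTricks code. ASSUMPTION: entries mirror the shape of
Cloud Audit Log SetIamPolicy records (binding changes under
protoPayload.serviceData.policyDelta.bindingDeltas). SAMPLE_LOG is
constructed, not real log data."""

# Constructed sample: a routine viewer grant by an admin, a user adding
# themselves as invoker of a Cloud Function (the
# cloudfunctions.functions.setIamPolicy case from the text), an admin
# revoking their own editor role, and a user granting a role to a service
# account on a Cloud Run service.
SAMPLE_LOG = [
    {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer",
             "member": "user:analyst@example.com"}]}}}},
    {"protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "resourceName": "projects/example-project/locations/us-central1/functions/hello",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/cloudfunctions.invoker",
             "member": "user:dev@example.com"}]}}}},
    {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "resourceName": "projects/example-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/editor",
             "member": "user:admin@example.com"}]}}}},
    {"protoPayload": {
        "methodName": "google.cloud.run.v1.Services.SetIamPolicy",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "resourceName": "projects/example-project/locations/us-central1/services/api",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/run.invoker",
             "member": "serviceAccount:ci-sa@example-project.iam.gserviceaccount.com"}]}}}},
]


def _member_identity(member):
    """Strip the IAM member prefix (user:, serviceAccount:, group:, ...)."""
    return member.split(":", 1)[1] if ":" in member else member


def find_self_grants(entries, controlled=None):
    """Return one finding per ADD binding delta whose member is the caller
    itself or an identity the caller controls.

    `controlled` maps a caller email to the set of identities that caller
    can act as (for example service accounts it can impersonate); grants to
    those are reported as well. REMOVE deltas are ignored: revoking your own
    role is not an escalation."""
    controlled = controlled or {}
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith("SetIamPolicy"):
            continue
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "")
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {}).get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue
            target = _member_identity(delta.get("member", ""))
            if target == caller or target in controlled.get(caller, ()):
                findings.append({
                    "caller": caller,
                    "resource": payload.get("resourceName", ""),
                    "role": delta.get("role", ""),
                    "member": delta.get("member", ""),
                })
    return findings


if __name__ == "__main__":
    known = {"dev@example.com": {"ci-sa@example-project.iam.gserviceaccount.com"}}
    for f in find_self_grants(SAMPLE_LOG, controlled=known):
        print(f"{f['caller']} granted {f['role']} to {f['member']} on {f['resource']}")
```

The `controlled` map is what turns this from a self-grant check into the "escalate to other principals" check from the text: once you know which service accounts a principal can already act as, a grant to any of them on a code-executing resource is the same finding as a grant to themselves.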

*.create, *.update

These permissions can be very useful for trying to escalate privileges in resources by creating a new one or updating an existing one.
These kinds of permissions are especially useful if you also have the iam.serviceAccounts.actAs permission over a Service Account and the resource you have .create/.update over can have a service account attached.

*ServiceAccount*

This permission will usually let you access or modify a Service Account in some resource (e.g. compute.instances.setServiceAccount). This could lead to a privilege escalation vector, but it will depend on each case.

iam.ServiceAccounts.actAs

This permission will let you attach a Service Account to a resource that supports it (e.g. Compute Engine VM, Cloud Function, Cloud Run, etc.).
If you can attach a Service Account that has more privileges than your user to a resource that can execute code, you will be able to escalate your privileges by executing code with that Service Account.

Search Cloud HackTricks for iam.ServiceAccounts.actAs to find several examples of how to escalate privileges with this permission.
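The risky combination this section and the *.create/*.update section describe is actAs on a service account plus the ability to create or update a resource that runs code under that service account. The policy review below is an added example for this page, not HackTricks code. It assumes the policy has the shape printed by `gcloud projects get-iam-policy PROJECT --format=json`; the two role tables are a deliberately small, hand-picked assumption (a real review should derive them from `gcloud iam roles describe ROLE`, whose includedPermissions list each role's permissions); the sample policy is constructed.

```python
"""Flag members of a project IAM policy who hold both a role granting
iam.serviceAccounts.actAs and a role that lets them create or update a
resource that runs code with an attached service account.

Added example, not HackTricks code. ASSUMPTIONS: `policy` has the shape of
`gcloud projects get-iam-policy PROJECT --format=json`; the role tables are
a small hand-picked subset (build the real ones from
`gcloud iam roles describe ROLE`); SAMPLE_POLICY is constructed."""

# Predefined roles that include iam.serviceAccounts.actAs (assumed table).
ACTAS_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/editor",
    "roles/owner",
}

# Predefined roles that include *.create / *.update on a resource type that
# can run code under an attached service account (assumed table).
CODE_RESOURCE_ROLES = {
    "roles/compute.instanceAdmin.v1",  # compute.instances.create / setServiceAccount
    "roles/cloudfunctions.developer",  # cloudfunctions.functions.create / update
    "roles/run.developer",             # run.services.create / update
    "roles/editor",
    "roles/owner",
}

# Constructed sample policy: an owner, a developer with actAs plus VM
# creation, an ops group with actAs plus a *conditional* Cloud Run role,
# and a viewer with nothing interesting.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:dev@example.com", "group:ops@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:dev@example.com"]},
        {"role": "roles/run.developer",
         "members": ["group:ops@example.com"],
         "condition": {
             "title": "dev-services-only",
             "expression": 'resource.name.startsWith("projects/example-project/locations/us-central1/services/dev-")'}},
        {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
    ],
    "etag": "BwXconstructed",
    "version": 3,
}


def roles_by_member(policy):
    """Map each member to {role: is_conditional} across all bindings."""
    out = {}
    for binding in policy.get("bindings", []):
        conditional = "condition" in binding
        for member in binding.get("members", []):
            out.setdefault(member, {})[binding["role"]] = conditional
    return out


def actas_combos(policy, actas_roles=ACTAS_ROLES, code_roles=CODE_RESOURCE_ROLES):
    """Return {member: {"actas": [...], "create": [...], "conditional": bool}}
    for every member holding at least one role from each table.

    Conditional bindings still count (a condition can be broad or
    mis-scoped), but the finding is marked so the reviewer reads the CEL
    expression before deciding."""
    result = {}
    for member, roles in roles_by_member(policy).items():
        actas = sorted(r for r in roles if r in actas_roles)
        create = sorted(r for r in roles if r in code_roles)
        if actas and create:
            result[member] = {
                "actas": actas,
                "create": create,
                "conditional": any(roles[r] for r in actas + create),
            }
    return result


if __name__ == "__main__":
    import json
    import sys
    # Pass a saved get-iam-policy JSON file as argv[1]; otherwise use the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, info in actas_combos(policy).items():
        flag = " (conditional binding, check expression)" if info["conditional"] else ""
        print(f"{member}: actAs via {info['actas']}, create via {info['create']}{flag}")
```

Owner and editor appear in both tables on purpose: a single basic role already provides the whole chain, which is the usual argument for replacing them with narrower predefined roles. The review is per project; bindings inherited from the folder or organization, and service-account-level bindings granted with `gcloud iam service-accounts get-iam-policy`, need the same pass.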
