GCP - Storage Post Exploitation

Wolk Berging

Vir meer inligting oor Wolk Berging, kyk na hierdie bladsy:

Gee Publieke Toegang

Dit is moontlik om eksterne gebruikers (ingelogde GCP of nie) toegang tot emmerinhoud te gee. Dit is egter, per standaard, dat die emmer die opsie om 'n emmer publiek bloot te stel, gedeaktiveer sal hê:

# Disable public prevention
gcloud storage buckets update gs://BUCKET_NAME --no-public-access-prevention

# Make all objects in a bucket public
gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
## I don't think you can make specific objects public just with IAM

# Make a bucket or object public (via ACL)
gcloud storage buckets update gs://BUCKET_NAME --add-acl-grant=entity=AllUsers,role=READER
gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER

As jy probeer om ACLs aan 'n emmer met gedeaktiveerde ACLs toe te ken, sal jy hierdie fout vind: ERROR: HTTPError 400: Cannot use ACL API to update bucket policy when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access

Om toegang te verkry tot oop emmers via 'n blaaier, toegang die URL https://<bucket_name>.storage.googleapis.com/ of https://<bucket_name>.storage.googleapis.com/<object_name>