GCP - IAM, Principals & Org Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Iam & GCP Principals

Vir meer inligting, kyk:

GCP - IAM, Principals & Org Policies Enum

Word die domein in Workspace gebruik?

Kontroleer DNS rekords

As dit 'n google-site-verification rekord het, is dit waarskynlik dat dit (of dit was) Workspace gebruik:

dig txt hacktricks.xyz

[...]
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz.		300	IN	TXT	"v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"

If something like include:_spf.google.com also appears it confirms it (note that if it doesn't appear it doesn't denies it as a domain can be in Workspace without using gmail as mail provider).

Probeer om 'n Workspace met daardie domein op te stel

Another option is to try to setup a Workspace using the domain, if it kla dat die domein reeds gebruik word (like in the image), you know it's already used!

To try to setup a Workspace domain follow: https://workspace.google.com/business/signup/welcome

Probeer om die wagwoord van 'n e-pos te herstel met daardie domein

If you know any valid email address being use din that domain (like: admin@email.com or info@email.com) you can try to herstel die rekening in https://accounts.google.com/signin/v2/recoveryidentifier, and if try doesn't shows an error indicating that Google has no idea about that account, then it's using Workspace.

Enumereer e-posse en diensrekeninge

It's possible to enumereer geldige e-posse van 'n Workspace-domein en SA-e-posse by trying to assign them permissions and checking the error messages. For this you just need to have permissions to assign permission to a project (which can be just owned by you).

Note that to check them but even if they exist not grant them a permission you can use the type serviceAccount when it's an user and user when it's a SA:

# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
## Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.

'n Sneller manier om diensrekeninge in bekende projekte te enumereer, is net om te probeer om toegang te verkry tot die URL: https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email> Byvoorbeeld: https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com

As die antwoord 'n 403 is, beteken dit dat die SA bestaan. Maar as die antwoord 'n 404 is, beteken dit dat dit nie bestaan nie:

// Exists
{
"error": {
"code": 403,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"status": "PERMISSION_DENIED"
}
}

// Doesn't exist
{
"error": {
"code": 404,
"message": "Unknown service account",
"status": "NOT_FOUND"
}
}

Let op hoe wanneer die gebruiker se e-pos geldig was, die foutboodskap aangedui het dat hulle tipe nie is nie, so ons het daarin geslaag om te ontdek dat die e-pos support@hacktricks.xyz bestaan sonder om enige voorregte toe te ken.

Jy kan die selfde doen met Diensrekeninge deur die tipe user: te gebruik in plaas van serviceAccount::

# Non existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.

Ondersteun HackTricks

Kyk na die subskripsie planne!
Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

PreviousGCP - Compute Unauthenticated Enum NextGCP - Source Repositories Unauthenticated Enum

Last updated 3 days ago