GCP - IAM, Principals & Org Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Iam & GCP Principals

Για περισσότερες πληροφορίες ελέγξτε:

GCP - IAM, Principals & Org Policies Enum

Χρησιμοποιείται το domain στο Workspace;

Ελέγξτε τα DNS records

Αν έχει ένα google-site-verification record είναι πιθανό ότι χρησιμοποιεί (ή χρησιμοποιούσε) το Workspace:

dig txt hacktricks.xyz

[...]
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz.		300	IN	TXT	"v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"

If something like include:_spf.google.com also appears it confirms it (note that if it doesn't appear it doesn't denies it as a domain can be in Workspace without using gmail as mail provider).

Δοκιμάστε να ρυθμίσετε ένα Workspace με αυτό το domain

Another option is to try to setup a Workspace using the domain, if it παραπονιέται ότι το domain χρησιμοποιείται ήδη (like in the image), you know it's already used!

To try to setup a Workspace domain follow: https://workspace.google.com/business/signup/welcome

Δοκιμάστε να ανακτήσετε τον κωδικό πρόσβασης ενός email χρησιμοποιώντας αυτό το domain

If you know any valid email address being use din that domain (like: admin@email.com or info@email.com) you can try to ανακτήσετε τον λογαριασμό in https://accounts.google.com/signin/v2/recoveryidentifier, and if try doesn't shows an error indicating that Google has no idea about that account, then it's using Workspace.

Enumerate emails and service accounts

It's possible to enumerate valid emails of a Workspace domain and SA emails by trying to assign them permissions and checking the error messages. For this you just need to have permissions to assign permission to a project (which can be just owned by you).

Note that to check them but even if they exist not grant them a permission you can use the type serviceAccount when it's an user and user when it's a SA:

# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
## Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.

Ένας ταχύτερος τρόπος για να καταμετρήσετε τους Λογαριασμούς Υπηρεσιών σε γνωστά έργα είναι απλώς να προσπαθήσετε να αποκτήσετε πρόσβαση στη διεύθυνση URL: https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email> Για παράδειγμα: https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com

Εάν η απάντηση είναι 403, σημαίνει ότι ο Λογαριασμός Υπηρεσίας υπάρχει. Αλλά αν η απάντηση είναι 404, σημαίνει ότι δεν υπάρχει:

// Exists
{
"error": {
"code": 403,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"status": "PERMISSION_DENIED"
}
}

// Doesn't exist
{
"error": {
"code": 404,
"message": "Unknown service account",
"status": "NOT_FOUND"
}
}

Σημειώστε πώς όταν το email του χρήστη ήταν έγκυρο, το μήνυμα σφάλματος υποδείκνυε ότι ο τύπος δεν είναι, οπότε καταφέραμε να ανακαλύψουμε ότι το email support@hacktricks.xyz υπάρχει χωρίς να του παραχωρήσουμε κανένα προνόμιο.

Μπορείτε να κάνετε το ίδιο με τους Λογαριασμούς Υπηρεσίας χρησιμοποιώντας τον τύπο user: αντί για serviceAccount::

# Non existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.

Υποστήριξη HackTricks

Ελέγξτε τα σχέδια συνδρομής!
Εγγραφείτε στην 💬 ομάδα Discord ή στην ομάδα telegram ή ακολουθήστε μας στο Twitter 🐦 @hacktricks_live.
Μοιραστείτε κόλπα hacking υποβάλλοντας PRs στα HackTricks και HackTricks Cloud github repos.

PreviousGCP - Compute Unauthenticated Enum NextGCP - Source Repositories Unauthenticated Enum

Last updated 3 days ago