GCP - Artifact Registry Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Artifact Registry

For more information about Artifact Registry check:

Dependency Confusion

What happens if a remote and a standard repositories are mixed in a virtual one and a package exists in both?
- The one with the highest priority set in the virtual repository is used
- If the priority is the same:
  - If the version is the same, the policy name alphabetically first in the virtual repository is used
  - If not, the highest version is used

Therefore, it's possible to abuse a highest version (dependency confusion) in a public package registry if the remote repository has a higher or same priority

This technique can be useful for persistence and unauthenticated access as to abuse it it just require to know a library name stored in Artifact Registry and create that same library in the public repository (PyPi for python for example) with a higher version.

For persistence these are the steps you need to follow:

Requirements: A virtual repository must exist and be used, an internal package with a name that doesn't exist in the public repository must be used.
Create a remote repository if it doesn't exist
Add the remote repository to the virtual repository
Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository. Run something like:
- gcloud artifacts repositories update --upstream-policy-file ...
Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, he will install yours!

For more information about dependency confusion check:

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - App Engine Persistence NextGCP - BigQuery Persistence

Last updated 3 months ago

Artifact Registry

For more information about Artifact Registry check:

Dependency Confusion

What happens if a remote and a standard repositories are mixed in a virtual one and a package exists in both?

The one with the highest priority set in the virtual repository is used
If the priority is the same:
- If the version is the same, the policy name alphabetically first in the virtual repository is used
- If not, the highest version is used

Therefore, it's possible to abuse a highest version (dependency confusion) in a public package registry if the remote repository has a higher or same priority

For persistence these are the steps you need to follow:

Requirements: A virtual repository must exist and be used, an internal package with a name that doesn't exist in the public repository must be used.

Create a remote repository if it doesn't exist

Add the remote repository to the virtual repository

Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository. Run something like:

gcloud artifacts repositories update --upstream-policy-file ...

Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, he will install yours!

For more information about dependency confusion check: