GCP - Artifact Registry Persistence

Support HackTricks

Artifact Registry

For more information about Artifact Registry check:

GCP - Artifact Registry Enum

Dependency Confusion

  • What happens if a remote and a standard repositories are mixed in a virtual one and a package exists in both?

    • The one with the highest priority set in the virtual repository is used

    • If the priority is the same:

      • If the version is the same, the policy name alphabetically first in the virtual repository is used

      • If not, the highest version is used

Therefore, it's possible to abuse a highest version (dependency confusion) in a public package registry if the remote repository has a higher or same priority

This technique can be useful for persistence and unauthenticated access as to abuse it it just require to know a library name stored in Artifact Registry and create that same library in the public repository (PyPi for python for example) with a higher version.

For persistence these are the steps you need to follow:

  • Requirements: A virtual repository must exist and be used, an internal package with a name that doesn't exist in the public repository must be used.

  • Create a remote repository if it doesn't exist

  • Add the remote repository to the virtual repository

  • Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository. Run something like:

  • Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, he will install yours!

For more information about dependency confusion check:

Support HackTricks

Last updated