GCP - AppEngine Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

App Engine

Kwa maelezo zaidi kuhusu App Engine angalia:

GCP - App Engine Enum

`appengine.applications.get`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.operations.list`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.create`, `appengine.versions.get`, `appengine.versions.list`, `cloudbuild.builds.get`,`iam.serviceAccounts.actAs`, `resourcemanager.projects.get`, `storage.objects.create`, `storage.objects.list`

Hizi ndizo ruhusa zinazohitajika ili kupeleka App kwa kutumia gcloud cli. Huenda get na list zinaweza kuepukwa.

Unaweza kupata mifano ya msimbo wa python katika https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/appengine

Kwa kawaida, jina la huduma ya App litakuwa default, na kunaweza kuwa na instance 1 tu yenye jina sawa. Ili kubadilisha na kuunda App ya pili, katika app.yaml, badilisha thamani ya ufunguo wa mzizi kuwa kitu kama service: my-second-app

cd python-docs-samples/appengine/flexible/hello_world
gcloud app deploy #Upload and start application inside the folder

Give it at least 10-15min, if it doesn't work call deploy another of times and wait some minutes.

Ni uwezekano wa kuashiria Akaunti ya Huduma kutumia lakini kwa kawaida, SA ya default ya App Engine inatumika.

URL ya programu ni kitu kama https://<proj-name>.oa.r.appspot.com/ au https://<service_name>-dot-<proj-name>.oa.r.appspot.com

Update equivalent permissions

Unaweza kuwa na ruhusa za kutosha kuboresha AppEngine lakini si kuunda mpya. Katika hali hiyo, hii ndiyo jinsi unavyoweza kuboresha App Engine ya sasa:

# Find the code of the App Engine in the buckets
gsutil ls

# Download code
mkdir /tmp/appengine2
cd /tmp/appengine2
## In this case it was found in this custom bucket but you could also use the
## buckets generated when the App Engine is created
gsutil cp gs://appengine-lab-1-gcp-labs-4t04m0i6-3a97003354979ef6/labs_appengine_1_premissions_privesc.zip .
unzip labs_appengine_1_premissions_privesc.zip

## Now modify the code..

## If you don't have an app.yaml, create one like:
cat >> app.yaml <<EOF
runtime: python312

entrypoint: gunicorn -b :\$PORT main:app

env_variables:
A_VARIABLE: "value"
EOF

# Deploy the changes
gcloud app deploy

# Update the SA if you need it (and if you have actas permissions)
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com

Ikiwa tayari umepata AppEngine na una ruhusa appengine.applications.update na actAs juu ya akaunti ya huduma unayotumia, unaweza kubadilisha akaunti ya huduma inayotumiwa na AppEngine kwa:

gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com

`appengine.instances.enableDebug`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.get`, `appengine.versions.list`, `compute.projects.get`

Kwa ruhusa hizi, inawezekana kuingia kupitia ssh katika App Engine instances za aina flexible (sio standard). Baadhi ya ruhusa za list na get huenda zisihitajike kweli.

gcloud app instances ssh --service <app-name> --version <version-id> <ID>

`appengine.applications.update`, `appengine.operations.get`

Nadhani hii inabadilisha tu SA ya nyuma ambayo google itatumia kuweka mipango, hivyo sidhani unaweza kutumia hii kuiba akaunti ya huduma.

gcloud app update --service-account=<sa_email>

`appengine.versions.getFileContents`, `appengine.versions.update`

Sijui jinsi ya kutumia ruhusa hizi au kama zinafaa (kumbuka kwamba unapobadilisha msimbo toleo jipya linaundwa hivyo sijui kama unaweza tu kubadilisha msimbo au jukumu la IAM la moja, lakini nadhani unapaswa kuwa na uwezo wa kufanya hivyo, labda kubadilisha msimbo ndani ya bucket??).

Upatikanaji wa Kuandika juu ya buckets

Kama ilivyotajwa, toleo la appengine linaunda data fulani ndani ya bucket yenye muundo wa jina: staging.<project-id>.appspot.com. Kumbuka kwamba haiwezekani kuchukua bucket hii kabla kwa sababu watumiaji wa GCP hawajapewa ruhusa ya kuunda buckets kwa kutumia jina la kikoa appspot.com.

Hata hivyo, kwa upatikanaji wa kusoma na kuandika juu ya bucket hii, inawezekana kupandisha ruhusa kwa SA iliyoambatanishwa na toleo la AppEngine kwa kufuatilia bucket na wakati wowote mabadiliko yanapofanywa, badilisha kwa haraka iwezekanavyo msimbo. Kwa njia hii, kontena linaloundwa kutoka kwa msimbo huu litafanya kazi ya msimbo wa nyuma.

Kwa maelezo zaidi na PoC angalia habari muhimu kutoka ukurasa huu:

GCP - Storage Privesc

Upatikanaji wa Kuandika juu ya Katalogi ya Vitu

Ingawa App Engine inaunda picha za docker ndani ya Katalogi ya Vitu. Ilijaribiwa kwamba hata ukibadilisha picha ndani ya huduma hii na kuondoa mfano wa App Engine (hivyo mfano mpya unapelekwa) msimbo unaotekelezwa haubadilika. Inaweza kuwa inawezekana kwamba kufanya shambulio la Race Condition kama ilivyo na buckets inaweza kuwa inawezekana kufuta msimbo unaotekelezwa, lakini hii haijajaribiwa.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks