GCP - Artifact Registry Privesc

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Artifact Registry

Kwa maelezo zaidi kuhusu Artifact Registry angalia:

artifactregistry.repositories.uploadArtifacts

Kwa ruhusa hii mshambuliaji anaweza kupakia toleo jipya la artifacts zenye msimbo mbaya kama picha za Docker:

# Configure docker to use gcloud to authenticate with Artifact Registry
gcloud auth configure-docker <location>-docker.pkg.dev

# tag the image to upload it
docker tag <local-img-name>:<local-tag> <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

# Upload it
docker push <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

Ilijulikana kwamba ni uwezekano wa kupakia picha mpya ya docker mbaya yenye jina na tag sawa na ile iliyopo tayari, hivyo ya zamani itapoteza tag na wakati picha hiyo yenye tag hiyo itakaposhushwa, picha mbaya itashushwa.

Pakia maktaba ya Python

Anza kwa kuunda maktaba ya kupakia (ikiwa unaweza kushusha toleo la hivi karibuni kutoka kwenye rejista unaweza kuepuka hatua hii):

Weka muundo wa mradi wako:

Unda directory mpya kwa ajili ya maktaba yako, mfano, hello_world_library.
Ndani ya directory hii, unda directory nyingine yenye jina la kifurushi chako, mfano, hello_world.
Ndani ya directory ya kifurushi chako, unda faili ya __init__.py. Faili hii inaweza kuwa tupu au inaweza kuwa na mwanzo wa maktaba yako.

mkdir hello_world_library
cd hello_world_library
mkdir hello_world
touch hello_world/__init__.py

Andika msimbo wa maktaba yako:

Ndani ya directory ya hello_world, unda faili mpya ya Python kwa ajili ya moduli yako, mfano, greet.py.
Andika kazi yako ya "Hello, World!":

# hello_world/greet.py
def say_hello():
return "Hello, World!"

Unda faili ya setup.py:

Katika mzizi wa directory yako ya hello_world_library, unda faili ya setup.py.
Faili hii ina metadata kuhusu maktaba yako na inamwambia Python jinsi ya kuisakinisha.

# setup.py
from setuptools import setup, find_packages

setup(
name='hello_world',
version='0.1',
packages=find_packages(),
install_requires=[
# Mahitaji yoyote ambayo maktaba yako inahitaji
],
)

Sasa, hebu tupakie maktaba:

Jenga kifurushi chako:

Kutoka mzizi wa directory yako ya hello_world_library, endesha:

python3 setup.py sdist bdist_wheel

Sanidi uthibitisho kwa twine (inayotumika kupakia kifurushi chako):

Hakikisha una twine iliyosakinishwa (pip install twine).
Tumia gcloud kusanidi akreditif:

```sh
twine upload --username 'oauth2accesstoken' --password "$(gcloud auth print-access-token)" --repository-url https://<location>-python.pkg.dev/<project-id>/<repo-name>/ dist/*
```

Safisha ujenzi

rm -rf dist build hello_world.egg-info

Haiwezekani kupakia maktaba ya python yenye toleo sawa na lile lililopo tayari, lakini inawezekana kupakia matoleo makubwa zaidi (au kuongeza .0 mwishoni mwa toleo ikiwa hiyo inafanya kazi - si katika python ingawa-), au kufuta toleo la mwisho na kupakia jipya (inahitajika artifactregistry.versions.delete):

gcloud artifacts versions delete <version> --repository=<repo-name> --location=<location> --package=<lib-name>

`artifactregistry.repositories.downloadArtifacts`

Kwa ruhusa hii unaweza kupakua artifacts na kutafuta taarifa nyeti na udhaifu.

Pakua picha ya Docker:

# Configure docker to use gcloud to authenticate with Artifact Registry
gcloud auth configure-docker <location>-docker.pkg.dev

# Dowload image
docker pull <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

Pakua maktaba ya python:

pip install <lib-name> --index-url "https://oauth2accesstoken:$(gcloud auth print-access-token)@<location>-python.pkg.dev/<project-id>/<repo-name>/simple/" --trusted-host <location>-python.pkg.dev --no-cache-dir

Nini kinatokea ikiwa registries za mbali na za kawaida zimeshikwa katika moja ya virtual na pakiti ipo katika zote mbili? Angalia ukurasa huu:

`artifactregistry.tags.delete`, `artifactregistry.versions.delete`, `artifactregistry.packages.delete`, (`artifactregistry.repositories.get`, `artifactregistry.tags.get`, `artifactregistry.tags.list`)

Futa artifacts kutoka kwa registry, kama picha za docker:

# Delete a docker image
gcloud artifacts docker images delete <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

`artifactregistry.repositories.delete`

Futa hifadhi kamili (hata kama ina maudhui):

gcloud artifacts repositories delete <repo-name> --location=<location>

`artifactregistry.repositories.setIamPolicy`

Mshambuliaji mwenye ruhusa hii anaweza kujipa ruhusa za kufanya baadhi ya mashambulizi ya hifadhi yaliyotajwa hapo awali.

Pivoting to other Services through Artifact Registry Read & Write

Cloud Functions

Wakati Cloud Function inaundwa, picha mpya ya docker inasukumwa kwenye Artifact Registry ya mradi. Nilijaribu kubadilisha picha hiyo na nyingine mpya, na hata kufuta picha ya sasa (na picha ya cache) na hakuna kilichobadilika, cloud function inaendelea kufanya kazi. Hivyo, labda inaweza kuwa inawezekana kutumia shambulio la Race Condition kama ilivyo na ndoo kubadilisha kontena la docker litakalotekelezwa lakini kubadilisha picha iliyohifadhiwa pekee hakuwezekani kuathiri Cloud Function.

App Engine

Ingawa App Engine inaunda picha za docker ndani ya Artifact Registry. Ilijaribiwa kwamba hata ukibadilisha picha ndani ya huduma hii na kuondoa mfano wa App Engine (hivyo mfano mpya unapelekwa) kodii inayotekelezwa haibadiliki. Inaweza kuwa inawezekana kwamba kufanya shambulio la Race Condition kama ilivyo na ndoo inaweza kuwa inawezekana kufuta kodii inayotekelezwa, lakini hii haijajaribiwa.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - AppEngine Privesc NextGCP - Batch Privesc

Last updated 3 days ago