GCP - Artifact Registry Privesc

Support HackTricks

Artifact Registry

Kwa maelezo zaidi kuhusu Artifact Registry angalia:

artifactregistry.repositories.uploadArtifacts

Kwa ruhusa hii mshambuliaji anaweza kupakia toleo jipya la artefacts zenye msimbo mbaya kama picha za Docker:

# Configure docker to use gcloud to authenticate with Artifact Registry
gcloud auth configure-docker <location>-docker.pkg.dev

# tag the image to upload it
docker tag <local-img-name>:<local-tag> <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

# Upload it
docker push <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

Ilijulikana kwamba ni uwezekano wa kupakia picha mpya ya docker mbaya yenye jina na tag sawa na ile iliyopo tayari, hivyo ya zamani itapoteza tag na wakati picha hiyo yenye tag hiyo itakaposhushwa picha mbaya itashushwa.

Pakia maktaba ya Python

Anza kwa kuunda maktaba ya kupakia (ikiwa unaweza kupakua toleo la hivi karibuni kutoka kwenye rejista unaweza kuepuka hatua hii):

  1. Weka muundo wa mradi wako:

  • Unda directory mpya kwa ajili ya maktaba yako, mfano, hello_world_library.

  • Ndani ya directory hii, unda directory nyingine yenye jina la kifurushi chako, mfano, hello_world.

  • Ndani ya directory ya kifurushi chako, unda faili ya __init__.py. Faili hii inaweza kuwa tupu au inaweza kuwa na mwanzo wa kifurushi chako.

mkdir hello_world_library
cd hello_world_library
mkdir hello_world
touch hello_world/__init__.py
  1. Andika msimbo wa maktaba yako:

  • Ndani ya directory ya hello_world, unda faili mpya ya Python kwa ajili ya moduli yako, mfano, greet.py.

  • Andika kazi yako ya "Hello, World!":

# hello_world/greet.py
def say_hello():
return "Hello, World!"
  1. Unda faili ya setup.py:

  • Katika mzizi wa directory yako ya hello_world_library, unda faili ya setup.py.

  • Faili hii ina metadata kuhusu maktaba yako na inamwambia Python jinsi ya kuisakinisha.

# setup.py
from setuptools import setup, find_packages

setup(
name='hello_world',
version='0.1',
packages=find_packages(),
install_requires=[
# Mahitaji yoyote ambayo maktaba yako inahitaji
],
)

Sasa, hebu tupakie maktaba:

  1. Jenga kifurushi chako:

  • Kutoka mzizi wa directory yako ya hello_world_library, endesha:

python3 setup.py sdist bdist_wheel
  1. Sanidi uthibitisho kwa twine (inayotumika kupakia kifurushi chako):

  • Hakikisha una twine iliyosakinishwa (pip install twine).

  • Tumia gcloud kusanidi akreditif:

```sh
twine upload --username 'oauth2accesstoken' --password "$(gcloud auth print-access-token)" --repository-url https://<location>-python.pkg.dev/<project-id>/<repo-name>/ dist/*
```
  1. Safisha ujenzi

rm -rf dist build hello_world.egg-info

Haiwezekani kupakia maktaba ya python yenye toleo sawa na lile lililopo tayari, lakini inawezekana kupakia matoleo makubwa zaidi (au kuongeza .0 mwishoni mwa toleo ikiwa hiyo inafanya kazi - si katika python ingawa-), au kufuta toleo la mwisho na kupakia jipya (inahitajika artifactregistry.versions.delete):

gcloud artifacts versions delete <version> --repository=<repo-name> --location=<location> --package=<lib-name>

artifactregistry.repositories.downloadArtifacts

Kwa ruhusa hii unaweza kupakua artifacts na kutafuta taarifa nyeti na mapungufu.

Pakua picha ya Docker:

# Configure docker to use gcloud to authenticate with Artifact Registry
gcloud auth configure-docker <location>-docker.pkg.dev

# Dowload image
docker pull <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

Pakua maktaba ya python:

pip install <lib-name> --index-url "https://oauth2accesstoken:$(gcloud auth print-access-token)@<location>-python.pkg.dev/<project-id>/<repo-name>/simple/" --trusted-host <location>-python.pkg.dev --no-cache-dir
  • Nini kinatokea ikiwa registries za mbali na za kawaida zimeshikwa katika moja ya virtual na pakiti ipo katika zote mbili? Angalia ukurasa huu:

artifactregistry.tags.delete, artifactregistry.versions.delete, artifactregistry.packages.delete, (artifactregistry.repositories.get, artifactregistry.tags.get, artifactregistry.tags.list)

Futa artifacts kutoka kwa registry, kama picha za docker:

# Delete a docker image
gcloud artifacts docker images delete <location>-docker.pkg.dev/<proj-name>/<repo-name>/<img-name>:<tag>

artifactregistry.repositories.delete

Futa hifadhi kamili (hata kama ina maudhui):

gcloud artifacts repositories delete <repo-name> --location=<location>

artifactregistry.repositories.setIamPolicy

Mshambuliaji mwenye ruhusa hii anaweza kujipa ruhusa za kufanya baadhi ya mashambulizi ya hifadhi yaliyotajwa hapo awali.

Pivoting to other Services through Artifact Registry Read & Write

  • Cloud Functions

Wakati Cloud Function inaundwa, picha mpya ya docker inasukumwa kwenye Artifact Registry ya mradi. Nilijaribu kubadilisha picha hiyo na nyingine mpya, na hata kufuta picha ya sasa (na picha ya cache) na hakuna kilichobadilika, cloud function inaendelea kufanya kazi. Hivyo, labda inaweza kuwa inawezekana kutumia shambulio la Race Condition kama ilivyo kwa bucket kubadilisha kontena la docker litakalotekelezwa lakini kubadilisha picha iliyohifadhiwa pekee hakuwezekani kuathiri Cloud Function.

  • App Engine

Ingawa App Engine inaunda picha za docker ndani ya Artifact Registry. Ilijaribiwa kwamba hata ukibadilisha picha ndani ya huduma hii na kuondoa mfano wa App Engine (hivyo mfano mpya unapelekwa) kodii inayotekelezwa haibadiliki. Inaweza kuwa inawezekana kwamba kufanya shambulio la Race Condition kama ilivyo kwa buckets inaweza kuwa inawezekana kufuta kodii inayotekelezwa, lakini hii haijajaribiwa.

Support HackTricks

Last updated