GCP - Cloudbuild Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

cloudbuild

Kwa maelezo zaidi kuhusu Cloud Build angalia:

GCP - Cloud Build Enum

`cloudbuild.builds.create`

Kwa ruhusa hii unaweza kuwasilisha cloud build. Mashine ya cloudbuild itakuwa na token ya Cloudbuild Service Account katika mfumo wake wa faili kwa default: <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com. Hata hivyo, unaweza kuonyesha akaunti yoyote ya huduma ndani ya mradi katika usanidi wa cloudbuild. Hivyo, unaweza kufanya mashine hiyo kuhamasisha token hiyo kwenye seva yako au kupata shell ya kurudi ndani yake na kujipatia token hiyo (faili inayoshikilia token inaweza kubadilika).

Unaweza kupata script ya asili ya exploit hapa kwenye GitHub (lakini eneo inachukua token kutoka halikufanya kazi kwangu). Hivyo, angalia script ya kuandaa kuunda, kutumia na kusafisha mazingira yenye udhaifu hapa na script ya python kupata shell ya kurudi ndani ya mashine ya cloudbuild na kuiba token hiyo hapa (katika msimbo unaweza kupata jinsi ya kuonyesha akaunti nyingine za huduma).

Kwa maelezo ya kina zaidi, tembelea https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/

`cloudbuild.builds.update`

Inawezekana kwa ruhusa hii utaweza kupdate cloud build na kuiba token ya akaunti ya huduma kama ilivyofanywa kwa ruhusa ya awali (lakini kwa bahati mbaya wakati wa kuandika hii sikuweza kupata njia yoyote ya kuita API hiyo).

TODO

`cloudbuild.repositories.accessReadToken`

Kwa ruhusa hii mtumiaji anaweza kupata token ya ufikiaji wa kusoma inayotumika kufikia hazina:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{}' \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>/repositories/<repo-id>:accessReadToken"

`cloudbuild.repositories.accessReadWriteToken`

Kwa ruhusa hii, mtumiaji anaweza kupata token ya ufikiaji wa kusoma na kuandika inayotumika kufikia hifadhi:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{}' \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>/repositories/<repo-id>:accessReadWriteToken"

`cloudbuild.connections.fetchLinkableRepositories`

Kwa ruhusa hii unaweza kupata repos ambazo muunganisho una ufikiaji:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>:fetchLinkableRepositories"

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousGCP - ClientAuthConfig Privesc NextGCP - Cloudfunctions Privesc

Last updated 1 month ago