GCP - IAM Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Pata maelezo zaidi kuhusu IAM katika:
iam.roles.update
(iam.roles.get
)Mshambuliaji mwenye ruhusa zilizoelezwa ataweza kuboresha jukumu lililotolewa kwako na kukupa ruhusa za ziada kwa rasilimali nyingine kama:
You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.
iam.serviceAccounts.getAccessToken
(iam.serviceAccounts.get
)Mshambuliaji mwenye ruhusa zilizoelezwa ataweza kuomba tokeni ya ufikiaji inayomilikiwa na Akaunti ya Huduma, hivyo inawezekana kuomba tokeni ya ufikiaji ya Akaunti ya Huduma yenye ruhusa zaidi kuliko zetu.
You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.
iam.serviceAccountKeys.create
An attacker with the mentioned permissions will be able to kuunda ufunguo unaosimamiwa na mtumiaji kwa Akaunti ya Huduma, which will allow us to access GCP as that Service Account.
You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.
Note that iam.serviceAccountKeys.update
haitafanya kazi kubadilisha funguo ya SA kwa sababu ili kufanya hivyo ruhusa iam.serviceAccountKeys.create
inahitajika pia.
iam.serviceAccounts.implicitDelegation
If you have the iam.serviceAccounts.implicitDelegation
permission on a Service Account that has the iam.serviceAccounts.getAccessToken
permission on a third Service Account, then you can use implicitDelegation to create a token for that third Service Account. Here is a diagram to help explain.
Note that according to the documentation, the delegation of gcloud
only works to generate a token using the generateAccessToken() method. So here you have how to get a token using the API directly:
You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.
iam.serviceAccounts.signBlob
Mshambuliaji mwenye ruhusa zilizotajwa ataweza kusaini payloads za kiholela katika GCP. Hivyo itakuwa inawezekana kuunda JWT isiyo na sahihi ya SA na kisha kuisafirisha kama blob ili kupata JWT iliyosainiwa na SA tunayoelekeza. Kwa maelezo zaidi soma hii.
You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here and here. For more information check the original research.
iam.serviceAccounts.signJwt
Mshambuliaji mwenye ruhusa zilizotajwa ataweza kusaini tokens za wavuti za JSON (JWTs) zilizo na muundo mzuri. Tofauti na njia ya awali ni kwamba badala ya kumfanya google asaini blob inayoshikilia JWT, tunatumia njia ya signJWT ambayo tayari inatarajia JWT. Hii inafanya iwe rahisi kutumia lakini unaweza kusaini JWT tu badala ya bytes zozote.
You can find a script to automate the creation, exploit and cleaning of a vuln environment here and a python script to abuse this privilege here. For more information check the original research.
iam.serviceAccounts.setIamPolicy
Mshambuliaji mwenye ruhusa zilizotajwa ataweza kuongeza sera za IAM kwa akaunti za huduma. Unaweza kuitumia vibaya ili kujipa ruhusa unazohitaji ili kujifanya kuwa akaunti ya huduma. Katika mfano ufuatao tunajipa nafasi ya roles/iam.serviceAccountTokenCreator
juu ya SA ya kuvutia:
You can find a script to automate the creation, exploit and cleaning of a vuln environment here.
iam.serviceAccounts.actAs
The iam.serviceAccounts.actAs permission is like the iam:PassRole permission from AWS. It's essential for executing tasks, like initiating a Compute Engine instance, as it grants the ability to "actAs" a Service Account, ensuring secure permission management. Without this, users might gain undue access. Additionally, exploiting the iam.serviceAccounts.actAs involves various methods, each requiring a set of permissions, contrasting with other methods that need just one.
Kuiga huduma ya akaunti kunaweza kuwa na manufaa sana ili kupata mamlaka mpya na bora. Kuna njia tatu ambazo unaweza kuiga huduma nyingine ya akaunti:
Uthibitishaji ukitumia funguo za kibinafsi za RSA (zilizoelezwa hapo juu)
Uidhinishaji ukitumia sera za Cloud IAM (zilizoelezwa hapa)
Kuweka kazi kwenye huduma za GCP (inafaa zaidi kwa kuathiri akaunti ya mtumiaji)
iam.serviceAccounts.getOpenIdToken
Mshambuliaji mwenye ruhusa zilizoelezwa atakuwa na uwezo wa kuunda OpenID JWT. Hizi zinatumika kuthibitisha utambulisho na hazihitaji kuwa na uidhinishaji wowote wa kimya dhidi ya rasilimali.
Kulingana na hii post ya kuvutia, ni muhimu kuonyesha hadhira (huduma ambapo unataka kutumia tokeni kuthibitisha) na utapokea JWT iliyosainiwa na google ikionyesha huduma ya akaunti na hadhira ya JWT.
You can generate an OpenIDToken (if you have the access) with:
Kisha unaweza tu kuitumia kufikia huduma na:
Baadhi ya huduma zinazounga mkono uthibitishaji kupitia aina hii ya token ni:
Google Cloud Endpoints (ikiwa unatumia Google OIDC)
Unaweza kupata mfano wa jinsi ya kuunda token ya OpenID kwa niaba ya akaunti ya huduma hapa.
Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)