GCP - KMS Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

KMS

Taarifa kuhusu KMS:

GCP - KMS Enum

Kumbuka kwamba katika KMS idhini hazirithi tu kutoka kwa Mashirika, Folda na Miradi bali pia kutoka kwa Keyrings.

`cloudkms.cryptoKeyVersions.useToDecrypt`

Unaweza kutumia idhini hii kufungua taarifa kwa kutumia funguo ambayo una idhini hii juu yake.

gcloud kms decrypt \
--location=[LOCATION] \
--keyring=[KEYRING_NAME] \
--key=[KEY_NAME] \
--version=[KEY_VERSION] \
--ciphertext-file=[ENCRYPTED_FILE_PATH] \
--plaintext-file=[DECRYPTED_FILE_PATH]

`cloudkms.cryptoKeys.setIamPolicy`

Mshambuliaji mwenye ruhusa hii anaweza kujipe ruhusa za kutumia funguo kufungua taarifa.

gcloud kms keys add-iam-policy-binding [KEY_NAME] \
--location [LOCATION] \
--keyring [KEYRING_NAME] \
--member [MEMBER] \
--role roles/cloudkms.cryptoKeyDecrypter

`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation`

Hapa kuna ufafanuzi wa kimsingi wa jinsi ugawaji huu unavyofanya kazi:

Akaunti ya Huduma A ina ufikiaji wa moja kwa moja wa kufungua kwa kutumia funguo maalum katika KMS.
Akaunti ya Huduma B inapata ruhusa ya useToDecryptViaDelegation. Hii inaruhusu kuomba KMS kufungua data kwa niaba ya Akaunti ya Huduma A.

Matumizi ya ruhusa hii ni ya kimya kimya katika njia ambayo huduma ya KMS inakagua ruhusa wakati ombi la kufungua linapotolewa.

Unapofanya ombi la kawaida la kufungua kwa kutumia Google Cloud KMS API (katika Python au lugha nyingine), huduma inakagua ikiwa akaunti ya huduma inayohitaji ina ruhusa zinazohitajika. Ikiwa ombi linatolewa na akaunti ya huduma yenye ruhusa ya useToDecryptViaDelegation, KMS inathibitisha ikiwa akaunti hii inaruhusiwa kuomba kufungua kwa niaba ya chombo kinachomiliki funguo.

Kuweka Mambo kwa ajili ya Ugawaji

Bainisha Jukumu Maalum: Tengeneza faili ya YAML (mfano, custom_role.yaml) inayobainisha jukumu maalum. Faili hii inapaswa kujumuisha ruhusa ya cloudkms.cryptoKeyVersions.useToDecryptViaDelegation. Hapa kuna mfano wa jinsi faili hii inaweza kuonekana:

title: "KMS Decryption via Delegation"
description: "Allows decryption via delegation"
stage: "GA"
includedPermissions:
- "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"

Unda Jukumu Maalum kwa Kutumia gcloud CLI: Tumia amri ifuatayo kuunda jukumu maalum katika mradi wako wa Google Cloud:

gcloud iam roles create kms_decryptor_via_delegation --project [YOUR_PROJECT_ID] --file custom_role.yaml

Badilisha [YOUR_PROJECT_ID] na kitambulisho chako cha mradi wa Google Cloud.

Patia Jukumu Maalum Akaunti ya Huduma: Teua jukumu lako maalum kwa akaunti ya huduma ambayo itakuwa ikitumia ruhusa hii. Tumia amri ifuatayo:

# Give this permission to the service account to impersonate
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[SERVICE_ACCOUNT_B_EMAIL]" \
--role "projects/[PROJECT_ID]/roles/[CUSTOM_ROLE_ID]"

# Give this permission over the project to be able to impersonate any SA
gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
--member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
--role="projects/[YOUR_PROJECT_ID]/roles/kms_decryptor_via_delegation"

Replace [YOUR_PROJECT_ID] and [SERVICE_ACCOUNT_EMAIL] with your project ID and the email of the service account, respectively.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - IAM Privesc NextGCP - Orgpolicy Privesc

Last updated 1 month ago