GCP - Cloud Functions Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloud Functions

Google Cloud Functions zimeundwa kuhifadhi msimbo wako, ambao unatekelezwa kama jibu kwa matukio, bila kuhitaji usimamizi wa mfumo wa uendeshaji wa mwenyeji. Zaidi ya hayo, kazi hizi zinasaidia uhifadhi wa mabadiliko ya mazingira, ambayo msimbo unaweza kutumia.

Storage

Msimbo wa Cloud Functions uhifadhiwa katika GCP Storage. Hivyo, mtu yeyote mwenye upatikanaji wa kusoma juu ya ndoo katika GCP ataweza kusoma msimbo wa Cloud Functions. Msimbo uhifadhiwa katika ndoo kama moja ya zifuatazo:

gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip
gcf-v2-sources-<number>-<region>/<function-name>function-source.zip

Kwa mfano: gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip

Mtu yeyote mwenye haki za kusoma juu ya ndoo inayohifadhi Cloud Function anaweza kusoma msimbo uliofanywa kazi.

Artifact Registry

Ikiwa kazi ya wingu imewekwa ili kontena la Docker lililotekelezwa lihifadhiwe ndani ya repo ya Artifact Registry ndani ya mradi, mtu yeyote mwenye upatikanaji wa kusoma juu ya repo ataweza kupakua picha na kuangalia msimbo wa chanzo. Kwa maelezo zaidi angalia:

GCP - Artifact Registry Enum

SA

Ikiwa haijabainishwa, kwa kawaida App Engine Default Service Account yenye haki za Mhariri juu ya mradi itakuwa imeunganishwa na Cloud Function.

Triggers, URL & Authentication

Wakati Cloud Function inaundwa, trigger inahitaji kubainishwa. Moja ya kawaida ni HTTPS, hii itaunda URL ambapo kazi inaweza kuanzishwa kupitia kivinjari cha wavuti. Triggers nyingine ni pub/sub, Storage, Filestore...

Muundo wa URL ni https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>

Wakati trigger ya HTTPS inatumika, pia inaonyeshwa ikiwa mpiga simu anahitaji kuwa na idhini ya IAM ili kuita Kazi au ikiwa kila mtu anaweza kuikalia:

Inside the Cloud Function

Msimbo unapakuliwa ndani ya folda /workspace ukiwa na majina sawa na yale ya faili katika Cloud Function na unatekelezwa na mtumiaji www-data. Diski haiunganishwi kama isiyo ya kusoma.

Enumeration

# List functions
gcloud functions list
gcloud functions describe <func_name> # Check triggers to see how is this function invoked
gcloud functions get-iam-policy <func_name>

# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit [NUMBER]

# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'

# If you know the name of projects you could try to BF cloud functions names

# Get events that could be used to trigger a cloud function
gcloud functions event-types list

# Access function with authentication
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" \
-d '{}'