GCP - IAM, Principals & Org Policies Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Akaunti za Huduma

Kwa utangulizi kuhusu nini akaunti ya huduma angalia:

Uhesabu

Akaunti ya huduma kila wakati inahusishwa na mradi:

gcloud iam service-accounts list --project <project>

Watumiaji & Vikundi

Kwa utangulizi kuhusu jinsi Watumiaji & Vikundi vinavyofanya kazi katika GCP angalia:

Uhesabuji

Kwa ruhusa serviceusage.services.enable na serviceusage.services.use inawezekana kuwezesha huduma katika mradi na kuzitumia.

Kumbuka kwamba kwa default, watumiaji wa Workspace wanapewa jukumu la Mundaji wa Mradi, ambalo linawapa ufikiaji wa kuunda miradi mipya. Wakati mtumiaji anapounda mradi, anapewa jukumu la mwenye juu yake. Hivyo, anaweza kuwezesha huduma hizi juu ya mradi ili kuweza kuhesabu Workspace.

Hata hivyo, zingatia kwamba pia inahitajika kuwa na ruhusa za kutosha katika Workspace ili kuweza kuita APIs hizi.

Ikiwa unaweza kuwezesha huduma ya admin na ikiwa mtumiaji wako ana ruhusa za kutosha katika workspace, unaweza kuhesabu vikundi vyote & watumiaji kwa mistari ifuatayo. Hata inapoandika identity groups, pia inarudisha watumiaji bila vikundi vyovyote:

# Enable admin
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com

# Using admin.googleapis.com
## List all users
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>

# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email <email> --labels=cloudidentity.googleapis.com/groups.discussion_forum

## List Group Members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=<email>
### Make it transitive
gcloud identity groups memberships search-transitive-memberships --group-email=<email>

## Get a graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=<email> --labels=cloudidentity.googleapis.com/groups.discussion_forum

Katika mifano ya awali, param --labels inahitajika, hivyo thamani ya jumla inatumika (haitahitajika ikiwa umetumia API moja kwa moja kama PurplePanda anavyofanya hapa.

Hata na huduma ya admin ikiwa imewezeshwa, inawezekana ukapata kosa wakati wa kuorodhesha kwa sababu mtumiaji wako wa workspace aliyeathiriwa hana ruhusa za kutosha:

IAM

Angalia hii kwa taarifa za msingi kuhusu IAM.

Ruhusa za Kawaida

Kutoka kwenye docs: Wakati rasilimali ya shirika inaundwa, watumiaji wote katika eneo lako wanapewa nafasi za Muumba wa Akaunti ya Malipo na Muumba wa Mradi kama kawaida. Nafasi hizi za kawaida zinawaruhusu watumiaji wako kuanza kutumia Google Cloud mara moja, lakini hazikusudiwi kutumika katika operesheni ya kawaida ya rasilimali yako ya shirika.

Nafasi hizi zinatoa ruhusa:

billing.accounts.create na resourcemanager.organizations.get
resourcemanager.organizations.get na resourcemanager.projects.create

Zaidi ya hayo, wakati mtumiaji anaunda mradi, yeye anapewa umiliki wa mradi huo moja kwa moja kulingana na docs. Hivyo, kwa kawaida, mtumiaji ataweza kuunda mradi na kuendesha huduma yoyote juu yake (madini? Kuorodhesha Workspace? ...)

Ruhusa ya juu zaidi katika Shirika la GCP ni nafasi ya Msimamizi wa Shirika.

set-iam-policy vs add-iam-policy-binding

Katika huduma nyingi utaweza kubadilisha ruhusa juu ya rasilimali kwa kutumia njia add-iam-policy-binding au set-iam-policy. Tofauti kuu ni kwamba add-iam-policy-binding inaongeza uhusiano mpya wa nafasi kwenye sera ya IAM iliyopo wakati set-iam-policy it afuta ruhusa zilizotolewa awali na kuweka tu zile zilizotajwa katika amri.

Kuorodhesha

# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='

## Get perms and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>

# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>

# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>
## Grantable roles to a resource
gcloud iam list-grantable-roles <project URL>

cloudasset IAM Enumeration

Kuna njia tofauti za kuangalia ruhusa zote za mtumiaji katika rasilimali tofauti (kama vile mashirika, folda, miradi...) kwa kutumia huduma hii.

Ruhusa cloudasset.assets.searchAllIamPolicies inaweza kuomba sera zote za iam ndani ya rasilimali.

gcloud asset search-all-iam-policies #By default uses current configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123

Ruhusa cloudasset.assets.analyzeIamPolicy inaweza kuomba sera zote za iam za kiongozi ndani ya rasilimali.

# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=<folder-id> \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=<project-name> \
--identity='user:email@hacktricks.xyz'

Ruhusa cloudasset.assets.searchAllResources inaruhusu kuorodhesha rasilimali zote za shirika, folda, au mradi. Rasilimali zinazohusiana na IAM (kama vile majukumu) zimejumuishwa.

gcloud asset search-all-resources --scope projects/<proj-name>
gcloud asset search-all-resources --scope folders/1234567
gcloud asset search-all-resources --scope organizations/123456

Ruhusa cloudasset.assets.analyzeMove inaweza kuwa na manufaa pia kupata sera zinazohusiana na rasilimali kama mradi.

gcloud asset analyze-move --project=<proj-name> \
--destination-organization=609216679593

Nadhani ruhusa cloudasset.assets.queryIamPolicy inaweza pia kutoa ufikiaji wa kutafuta ruhusa za wakuu

# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing

testIamPermissions enumeration

Ikiwa huwezi kupata taarifa za IAM kwa kutumia mbinu zilizopita na uko katika Timu Nyekundu. Unaweza kutumia chombo https://github.com/carlospolop/bf_my_gcp_perms kujaribu nguvu ruhusa zako za sasa.

Hata hivyo, kumbuka kwamba huduma cloudresourcemanager.googleapis.com inahitaji kuwezeshwa.

Privesc

Katika ukurasa ufuatao unaweza kuangalia jinsi ya kutumia ruhusa za IAM kuboresha mamlaka:

Unauthenticated Enum

Post Exploitation

Persistence

Ikiwa una mamlaka ya juu unaweza:

Kuunda SAs mpya (au watumiaji ikiwa uko katika Workspace)
Kutoa wahusika wanaodhibitiwa na wewe ruhusa zaidi
Kutoa mamlaka zaidi kwa SAs zenye udhaifu (SSRF katika vm, Cloud Function yenye udhaifu…)
…

Org Policies

Kwa utangulizi kuhusu nini Org Policies ni angalia:

Sera za IAM zinaonyesha ruhusa wahusika walizonazo juu ya rasilimali kupitia majukumu, ambayo yanapewa ruhusa za kina. Sera za shirika zinapunguza jinsi huduma hizo zinaweza kutumika au ni vipengele gani vilivyokatwa. Hii inasaidia kuboresha kiwango cha chini cha ruhusa kwa kila rasilimali katika mazingira ya GCP.

gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
gcloud resource-manager org-policies list --folder=FOLDER_ID
gcloud resource-manager org-policies list --project=PROJECT_ID

Privesc

Katika ukurasa ufuatao unaweza kuangalia jinsi ya kudhulumu ruhusa za sera za shirika ili kupandisha hadhi:

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousGCP - Firestore Enum NextGCP - KMS Enum

Last updated 3 days ago