GCP - IAM, Principals & Org Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Iam & GCP Principals

Kwa maelezo zaidi angalia:

GCP - IAM, Principals & Org Policies Enum

Je, jina la kikoa linatumika katika Workspace?

Angalia rekodi za DNS

Ikiwa ina rekodi ya google-site-verification ni uwezekano kwamba inatumia (au ilikuwa inatumia) Workspace:

dig txt hacktricks.xyz

[...]
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz.		300	IN	TXT	"v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"

Ikiwa kitu kama include:_spf.google.com pia kinaonekana, kinathibitisha hilo (kumbuka kwamba ikiwa hakionekani, hakikatai kwani kikoa kinaweza kuwa katika Workspace bila kutumia gmail kama mtoa huduma wa barua).

Jaribu kuanzisha Workspace na kikoa hicho

Chaguo lingine ni kujaribu kuanzisha Workspace kwa kutumia kikoa, ikiwa kinalalamika kwamba kikoa tayari kinatumika (kama katika picha), unajua tayari kinatumika!

Ili kujaribu kuanzisha kikoa cha Workspace fuata: https://workspace.google.com/business/signup/welcome

Jaribu kurejesha nenosiri la barua pepe kwa kutumia kikoa hicho

Ikiwa unajua anwani yoyote halali ya barua pepe inayotumika katika kikoa hicho (kama: admin@email.com au info@email.com) unaweza kujaribu kurejesha akaunti katika https://accounts.google.com/signin/v2/recoveryidentifier, na ikiwa jaribio halionyeshi kosa linaloashiria kwamba Google haina wazo kuhusu akaunti hiyo, basi inatumia Workspace.

Tambua barua pepe na akaunti za huduma

Inawezekana kutambua barua pepe halali za kikoa cha Workspace na barua pepe za SA kwa kujaribu kuwapa ruhusa na kuangalia ujumbe wa makosa. Kwa hili unahitaji tu kuwa na ruhusa ya kutoa ruhusa kwa mradi (ambayo inaweza kuwa inamilikiwa tu na wewe).

Kumbuka kwamba ili kuziangalia lakini hata kama zipo usizipe ruhusa unaweza kutumia aina serviceAccount wakati ni user na user wakati ni SA:

# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
## Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.

Njia ya haraka ya kuhesabu Akaunti za Huduma katika miradi inayojulikana ni kujaribu kufikia URL: https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email> Kwa mfano: https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com

Ikiwa jibu ni 403, inamaanisha kwamba SA ipo. Lakini ikiwa jibu ni 404 inamaanisha kwamba haipo:

// Exists
{
"error": {
"code": 403,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"status": "PERMISSION_DENIED"
}
}

// Doesn't exist
{
"error": {
"code": 404,
"message": "Unknown service account",
"status": "NOT_FOUND"
}
}

Note jinsi wakati barua pepe ya mtumiaji ilikuwa halali ujumbe wa kosa ulionyesha kuwa aina yao si, hivyo tulifanikiwa kugundua kwamba barua pepe support@hacktricks.xyz inapatikana bila kutoa haki zozote.

Unaweza pia kufanya vivyo hivyo na Akaunti za Huduma ukitumia aina user: badala ya serviceAccount::

# Non existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousGCP - Compute Unauthenticated Enum NextGCP - Source Repositories Unauthenticated Enum

Last updated 8 days ago