GCP - Public Buckets Privilege Escalation
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
If the bucket policy allowed "allUsers" or "allAuthenticatedUsers" to write to its own bucket policy (the storage.buckets.setIamPolicy permission), then anyone could modify the bucket policy and grant themselves full access.
There are 2 ways to check the permissions on a bucket. The first is to request them directly, by making a request to https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam or by running gsutil iam get gs://BUCKET_NAME.
However, if your user (which probably belongs to allUsers or allAuthenticatedUsers) does not have permission to read the bucket's IAM policy (storage.buckets.getIamPolicy), that will not work.
Another option that will always work is to use the bucket's testPermissions endpoint to find out whether you hold a given permission, for example by accessing: https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update
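As an added defensive example (not code from the original page or from HackTricks): a Python script that reads a bucket IAM policy in the JSON shape returned by the /iam endpoint or by gsutil iam get, flags every binding in which allUsers or allAuthenticatedUsers holds a role that carries storage.buckets.setIamPolicy or object write, produces a hardened copy of the policy with those public members removed, and classifies a testPermissions response into read / write / policy-edit risk. The sample policy and sample testPermissions response are constructed; the role sets are a minimal list maintained inside the script (an assumption, not a complete catalogue of GCP roles), so extend them with any custom roles used in your organisation.

```python
"""Audit a GCS bucket IAM policy for public principals (allUsers /
allAuthenticatedUsers) that could rewrite the policy or write objects,
and interpret a testIamPermissions response for the same risk.

Added example; the sample policy and response below are constructed.
"""
import copy
import json
import sys

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Predefined roles that include storage.buckets.setIamPolicy. Minimal list,
# kept here on purpose (assumption): extend it with custom roles you use.
POLICY_EDIT_ROLES = {
    "roles/owner",
    "roles/storage.admin",
    "roles/storage.legacyBucketOwner",
}
# Predefined roles that allow creating or deleting objects (same caveat).
OBJECT_WRITE_ROLES = {
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.objectUser",
    "roles/storage.legacyBucketWriter",
}

# The permissions the page probes through testPermissions, grouped by what
# a public caller could do with them.
POLICY_EDIT_PERMISSIONS = {"storage.buckets.setIamPolicy"}
WRITE_PERMISSIONS = {
    "storage.buckets.delete", "storage.buckets.update",
    "storage.objects.create", "storage.objects.delete", "storage.objects.update",
}
READ_PERMISSIONS = {
    "storage.buckets.get", "storage.buckets.getIamPolicy",
    "storage.objects.get", "storage.objects.list",
}


def severity_for_role(role):
    if role in POLICY_EDIT_ROLES:
        return "CRITICAL"   # a public principal could grant itself anything
    if role in OBJECT_WRITE_ROLES:
        return "HIGH"       # a public principal could tamper with content
    return "INFO"           # e.g. roles/storage.objectViewer, possibly intended


def find_public_bindings(policy):
    """Return one finding per binding that names a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        public = sorted(PUBLIC_PRINCIPALS.intersection(binding.get("members", [])))
        if public:
            findings.append({"role": role, "members": public,
                             "severity": severity_for_role(role)})
    return findings


def harden_policy(policy):
    """Return a copy of the policy with public principals removed from every
    CRITICAL/HIGH binding; bindings left empty are dropped. The etag is kept
    so the result can be submitted to setIamPolicy with concurrency control."""
    hardened = copy.deepcopy(policy)
    kept = []
    for binding in hardened.get("bindings", []):
        if severity_for_role(binding.get("role", "")) in ("CRITICAL", "HIGH"):
            binding["members"] = [m for m in binding.get("members", [])
                                  if m not in PUBLIC_PRINCIPALS]
        if binding.get("members"):
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


def classify_test_permissions(response):
    """Summarise a storage#testIamPermissionsResponse: which risk classes
    does the caller that made the probe hold on this bucket?"""
    held = set(response.get("permissions", []))
    return {
        "policy_edit": bool(held & POLICY_EDIT_PERMISSIONS),
        "write": bool(held & WRITE_PERMISSIONS),
        "read": bool(held & READ_PERMISSIONS),
        "held": sorted(held),
    }


# Constructed sample policy in the shape of GET .../b/BUCKET_NAME/iam output.
SAMPLE_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/example-public-bucket",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin",
         "members": ["allAuthenticatedUsers", "user:admin@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:uploader@example.iam.gserviceaccount.com"]},
    ],
    "etag": "CAE=",
}

# Constructed sample testPermissions response for the same bucket.
SAMPLE_TEST_RESPONSE = {
    "kind": "storage#testIamPermissionsResponse",
    "permissions": ["storage.buckets.get", "storage.buckets.setIamPolicy",
                    "storage.objects.get", "storage.objects.list"],
}


def main():
    # Pass a saved policy file as argv[1] (e.g. gsutil iam get > policy.json);
    # without an argument the constructed sample is audited.
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    for finding in find_public_bindings(policy):
        print(f"[{finding['severity']}] {finding['role']}: {finding['members']}")
    print("hardened policy:", json.dumps(harden_policy(policy), indent=2))
    print("probe result:", classify_test_permissions(SAMPLE_TEST_RESPONSE))


if __name__ == "__main__":
    main()
```

The hardened policy deliberately leaves allUsers on roles/storage.objectViewer untouched, since public read may be intended for a static-hosting bucket; only bindings that would let a public principal rewrite the policy or modify content are stripped. A CRITICAL finding here is the exact condition the paragraph above describes, and it is also what an unauthenticated testPermissions probe reporting storage.buckets.setIamPolicy means.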
To grant Storage Admin to allAuthenticatedUsers it is possible to run:
Another attack would be to delete the bucket and recreate it in your own account in order to steal ownership.