GCP - IAM, Principals & Org Unauthenticated Enum

IAM & GCP Principals

For more information, check:

GCP - IAM, Principals & Org Policies Enum

Is the domain being used in Workspace?

  1. Check the DNS records

If there is a google-site-verification record, the domain is probably using (or has used) Workspace:

dig txt hacktricks.xyz

[...]
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz.		300	IN	TXT	"v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"

If something like include:_spf.google.com appears, that confirms it (note that its absence does not rule it out, because a domain can be in Workspace without using Gmail as its mail provider).

  2. Try to set up Workspace with the domain

Another option is to try to set up Workspace with that domain: if it complains that the domain is already in use (as shown in the image), you know it is already being used!

To try to set up a Workspace domain, go to: https://workspace.google.com/business/signup/welcome

  3. Try to recover the password of an email in the domain

If you know any valid email address used in that domain (such as admin@email.com or info@email.com), you can try to recover the account at https://accounts.google.com/signin/v2/recoveryidentifier. If the attempt does not show an error indicating that Google has no information about that account, then the domain is using Workspace.

Enumerate Emails and Service Accounts

It is possible to enumerate valid emails by trying to assign permissions to Workspace domain emails and SA emails and checking the error messages. For this you only need permission to assign permissions on a project (a project that only you own is enough).

Note that, so that you do not grant them any permission when checking them (even if they exist), you use the type serviceAccount when the principal is a user and the type user when it is a SA.

# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.

A faster way to enumerate service accounts in a known project is to try to access the following URL: https://iam.googleapis.com/v1/projects/<project-id>/serviceAccounts/<sa-email>

For example: https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com

If the response is a 403, the service account exists (the API rejects the unauthenticated caller). If the response is a 404, it does not exist:

// Exists
{
  "error": {
    "code": 403,
    "message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
    "status": "PERMISSION_DENIED"
  }
}

// Doesn't exist
{
  "error": {
    "code": 404,
    "message": "Unknown service account",
    "status": "NOT_FOUND"
  }
}

Note that in the first gcloud example above, when the user email was valid, the error message only complained that its type was wrong, so we discovered that the email support@hacktricks.xyz exists without granting it any permission.

You can do the same with service accounts by using the type user: instead of serviceAccount:

# Non existent
# The SA is given with the 'user:' type on purpose: a valid SA is then
# reported as a type mismatch instead of actually receiving the role
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='user:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='user:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.