GCP - AppEngine Privesc

Jifunze na kufanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na kufanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mipango ya usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud github repos.

App Engine

Kwa maelezo zaidi kuhusu App Engine angalia:

GCP - App Engine Enum

`appengine.applications.get`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.operations.list`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.create`, `appengine.versions.get`, `appengine.versions.list`, `cloudbuild.builds.get`,`iam.serviceAccounts.actAs`, `resourcemanager.projects.get`, `storage.objects.create`, `storage.objects.list`

Hizi ni ruhusa zinazohitajika ili kupeleka App kwa kutumia gcloud cli. Labda zile za get na list zinaweza kuepukwa.

Unaweza kupata mifano ya msimbo wa python katika https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/appengine

Kwa chaguo-msingi, jina la huduma ya App litakuwa default, na inaweza kuwa na mfano mmoja tu na jina sawa. Kubadilisha na kuunda App ya pili, katika app.yaml, badilisha thamani ya ufunguo wa mizizi kuwa kitu kama service: my-second-app

cd python-docs-samples/appengine/flexible/hello_world
gcloud app deploy #Upload and start application inside the folder

Subiri angalau dakika 10-15, kama haifanyi kazi piga deploy another of times na subiri dakika kadhaa.

Inawezekana kuonyesha Service Account ya kutumia lakini kwa default, App Engine default SA inatumika.

URL ya programu ni kitu kama https://<proj-name>.oa.r.appspot.com/ au https://<service_name>-dot-<proj-name>.oa.r.appspot.com

Sasisha ruhusa zinazolingana

Unaweza kuwa na ruhusa za kutosha kusasisha AppEngine lakini si za kuunda mpya. Katika hali hiyo, hivi ndivyo unaweza kusasisha App Engine ya sasa:

# Find the code of the App Engine in the buckets
gsutil ls

# Download code
mkdir /tmp/appengine2
cd /tmp/appengine2
## In this case it was found in this custom bucket but you could also use the
## buckets generated when the App Engine is created
gsutil cp gs://appengine-lab-1-gcp-labs-4t04m0i6-3a97003354979ef6/labs_appengine_1_premissions_privesc.zip .
unzip labs_appengine_1_premissions_privesc.zip

## Now modify the code..

## If you don't have an app.yaml, create one like:
cat >> app.yaml <<EOF
runtime: python312

entrypoint: gunicorn -b :\$PORT main:app

env_variables:
A_VARIABLE: "value"
EOF

# Deploy the changes
gcloud app deploy

# Update the SA if you need it (and if you have actas permissions)
gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com

Ikiwa tayari umeathiri **AppEngine** na una ruhusa **`appengine.applications.update`** na **actAs** juu ya akaunti ya huduma unayotumia unaweza kubadilisha akaunti ya huduma inayotumiwa na AppEngine na:

gcloud app update --service-account=<sa>@$PROJECT_ID.iam.gserviceaccount.com

`appengine.instances.enableDebug`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.get`, `appengine.versions.list`, `compute.projects.get`

Kwa ruhusa hizi, inawezekana kuingia kupitia ssh katika App Engine instances za aina flexible (sio standard). Baadhi ya ruhusa za list na get huenda hazihitajiki kweli.

gcloud app instances ssh --service <app-name> --version <version-id> <ID>

`appengine.applications.update`, `appengine.operations.get`

Nadhani hii inabadilisha tu SA ya usuli ambayo Google itatumia kusanidi programu, kwa hivyo sidhani kama unaweza kutumia vibaya hii kuiba akaunti ya huduma.

gcloud app update --service-account=<sa_email>

`appengine.versions.getFileContents`, `appengine.versions.update`

Sijui jinsi ya kutumia ruhusa hizi au kama ni muhimu (kumbuka kwamba unapobadilisha msimbo toleo jipya linaundwa kwa hivyo sijui kama unaweza tu kusasisha msimbo au jukumu la IAM la moja, lakini nadhani unapaswa kuwa na uwezo, labda kubadilisha msimbo ndani ya ndoo??).

Upatikanaji wa Kuandika juu ya ndoo

Hata kwa upatikanaji wa kuandika juu ya ndoo ambapo msimbo wa chanzo umewekwa HAIKUWEZEKANA kutekeleza msimbo wa kiholela kwa kurekebisha msimbo wa chanzo na manifest.json. Labda kama unafuatilia ndoo na kugundua wakati ambapo toleo jipya linaundwa na msimbo wa chanzo na manifest inapakiwa, inaweza kuwa inawezekana kuzibadilisha ili toleo jipya litumie zile zilizowekwa nyuma??

Inaonekana pia kama tabaka za kontena zimehifadhiwa kwenye ndoo, labda kuzibadilisha hizo?

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mipango ya usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousGCP - Apikeys Privesc NextGCP - Artifact Registry Privesc

Last updated 1 month ago

App Engine

Sasisha ruhusa zinazolingana

appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.list, compute.projects.get

appengine.applications.update, appengine.operations.get

appengine.versions.getFileContents, appengine.versions.update

Upatikanaji wa Kuandika juu ya ndoo

`appengine.instances.enableDebug`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.get`, `appengine.versions.list`, `compute.projects.get`

`appengine.applications.update`, `appengine.operations.get`

`appengine.versions.getFileContents`, `appengine.versions.update`