GCP - KMS Privesc


KMS

More information about KMS:

GCP - KMS Enum

Note that in KMS, permissions are inherited not only from Organizations, Folders and Projects but also from Key Rings.

cloudkms.cryptoKeyVersions.useToDecrypt

You can use this permission to decrypt information with the key you hold this permission over.

```bash
gcloud kms decrypt \
--location=[LOCATION] \
--keyring=[KEYRING_NAME] \
--key=[KEY_NAME] \
--version=[KEY_VERSION] \
--ciphertext-file=[ENCRYPTED_FILE_PATH] \
--plaintext-file=[DECRYPTED_FILE_PATH]
```

cloudkms.cryptoKeys.setIamPolicy

An attacker with this permission can grant themselves permission to use the key to decrypt information.

```bash
gcloud kms keys add-iam-policy-binding [KEY_NAME] \
--location [LOCATION] \
--keyring [KEYRING_NAME] \
--member [MEMBER] \
--role roles/cloudkms.cryptoKeyDecrypter
```

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

Here is a conceptual explanation of how this delegation works:

  1. Service Account A has direct decrypt access using a specific key in KMS.

  2. Service Account B is granted the useToDecryptViaDelegation permission. This allows it to ask KMS to decrypt data on behalf of Service Account A.

The usefulness of this permission lies in how the KMS service checks permissions when a decrypt request is made.

When you make a standard decrypt request using the Google Cloud KMS API (in Python or another language), the service checks whether the requesting service account has the required permissions. If the request is made by a service account with the useToDecryptViaDelegation permission, KMS verifies whether this account is allowed to request decryption on behalf of the entity that owns the key.

Setting Up Delegation

  1. Define a Custom Role: Create a YAML file (e.g., custom_role.yaml) that defines a custom role. This file must include the cloudkms.cryptoKeyVersions.useToDecryptViaDelegation permission. Here is an example of what this file could look like:

```yaml
title: "KMS Decryption via Delegation"
description: "Allows decryption via delegation"
stage: "GA"
includedPermissions:
- "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"
```

  2. Create the Custom Role Using the gcloud CLI: Use the following command to create the custom role in your Google Cloud project:

```bash
gcloud iam roles create kms_decryptor_via_delegation --project [YOUR_PROJECT_ID] --file custom_role.yaml
```

Replace [YOUR_PROJECT_ID] with your Google Cloud Project ID.

  3. Assign the Custom Role to a Service Account: Bind your custom role to the service account that will use this permission. Use the following commands:

```bash
# Give this permission to the service account to impersonate
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "serviceAccount:[SERVICE_ACCOUNT_B_EMAIL]" \
--role "projects/[PROJECT_ID]/roles/[CUSTOM_ROLE_ID]"

# Give this permission over the project to be able to impersonate any SA
gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
--member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
--role="projects/[YOUR_PROJECT_ID]/roles/kms_decryptor_via_delegation"
```

Replace [YOUR_PROJECT_ID] and [SERVICE_ACCOUNT_EMAIL] with your project ID and the service account email, respectively.
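Because KMS bindings are inherited from the project and key ring down to the key, a defender reviewing "who can decrypt with this key" has to merge every level of the hierarchy, not just the key's own policy. The following script is an added example (not part of the original page or any Google tooling) that does exactly that for the three permissions discussed above; the role-to-permission map is reduced to the permissions relevant here, and the project ID, member names and policies are constructed sample data.

```python
from collections import defaultdict

# Permissions this page singles out as KMS privilege-escalation paths.
RISKY_PERMS = {
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeys.setIamPolicy",
    "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
}

# Role -> permissions. Assumption: predefined roles are reduced to the permissions
# relevant here; the custom role mirrors custom_role.yaml from this page.
ROLE_PERMS = {
    "roles/cloudkms.cryptoKeyDecrypter": {"cloudkms.cryptoKeyVersions.useToDecrypt"},
    "roles/cloudkms.admin": {"cloudkms.cryptoKeys.setIamPolicy"},
    "projects/demo-proj/roles/kms_decryptor_via_delegation":
        {"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"},
    "roles/viewer": set(),
}

# Constructed sample: IAM policies along the resource hierarchy for one key.
SAMPLE_POLICIES = [
    ("project", [
        {"role": "projects/demo-proj/roles/kms_decryptor_via_delegation",
         "members": ["serviceAccount:sa-b@demo-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ]),
    ("keyring", [
        {"role": "roles/cloudkms.admin", "members": ["user:alice@example.com"]},
    ]),
    ("key", [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["serviceAccount:sa-a@demo-proj.iam.gserviceaccount.com"]},
    ]),
]

def effective_risky_members(policies, role_perms=ROLE_PERMS):
    """Merge every level (org/folder/project/key ring/key are all inherited by
    the key). Returns member -> {(permission, scope it was granted at)}."""
    findings = defaultdict(set)
    for scope, bindings in policies:
        for binding in bindings:
            perms = role_perms.get(binding["role"])
            if perms is None:  # unknown role: surface it instead of silently skipping
                perms = {"UNKNOWN_ROLE:" + binding["role"]}
            for perm in perms:
                if perm in RISKY_PERMS or perm.startswith("UNKNOWN_ROLE:"):
                    for member in binding["members"]:
                        findings[member].add((perm, scope))
    return dict(findings)
```

Members holding roles/cloudkms.admin on the key ring show up as able to change the key's policy even though they never appear in the key's own bindings, which is the inheritance point made at the top of this page.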
