GCP - KMS Privesc

Support HackTricks

KMS

Information about KMS:

GCP - KMS Enum

Note that in KMS, permissions are inherited not only from the Organization, Folders and Project, but also from the Key Ring. When enumerating who can use a key, read the IAM policy at every level above it (organization, folders, project, key ring), not just the policy set on the key itself.
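The point above worked through as an added example (not HackTricks' or Google's code): a Python script that takes the IAM policy JSON returned at each level of the hierarchy and reports who ends up holding useToDecrypt, useToDecryptViaDelegation and cloudkms.cryptoKeys.setIamPolicy on the key. The role-to-permission table is deliberately partial (basic roles are left out), and the project ID example-project, the principals and the policies are constructed for the example; the custom role name mirrors the kms_decryptor_via_delegation role created later on this page.

```python
"""Who can decrypt with, delegate decryption with, or re-scope access to a
Cloud KMS key, resolved across every level the key inherits bindings from.

Added example for this page (not HackTricks' or Google's code). Input is the
JSON that `gcloud ... get-iam-policy --format=json` prints at each level.
Sample policies are constructed; "example-project" is an assumed project ID.
"""
from collections import defaultdict

# Partial mapping of predefined roles to the permissions this page discusses.
# Basic roles (roles/owner, roles/editor) and other predefined roles are not
# modelled: resolve them with `gcloud iam roles describe ROLE` and add them.
PREDEFINED_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter": {
        "cloudkms.cryptoKeyVersions.useToDecrypt"},
    "roles/cloudkms.cryptoKeyEncrypterDecrypter": {
        "cloudkms.cryptoKeyVersions.useToEncrypt",
        "cloudkms.cryptoKeyVersions.useToDecrypt"},
    "roles/cloudkms.cryptoKeyDecrypterViaDelegation": {
        "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"},
    "roles/cloudkms.admin": {
        "cloudkms.cryptoKeys.getIamPolicy",
        "cloudkms.cryptoKeys.setIamPolicy"},
}
# Custom roles are project-scoped; this one mirrors the role created below.
CUSTOM_ROLES = {
    "projects/example-project/roles/kms_decryptor_via_delegation": {
        "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"},
}
WATCHED = (
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
    "cloudkms.cryptoKeys.setIamPolicy",
)


def effective_grants(policies_by_level, custom_roles=None):
    """Flatten policies into {permission: {member: [levels granting it]}}.

    policies_by_level: list of (level_name, policy_dict), top of the hierarchy
    first. Bindings inherit downward, so a project binding applies to every
    key ring and key beneath it. Conditional bindings are kept but tagged.
    Roles the mapping does not know are returned instead of silently dropped.
    """
    custom_roles = custom_roles or {}
    grants = defaultdict(lambda: defaultdict(list))
    unknown_roles = set()
    for level, policy in policies_by_level:
        for binding in policy.get("bindings", []):
            role = binding["role"]
            perms = PREDEFINED_ROLES.get(role) or custom_roles.get(role)
            if not perms:
                unknown_roles.add(role)
                continue
            where = level + (" [conditional]" if "condition" in binding else "")
            for member in binding.get("members", []):
                for perm in perms:
                    grants[perm][member].append(where)
    return grants, unknown_roles


def who_can(permission, grants):
    """{member: sorted levels} for everyone holding `permission`."""
    holders = grants.get(permission, {})
    return {m: sorted(where) for m, where in sorted(holders.items())}


# Constructed samples standing in for get-iam-policy output at each level.
PROJECT_POLICY = {"version": 1, "etag": "BwXexampleEtag=", "bindings": [
    {"role": "roles/cloudkms.admin", "members": ["user:kms-admin@example.com"]},
    {"role": "roles/viewer", "members": ["group:everyone@example.com"]},
]}
KEYRING_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
]}
KEY_POLICY = {"version": 3, "bindings": [
    {"role": "projects/example-project/roles/kms_decryptor_via_delegation",
     "members": ["serviceAccount:sa-b@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["group:analysts@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('UTC') < 18"}},
]}
HIERARCHY = [("project", PROJECT_POLICY), ("keyring", KEYRING_POLICY),
             ("key", KEY_POLICY)]


def audit(policies_by_level=HIERARCHY, custom_roles=CUSTOM_ROLES):
    """Holders of each watched permission, plus roles left unresolved."""
    grants, unknown = effective_grants(policies_by_level, custom_roles)
    return {perm: who_can(perm, grants) for perm in WATCHED}, sorted(unknown)


if __name__ == "__main__":
    report, unknown = audit()
    for perm, holders in report.items():
        print(perm)
        for member, where in holders.items():
            print(f"  {member}  via {', '.join(where)}")
    if unknown:
        print("unresolved roles (check with gcloud iam roles describe):", unknown)
```

To use it against a real target, feed the output of `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy`, `gcloud projects get-iam-policy`, `gcloud kms keyrings get-iam-policy` and `gcloud kms keys get-iam-policy`, each with `--format=json`, in that order. Any role reported as unresolved must be looked up before concluding that nobody else can decrypt.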

cloudkms.cryptoKeyVersions.useToDecrypt

You can use this permission to decrypt data with any key you hold it on. For a symmetric key the ciphertext itself identifies the key version that produced it, so gcloud kms decrypt takes no --version flag; for an asymmetric key use gcloud kms asymmetric-decrypt instead, which does require --version.

# Symmetric decryption: the key version is taken from the ciphertext
gcloud kms decrypt \
--location=[LOCATION] \
--keyring=[KEYRING_NAME] \
--key=[KEY_NAME] \
--ciphertext-file=[ENCRYPTED_FILE_PATH] \
--plaintext-file=[DECRYPTED_FILE_PATH]

cloudkms.cryptoKeys.setIamPolicy

An attacker with this permission can grant any principal they control (including themselves) a role that carries cloudkms.cryptoKeyVersions.useToDecrypt on the key, and then decrypt with it:

gcloud kms keys add-iam-policy-binding [KEY_NAME] \
--location [LOCATION] \
--keyring [KEYRING_NAME] \
--member [MEMBER] \
--role roles/cloudkms.cryptoKeyDecrypter
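As an added example (not HackTricks' or Google's code), here is the read-modify-write that add-iam-policy-binding performs, in Python: it merges an attacker-controlled principal into the key's policy and emits the document to hand to gcloud kms keys set-iam-policy, keeping the etag from the read so the write is rejected if the policy changed in between. The attacker principal user:attacker@example.com, the etag and the existing bindings are constructed for the example. The second function gives the reverse view, the members gained per role, which is what a defender reviewing the resulting SetIamPolicy event looks for.

```python
"""What `gcloud kms keys add-iam-policy-binding` does under the hood, so the
privesc step can be replayed, reviewed or detected.

Added example for this page (not HackTricks' or Google's code). Flow:
  gcloud kms keys get-iam-policy KEY --keyring R --location L --format=json
  edit the policy (below)
  gcloud kms keys set-iam-policy KEY policy.json --keyring R --location L
The etag from the read is sent back so a concurrent change makes the write
fail instead of being overwritten. The input policy is constructed.
"""
import copy
import json

DECRYPTER_ROLE = "roles/cloudkms.cryptoKeyDecrypter"


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` granted `role` unconditionally.

    Merges into an existing unconditional binding for the role; a conditional
    binding for the same role is a narrower grant and is left alone rather
    than widened. Idempotent: adding a member already present changes nothing.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    # The IAM API requires version 3 for policies with conditional bindings.
    if any("condition" in b for b in bindings):
        new_policy["version"] = 3
    return new_policy


def added_members(before, after):
    """Members gained per role between two policies, i.e. the binding deltas
    a reviewer would want to see for the change."""
    def index(policy):
        out = {}
        for b in policy.get("bindings", []):
            key = (b["role"], json.dumps(b.get("condition"), sort_keys=True))
            out[key] = set(b.get("members", []))
        return out
    old, new = index(before), index(after)
    gained = {}
    for (role, _cond), members in new.items():
        extra = members - old.get((role, _cond), set())
        if extra:
            gained[role] = gained.get(role, []) + sorted(extra)
    return gained


# Constructed sample: what get-iam-policy returned for the target key.
CURRENT_POLICY = {
    "version": 3,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": DECRYPTER_ROLE,
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": DECRYPTER_ROLE,
         "members": ["group:analysts@example.com"],
         "condition": {"title": "business-hours",
                       "expression": "request.time.getHours('UTC') < 18"}},
    ],
}
ATTACKER = "user:attacker@example.com"  # assumed principal the attacker controls


def escalate(policy=CURRENT_POLICY, member=ATTACKER):
    """The policy to submit with set-iam-policy, plus a summary of the change."""
    new_policy = add_member(policy, DECRYPTER_ROLE, member)
    return new_policy, added_members(policy, new_policy)


if __name__ == "__main__":
    new_policy, delta = escalate()
    print(json.dumps(new_policy, indent=2))  # save as policy.json for set-iam-policy
    print("added:", delta)
```

Note that the merge deliberately skips the conditional binding for the same role: widening a time- or attribute-restricted grant would be a different and noisier change than adding an unconditional one, and it is also the binding a defender should compare against when the audit log shows a SetIamPolicy on the key.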

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

Here is a conceptual description of how this delegation works:

  1. Service Account A has direct decrypt access to a specific key in KMS.

  2. Service Account B is granted the useToDecryptViaDelegation permission. This lets it ask KMS to decrypt data on behalf of Service Account A.

The effect of this permission shows in how KMS checks authorization when a decrypt request arrives.

When you make an ordinary decrypt request through the Cloud KMS API (from Python or any other client), the service checks that the calling principal holds cloudkms.cryptoKeyVersions.useToDecrypt on the key. When the caller instead holds useToDecryptViaDelegation, KMS checks whether that caller is allowed to request the decryption on behalf of the principal that has access to the key. Google's role catalog describes the matching predefined role, roles/cloudkms.cryptoKeyDecrypterViaDelegation, as enabling Decrypt operations via other Google Cloud services, which is where this permission is normally found: on a Google service's service agent, decrypting with a customer-managed key on behalf of a principal using the protected resource.

Setting up the environment for delegation

  1. Define a custom role: create a YAML file (e.g. custom_role.yaml) that defines a custom role whose permissions include cloudkms.cryptoKeyVersions.useToDecryptViaDelegation. For example:

title: "KMS Decryption via Delegation"
description: "Allows decryption via delegation"
stage: "GA"
includedPermissions:
- "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation"

  2. Create the custom role with the gcloud CLI: run the following to create the custom role in your Google Cloud project:

gcloud iam roles create kms_decryptor_via_delegation --project [YOUR_PROJECT_ID] --file custom_role.yaml

Replace [YOUR_PROJECT_ID] with your Google Cloud project ID.

  3. Grant the custom role to a service account: bind the custom role to the service account that will use the permission. A project-level binding covers every key ring and key in the project; to limit the scope, bind the same custom role on a single key with gcloud kms keys add-iam-policy-binding (the command shown in the setIamPolicy section) instead.

# Bind the custom role to the service account at the project level, so it
# applies to every key ring and key in the project
gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
--member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" \
--role="projects/[YOUR_PROJECT_ID]/roles/kms_decryptor_via_delegation"

Replace [YOUR_PROJECT_ID] and [SERVICE_ACCOUNT_EMAIL] with your project ID and the service account's email address, respectively.
