GCP - Cloud Functions Enum


Cloud Functions

Google Cloud Functions are designed to host your code, which is executed in response to events, without the need to manage the host operating system. Moreover, these functions support storing environment variables that the code can use.

Storage

The code of Cloud Functions is stored in GCP Storage. Therefore, anyone with read permissions over buckets in GCP will be able to read the Cloud Functions code. The code is stored in a bucket under one of the following paths:

  • gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip

  • gcf-v2-sources-<number>-<region>/<function-name>/function-source.zip

For example: gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip

Any user with read permissions over the bucket that stores a Cloud Function can read the code that is executed.
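Because both bucket layouts above follow a fixed pattern, a bucket listing can be parsed mechanically to find which function sources are exposed and which version is the newest. The following Python example is added here and is not part of the original page; the sample listing is constructed (it reuses the project number and function name from the example above) and the gs:// prefix handling is an assumption about how the listing was produced.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Gen 1 layout:
#   gcf-sources-<project-number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip
GEN1_RE = re.compile(
    r"^(?:gs://)?gcf-sources-(?P<project>\d+)-(?P<region>[a-z0-9-]+)/"
    r"(?P<function>[^/]+)-(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/"
    r"version-(?P<version>\d+)/function-source\.zip$"
)
# Gen 2 layout:
#   gcf-v2-sources-<project-number>-<region>/<function-name>/function-source.zip
GEN2_RE = re.compile(
    r"^(?:gs://)?gcf-v2-sources-(?P<project>\d+)-(?P<region>[a-z0-9-]+)/"
    r"(?P<function>[^/]+)/function-source\.zip$"
)


@dataclass
class FunctionSource:
    generation: int
    project_number: str
    region: str
    function_name: str
    uuid: Optional[str] = None      # gen 1 only
    version: Optional[int] = None   # gen 1 only


def parse_source_path(path: str) -> Optional[FunctionSource]:
    """Parse one bucket object path; return None if it is not a function source archive."""
    path = path.strip()
    m = GEN1_RE.match(path)
    if m:
        return FunctionSource(1, m["project"], m["region"], m["function"],
                              m["uuid"], int(m["version"]))
    m = GEN2_RE.match(path)
    if m:
        return FunctionSource(2, m["project"], m["region"], m["function"])
    return None


# Constructed sample listing (assumed to come from something like `gsutil ls -r`).
SAMPLE_LISTING = [
    "gs://gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-3/function-source.zip",
    "gs://gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip",
    "gs://gcf-v2-sources-645468741258-europe-west1/hello-http/function-source.zip",
    "gs://gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/",
    "gs://some-unrelated-bucket/backup.zip",
]


def inventory(paths: List[str]) -> Dict[Tuple[str, str, str], FunctionSource]:
    """Reduce a listing to one entry per (project, region, function), keeping the newest gen 1 version."""
    found: Dict[Tuple[str, str, str], FunctionSource] = {}
    for p in paths:
        src = parse_source_path(p)
        if src is None:
            continue  # directories and unrelated objects are skipped
        key = (src.project_number, src.region, src.function_name)
        current = found.get(key)
        if current is None or (src.version or 0) > (current.version or 0):
            found[key] = src
    return found


if __name__ == "__main__":
    for key, src in inventory(SAMPLE_LISTING).items():
        print(key, f"gen{src.generation}", f"version={src.version}")
```

Run against a real listing, the resulting inventory is the set of functions whose code is readable by anyone who can read those buckets, which is what an audit of bucket IAM should start from.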

Artifact Registry

If the cloud function is configured so that the Docker container that is executed is stored inside an Artifact Registry repo within the project, anyone with read permissions over the repo will be able to download the image and inspect the source code. For more information check:

GCP - Artifact Registry Enum

SA

If not specified, by default the App Engine Default Service Account, which has Editor permissions over the project, will be attached to the Cloud Function.

Triggers, URL & Authentication

When a Cloud Function is created a trigger needs to be specified. One of the most common is HTTPS, which creates a URL through which the function can be triggered by browsing to it. Other triggers are pub/sub, Storage, Filestore...

The URL format is https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>

When the HTTPS trigger is used, it is also indicated whether the caller needs IAM authorization to call the Function or whether anyone can simply call it.

Ndani ya Cloud Function

The code is downloaded into the folder /workspace, with the same file names the files have in the Cloud Function, and it is executed by the user www-data. The disk is not mounted as read-only.

Enumeration

# List functions
gcloud functions list
gcloud functions describe <func_name> # Check the triggers to see how this function is invoked
gcloud functions get-iam-policy <func_name>

# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit <number>

# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'

# If you know the project names you could try to BF cloud function names

# Get events that could be used to trigger a cloud function
gcloud functions event-types list

# Access function with authentication
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" \
-d '{}'
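The output of `gcloud functions get-iam-policy <func_name>` is what tells you whether the HTTPS trigger can be called without IAM authorization, as described in the trigger section. The following Python example is added here and is not part of the original page: it parses that policy (fetched with `--format=json`) and classifies who can invoke the function. The sample policies are constructed; checking roles/run.invoker alongside roles/cloudfunctions.invoker is an assumption made because gen 2 functions are backed by Cloud Run services.

```python
import json
from typing import Dict, List

# Principals that make a binding reachable by anyone, or by any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# roles/cloudfunctions.invoker is the gen 1 invoker role; gen 2 functions run on Cloud Run,
# so roles/run.invoker is checked too (assumption: either may appear depending on which
# resource's policy was fetched).
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}

# Constructed samples shaped like `gcloud functions get-iam-policy <func_name> --format=json`.
SAMPLE_POLICY_PUBLIC = json.dumps({
    "bindings": [
        {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
        {"role": "roles/cloudfunctions.developer", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
})
SAMPLE_POLICY_ANY_GOOGLE = json.dumps({
    "bindings": [
        {"role": "roles/run.invoker", "members": ["allAuthenticatedUsers"]},
    ],
})
SAMPLE_POLICY_PRIVATE = json.dumps({
    "bindings": [
        {"role": "roles/cloudfunctions.invoker",
         "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudfunctions.viewer", "members": ["group:auditors@example.com"]},
    ],
})


def invoker_exposure(policy_json: str) -> Dict[str, object]:
    """Collect every principal that holds an invoker role and flag the public ones."""
    policy = json.loads(policy_json)
    invokers: List[str] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in INVOKER_ROLES:
            invokers.extend(binding.get("members", []))
    public = sorted(set(invokers) & PUBLIC_PRINCIPALS)
    return {
        "public": bool(public),
        "public_principals": public,
        "invokers": sorted(set(invokers)),
    }


def classify(policy_json: str) -> str:
    """Summarise the exposure level of a function from its IAM policy."""
    exposure = invoker_exposure(policy_json)
    if "allUsers" in exposure["public_principals"]:
        return "UNAUTHENTICATED"      # anyone on the Internet can call it
    if "allAuthenticatedUsers" in exposure["public_principals"]:
        return "ANY_GOOGLE_ACCOUNT"   # any Google identity token is accepted
    if exposure["invokers"]:
        return "IAM_RESTRICTED"       # only the listed principals can invoke
    return "NO_INVOKERS"


if __name__ == "__main__":
    for name, policy in [("public", SAMPLE_POLICY_PUBLIC),
                         ("any-google", SAMPLE_POLICY_ANY_GOOGLE),
                         ("private", SAMPLE_POLICY_PRIVATE)]:
        print(name, classify(policy), invoker_exposure(policy)["invokers"])
```

Feeding each function's policy through `classify` gives a quick inventory of which HTTPS-triggered functions are reachable without a bearer token; those are the ones where the unauthenticated curl above will succeed and where an IAM review is worth doing first.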

Privilege Escalation

In the following page you can check how to abuse cloud function permissions to escalate privileges:

GCP - Cloudfunctions Privesc

Unauthenticated Access

GCP - Cloud Functions Unauthenticated Enum

Post Exploitation

GCP - Cloud Functions Post Exploitation

Persistence

GCP - Cloud Functions Persistence
