If the domain has a google-site-verification record, it is probable that it is (or was) using Workspace:
dig txt hacktricks.xyz
[...]
hacktricks.xyz. 3600 IN TXT "google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz. 3600 IN TXT "google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz. 300 IN TXT "v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"
If something like include:_spf.google.com also appears, that confirms it (note that its absence does not rule Workspace out, because a domain can be in Workspace without using Gmail as its mail provider).
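As an added example (not part of the original page), this Python code parses `dig txt` answer lines like the ones above and reports which Workspace indicators the records disclose, which is handy when reviewing your own domain's DNS footprint. The sample records, the `example.test` domain and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the dig output above (tokens are placeholders).
SAMPLE_DIG = '''\
example.test. 3600 IN TXT "google-site-verification=CONSTRUCTED-TOKEN-1"
example.test. 300 IN TXT "v=spf1 include:_spf.google.com include:spf.mandrillapp.com ~all"
'''

TXT_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$')


def txt_values(dig_output):
    """Return the TXT strings from dig answer lines, joining split chunks."""
    values = []
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue  # skips "[...]", ";" comment lines and non-TXT records
        # One TXT record may be printed as several quoted chunks; join them.
        values.append("".join(re.findall(r'"([^"]*)"', m.group(2))))
    return values


def workspace_indicators(dig_output):
    """Summarise what the TXT records disclose about Google Workspace use."""
    values = txt_values(dig_output)
    verification = [v for v in values if v.startswith("google-site-verification=")]
    includes = []
    for v in values:
        if v.lower().startswith("v=spf1"):
            includes += [t[len("include:"):] for t in v.split()
                         if t.lower().startswith("include:")]
    if "_spf.google.com" in [i.lower() for i in includes]:
        verdict = "confirmed: SPF authorises Google as a mail sender"
    elif verification:
        verdict = "probable: domain is or was verified with Google"
    else:
        # As the page notes, missing records do not rule Workspace out.
        verdict = "inconclusive: absence of records does not rule Workspace out"
    return {"verification_records": len(verification),
            "spf_includes": includes,
            "verdict": verdict}


if __name__ == "__main__":
    print(workspace_indicators(SAMPLE_DIG))
```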
Try to set up a Workspace with that domain
Another option is to try to set up a Workspace using the domain. If it complains that the domain is already in use (as in the image), you know it is already in use!
Try to recover the password of an email using that domain
If you know a valid email address being used in that domain (like: admin@email.com or info@email.com) you can try to recover the account at https://accounts.google.com/signin/v2/recoveryidentifier, and if the attempt does not show an error indicating that Google has no idea about that account, then the domain is using Workspace.
Enumerate emails and service accounts
It is possible to enumerate valid emails of a Workspace domain and SA emails by trying to assign them permissions and checking the error messages. For this you only need permission to assign permissions on a project (which can be one owned only by you).
Note that to check them without granting them a permission even if they exist, you can use the type serviceAccount when it is a user and user when it is an SA:
# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
## Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.
Note how, when the user email was valid, the error message indicated that the type was wrong, so we managed to discover that the email support@hacktricks.xyz exists without granting it any privileges.
You can do the same with Service Accounts, using the type user: instead of serviceAccount: as shown here:
# Non existent
# (the member type is user:, as described above, so nothing is granted if the SA exists)
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='user:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='user:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.