GCP - IAM, Principals & Org Unauthenticated Enum

IAM & GCP Principals

For more information check:

GCP - IAM, Principals & Org Policies Enum

Is the domain used in Workspace?

  1. Check the DNS records

If the domain has a google-site-verification TXT record, it is highly likely that it is using (or was using) Workspace:

dig txt hacktricks.xyz

[...]
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz.		3600	IN	TXT	"google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz.		300	IN	TXT	"v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"
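The following is an added example, not part of the original page: a small Python parser that takes dig-style TXT answer lines (the ones quoted above are embedded as the constructed sample) and extracts the two indicators the check relies on, google-site-verification tokens and an SPF include of _spf.google.com. It is written so a domain owner can run it over their own zones to see what a third party would learn from public DNS. The function names and the result keys are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the dig answer lines quoted on the page, embedded so the example runs offline.
SAMPLE_DIG_OUTPUT = """
hacktricks.xyz.\t\t3600\tIN\tTXT\t"google-site-verification=2mWyPXMPXEEy6QqWbCfWkxFTcQhyYdwHrOxee1Yeo-0"
hacktricks.xyz.\t\t3600\tIN\tTXT\t"google-site-verification=C19PtLcZ1EGyzUYYJTX1Tp6bOGessxzN9gqE-SVKhRA"
hacktricks.xyz.\t\t300\tIN\tTXT\t"v=spf1 include:usb._netblocks.mimecast.com include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.salesforce.com include:spf.mandrillapp.com ~all"
"""

# Matches one dig answer line: <name> <ttl> IN TXT <quoted data>
TXT_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+(.*)$')


def parse_txt_records(dig_output: str) -> List[str]:
    """Return the TXT record values found in dig answer lines.

    A TXT record longer than 255 bytes is presented as several quoted
    strings; they are concatenated here, as resolvers do.
    """
    records = []
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue
        fragments = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
        records.append("".join(fragments))
    return records


def analyze_workspace_indicators(records: List[str]) -> Dict[str, object]:
    """Extract the Google-related indicators from a list of TXT values."""
    verification_tokens: List[str] = []
    spf_includes: List[str] = []
    for rec in records:
        if rec.startswith("google-site-verification="):
            verification_tokens.append(rec.split("=", 1)[1])
        elif rec.lower().startswith("v=spf1"):
            for mech in rec.split()[1:]:
                # Drop the optional qualifier (+, -, ~, ?) in front of a mechanism.
                if mech[0] in "+-~?":
                    mech = mech[1:]
                if mech.lower().startswith("include:"):
                    spf_includes.append(mech.split(":", 1)[1].lower())
    google_mail = "_spf.google.com" in spf_includes
    return {
        "site_verification_tokens": verification_tokens,
        "spf_includes": spf_includes,
        "google_mail_in_spf": google_mail,
        "likely_workspace": bool(verification_tokens) or google_mail,
    }


if __name__ == "__main__":
    result = analyze_workspace_indicators(parse_txt_records(SAMPLE_DIG_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two caveats when reading the output: a google-site-verification record is also created when a domain is verified in Google Search Console, so on its own it shows a Google-verified domain rather than a Workspace tenant, and an SPF include of _spf.google.com shows that Google is authorised to send mail for the domain, which is the stronger hint that Gmail/Workspace is in use.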
  2. Try to set up a Workspace with that domain

Another option is to try to set up a Workspace using that domain; if the signup complains that the domain is already in use (as in the image), you know it is already taken!

To try to set up a Workspace domain, follow: https://workspace.google.com/business/signup/welcome

  3. Try to recover the password of an email address using that domain

If you know a valid email address used in that domain (such as admin@email.com or info@email.com), you can try to recover the account at https://accounts.google.com/signin/v2/recoveryidentifier. If the attempt does not show an error indicating that Google has no idea about that account, then the domain is using Workspace.

Enumerate emails and service accounts

It is possible to enumerate valid emails of a Workspace domain, and SA emails, by trying to grant them permissions and checking the error messages. For this you only need permission to grant roles on a project (which can simply be your own).

Note that you can check them without actually granting anything, even if they exist: use the type serviceAccount when the principal is a user and user when it is an SA:

# Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz'
# but indicating it's a service account
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:unvalid-email-34r434f@hacktricks.xyz' \
--role='roles/viewer'
## Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User unvalid-email-34r434f@hacktricks.xyz does not exist.

# Now try with a valid email
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:support@hacktricks.xyz' \
--role='roles/viewer'
# Response:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation.

Notice how, when the user's email address was valid, the error message reported that the type was wrong, so we found out that the email address support@hacktricks.xyz exists without granting it any privilege.

You can do the same with Service Accounts using the type user: instead of serviceAccount:

# Non existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: User <invalid-sa-name>@<proj-uniq-name>.iam.gserviceaccount.com does not exist.

# Existent
gcloud projects add-iam-policy-binding <project-controlled-by-you> \
--member='serviceAccount:<sa-name>@<proj-uniq-name>.iam.gserviceaccount.com' \
--role='roles/viewer'
# Response
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation.