fix links

Carlos Polop
2025-01-05 11:29:50 +01:00
parent d65983432b
commit 13358c1371
33 changed files with 50 additions and 50 deletions

@@ -26,7 +26,7 @@ In order to audit a GCP environment it's very important to know: which **service
From a Red Team point of view, the **first step to compromise a GCP environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:
- **Leaks** in github (or similar) - OSINT
- **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/))
- **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/index.html))
- **Password** reuse (password leaks)
- Vulnerabilities in GCP-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
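
Review bot: the new target `../workspace-security/index.html` in the Social Engineering bullet names a rendered file, so the link resolves only in the built book and not when the Markdown sources are browsed directly. If that trade-off is intended, say so in the commit message, which currently reads only "fix links" and gives no reason for preferring `index.html` over the directory form.
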
@@ -115,7 +115,7 @@ GCP has an astonishing amount of services, in the following page you will find *
gcp-services/
{{#endref}}
Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automatic-tools).
Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](#automatic-tools).
Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:
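
Review bot: `#automatic-tools` is the only link in this commit rewritten to a bare fragment instead of `index.html#...`, which is correct only if the automatic tools section lives in this same file. The sentence says "below in this post", but the heading is not in the visible context, so confirm that a heading rendering the id `automatic-tools` exists here. The following context line also reads "you might discovered" and could be corrected to "you might have discovered" in the same pass.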

@@ -81,7 +81,7 @@ https://www.googleapis.com/auth/userinfo.email
it's interesting to see how this app supports the **`drive`** scope, which could allow a user to escalate from GCP to Workspace if an attacker manages to force the user to generate a token with this scope.
**Check how to** [**abuse this here**](../gcp-to-workspace-pivoting/#abusing-gcloud)**.**
**Check how to** [**abuse this here**](../gcp-to-workspace-pivoting/index.html#abusing-gcloud)**.**
### Service Accounts

@@ -101,7 +101,7 @@ def injection():
# Get relevant function names
handler_fname = os.environ.get("FUNCTION_TARGET") # Cloud Function env variable indicating the name of the function to habdle requests
source_path = os.environ.get("FUNCTION_SOURCE", "./main.py") # Path to the source file of the Cloud Function (./main.py by default)
source_path = os.environ.get("FUNCTION_SOURCE", "./main.py") # Path to the source file of the Cloud Function (main.py by default)
realpath = os.path.realpath(source_path) # Get full path
# Get the modules representations
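
Review bot: the comment on the `source_path` line now says `(main.py by default)` while the code on the same line still passes `"./main.py"` as the default to `os.environ.get`, so the comment no longer matches the literal. This is not a link, and the edit looks like collateral from a search-and-replace on `./` prefixes; revert the comment to `./main.py`. The comment on the `handler_fname` line also has the typo "habdle" for "handle".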

@@ -133,7 +133,7 @@ The tool [patchy](https://github.com/rek7/patchy) could been used in the past fo
### Bypass Access Scopes
Following this link you find some [**ideas to try to bypass access scopes**](../).
Following this link you find some [**ideas to try to bypass access scopes**](../index.html).
### Local Privilege Escalation in GCP Compute instance
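
Review bot: under "Bypass Access Scopes" the link text promises "ideas to try to bypass access scopes", but the new target `../index.html` carries no fragment, so the reader lands at the top of the parent index page and has to search for the relevant part. Add the fragment of the section that actually covers access scopes, as the other links rewritten in this commit do (for example `index.html#abusing-gcloud`).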

@@ -69,7 +69,7 @@ As we are in a GCP environment, you will also be able to **get the nodepool GCP
### `container.secrets.get` | `container.secrets.list`
As [**explained in this page**, ](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#listing-secrets)with these permissions you can **read** the **tokens** of all the **SAs of kubernetes**, so you can escalate to them.
As [**explained in this page**, ](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/index.html#listing-secrets)with these permissions you can **read** the **tokens** of all the **SAs of kubernetes**, so you can escalate to them.
### `container.pods.exec`
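
Review bot: in the `container.secrets.get` paragraph the link label is `[**explained in this page**, ]`, with the comma and a trailing space inside the brackets, so the punctuation is rendered as part of the link and nothing separates the closing parenthesis from "with". Since this line is being edited anyway, move the comma outside the link: `[**explained in this page**](...), with these permissions`.
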
@@ -86,7 +86,7 @@ Because of the **name** of the **permission**, it **looks like that it will allo
### `container.mutatingWebhookConfigurations.create` | `container.mutatingWebhookConfigurations.update`
These permissions might allow you to escalate privileges in Kubernetes, but more probably, you could abuse them to **persist in the cluster**.\
For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller).
For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/index.html#malicious-admission-controller).
{{#include ../../../banners/hacktricks-training.md}}

@@ -36,11 +36,11 @@ Most of the following proposed permissions are **given to the default Compute SA
Check the following permissions:
- [**compute.instances.osLogin**](gcp-compute-privesc/#compute.instances.oslogin)
- [**compute.instances.osAdminLogin**](gcp-compute-privesc/#compute.instances.osadminlogin)
- [**compute.projects.setCommonInstanceMetadata**](gcp-compute-privesc/#compute.projects.setcommoninstancemetadata)
- [**compute.instances.setMetadata**](gcp-compute-privesc/#compute.instances.setmetadata)
- [**compute.instances.setIamPolicy**](gcp-compute-privesc/#compute.instances.setiampolicy)
- [**compute.instances.osLogin**](gcp-compute-privesc/index.html#compute.instances.oslogin)
- [**compute.instances.osAdminLogin**](gcp-compute-privesc/index.html#compute.instances.osadminlogin)
- [**compute.projects.setCommonInstanceMetadata**](gcp-compute-privesc/index.html#compute.projects.setcommoninstancemetadata)
- [**compute.instances.setMetadata**](gcp-compute-privesc/index.html#compute.instances.setmetadata)
- [**compute.instances.setIamPolicy**](gcp-compute-privesc/index.html#compute.instances.setiampolicy)
## Search for Keys in the filesystem
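
Review bot: all five rewritten links keep fragments that contain dots, such as `#compute.instances.oslogin` and `#compute.projects.setcommoninstancemetadata`, and this change only touches the path part. Heading-derived ids often drop punctuation, so check in the rendered output that each of these fragments matches an id on the `gcp-compute-privesc` page; otherwise the links load the page but do not scroll to the permission.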

@@ -70,7 +70,7 @@ Even with the admin service enable, it's possible that you get an error enumerat
## IAM
Check [**this for basic information about IAM**](../gcp-basic-information/#iam-roles).
Check [**this for basic information about IAM**](../gcp-basic-information/index.html#iam-roles).
### Default Permissions

@@ -11,7 +11,7 @@ Google Workspace's Domain-Wide delegation allows an identity object, either an *
Google Workspace allows the creation of two main types of global delegated object identities:
- **GWS Applications:** Applications from the Workspace Marketplace can be set up as a delegated identity. Before being made available in the marketplace, each Workspace application undergoes a review by Google to minimize potential misuse. While this does not entirely eliminate the risk of abuse, it significantly increases the difficulty for such incidents to occur.
- **GCP Service Account:** Learn more about [**GCP Service Accounts here**](../gcp-basic-information/#service-accounts).
- **GCP Service Account:** Learn more about [**GCP Service Accounts here**](../gcp-basic-information/index.html#service-accounts).
### **Domain-Wide Delegation: Under the Hood**