Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

This commit is contained in:
Translator
2024-12-31 19:02:02 +00:00
parent 7770a50092
commit 2753c75e8b
244 changed files with 8471 additions and 11302 deletions


@@ -2,60 +2,60 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
**Before start pentesting** a **GCP** environment, there are a few **basics things you need to know** about how it works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
**Voordat jy begin pentesting** 'n **GCP** omgewing, is daar 'n paar **basiese dinge wat jy moet weet** oor hoe dit werk om jou te help verstaan wat jy moet doen, hoe om miskonfigurasies te vind en hoe om dit te benut.
Concepts such as **organization** hierarchy, **permissions** and other basic concepts are explained in:
Konsepte soos **organisasie** hiërargie, **toestemmings** en ander basiese konsepte word verduidelik in:
{{#ref}}
gcp-basic-information/
{{#endref}}
## Labs to learn
## Laboratoriums om te leer
- [https://gcpgoat.joshuajebaraj.com/](https://gcpgoat.joshuajebaraj.com/)
- [https://github.com/ine-labs/GCPGoat](https://github.com/ine-labs/GCPGoat)
- [https://github.com/lacioffi/GCP-pentest-lab/](https://github.com/lacioffi/GCP-pentest-lab/)
- [https://github.com/carlospolop/gcp_privesc_scripts](https://github.com/carlospolop/gcp_privesc_scripts)
## GCP Pentester/Red Team Methodology
## GCP Pentester/Red Team Metodologie
In order to audit a GCP environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal GCP services an **external services** connected.
Om 'n GCP omgewing te oudit, is dit baie belangrik om te weet: watter **dienste gebruik word**, wat is **blootgestel**, wie het **toegang** tot wat, en hoe is interne GCP dienste en **eksterne dienste** gekoppel.
From a Red Team point of view, the **first step to compromise a GCP environment** is to manage to obtain some **credentials**. Here you have some ideas on how to do that:
Vanuit 'n Red Team perspektief, is die **eerste stap om 'n GCP omgewing te kompromitteer** om daarin te slaag om 'n paar **akkrediteer** te verkry. Hier is 'n paar idees oor hoe om dit te doen:
- **Leaks** in github (or similar) - OSINT
- **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/))
- **Password** reuse (password leaks)
- Vulnerabilities in GCP-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
- **Local File Read**
- `/home/USERNAME/.config/gcloud/*`
- `C:\Users\USERNAME\.config\gcloud\*`
- 3rd parties **breached**
- **Internal** Employee
- **Leaks** in github (of soortgelyk) - OSINT
- **Sosiale** Ingenieurswese (Kyk die bladsy [**Workspace Security**](../workspace-security/))
- **Wagwoord** hergebruik (wagwoord leaks)
- Kw vulnerabilities in GCP-gehoste toepassings
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) met toegang tot metadata eindpunt
- **Plaaslike Lêer Lees**
- `/home/USERNAME/.config/gcloud/*`
- `C:\Users\USERNAME\.config\gcloud\*`
- 3de partye **gekompromitteer**
- **Interne** Werknemer
Or by **compromising an unauthenticated service** exposed:
Of deur **'n nie-geauthentiseerde diens** bloot te stel:
{{#ref}}
gcp-unauthenticated-enum-and-access/
{{#endref}}
Or if you are doing a **review** you could just **ask for credentials** with these roles:
Of as jy 'n **hersiening** doen, kan jy net **vraag om akkrediteer** met hierdie rolle:
{{#ref}}
gcp-permissions-for-a-pentest.md
{{#endref}}
> [!NOTE]
> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
> Nadat jy daarin geslaag het om akkrediteer te verkry, moet jy weet **aan wie behoort daardie akkrediteer**, en **waartoe hulle toegang het**, so jy moet 'n paar basiese enumerasie uitvoer:
## Basic Enumeration
## Basiese Enumerasie
### **SSRF**
For more information about how to **enumerate GCP metadata** check the following hacktricks page:
Vir meer inligting oor hoe om **GCP metadata te enumerate**, kyk die volgende hacktricks bladsy:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440
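Review bot: the line "Of deur 'n nie-geauthentiseerde diens bloot te stel" inverts the meaning of "Or by compromising an unauthenticated service exposed" (it now reads "or by exposing an unauthenticated service"); suggest "Of deur 'n blootgestelde, nie-geverifieerde diens te kompromitteer". In the same hunk, the list item "Kw vulnerabilities in GCP-gehoste toepassings" is a half-translated fragment and should read "Kwesbaarhede in GCP-gehoste toepassings", and "akkrediteer" (a verb, "to accredit") is used as the noun for "credentials" here while later hunks spell it "akrediteer"; pick one noun (for example "geloofsbriewe") and use it consistently through the file.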
@@ -63,8 +63,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou
### Whoami
In GCP you can try several options to try to guess who you are:
In GCP kan jy verskeie opsies probeer om te probeer raai wie jy is:
```bash
#If you are inside a compromise machine
gcloud auth list
@@ -74,60 +73,55 @@ gcloud auth print-identity-token #Get info from the token
#If you compromised a metadata token or somehow found an OAuth token
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=<token>" https://www.googleapis.com/oauth2/v1/tokeninfo
```
You can also use the API endpoint `/userinfo` to get more info about the user:
U kan ook die API-eindpunt `/userinfo` gebruik om meer inligting oor die gebruiker te verkry:
```bash
curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth $(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/userinfo
curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth <access_token>" https://www.googleapis.com/oauth2/v1/userinfo
```
### Org Enumeration
### Organisasie Enumerasie
```bash
# Get organizations
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud resource-manager folders list --organization <org_number> # Get folders
gcloud projects list # Get projects
```
### Beginsels & IAM Enumerasie
### Principals & IAM Enumeration
As jy genoeg regte het, **sal die kontrole van die voorregte van elke entiteit binne die GCP-rekening** jou help om te verstaan wat jy en ander identiteite kan doen en hoe om **voorregte te verhoog**.
If you have enough permissions, **checking the privileges of each entity inside the GCP account** will help you understand what you and other identities can do and how to **escalate privileges**.
If you don't have enough permissions to enumerate IAM, you can **steal brute-force them** to figure them out.\
Check **how to do the numeration and brute-forcing** in:
As jy nie genoeg regte het om IAM te enumereer nie, kan jy **brute-force hulle steel** om dit uit te vind.\
Kyk **hoe om die numerasie en brute-forcing** te doen in:
{{#ref}}
gcp-services/gcp-iam-and-org-policies-enum.md
{{#endref}}
> [!NOTE]
> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
> In the following section you can check some ways to **enumerate some common services.**
> Nou dat jy **'n bietjie inligting oor jou akrediteer** het (en as jy 'n rooi span is, hoop ek jy **is nie opgespoor nie**). Dit is tyd om uit te vind watter dienste in die omgewing gebruik word.\
> In die volgende afdeling kan jy 'n paar maniere kyk om **'n paar algemene dienste te enumereer.**
## Services Enumeration
## Dienste Enumerasie
GCP has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets, how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:
GCP het 'n verbasende hoeveelheid dienste, in die volgende bladsy sal jy **basiese inligting, enumerasie** cheatsheets vind, hoe om **opsporing te vermy**, **volharding** te verkry, en ander **post-exploitatie** truuks oor sommige van hulle:
{{#ref}}
gcp-services/
{{#endref}}
Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automatic-tools).
Let daarop dat jy **nie** al die werk **handmatig** hoef te doen nie, hieronder in hierdie pos kan jy 'n **afdeling oor** [**outomatiese gereedskap**](./#automatic-tools) vind.
Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them:
Boonop, in hierdie fase mag jy **meer dienste ontdek wat aan nie-geverifieerde gebruikers blootgestel is,** jy mag in staat wees om hulle te benut:
{{#ref}}
gcp-unauthenticated-enum-and-access/
{{#endref}}
## Privilege Escalation, Post Exploitation & Persistence
## Voorreg Verhoging, Post Exploitatie & Volharding
The most common way once you have obtained some cloud credentials or have compromised some service running inside a cloud is to **abuse misconfigured privileges** the compromised account may have. So, the first thing you should do is to enumerate your privileges.
Die mees algemene manier sodra jy 'n paar wolk akrediteer verkry het of 'n paar dienste wat binne 'n wolk loop gecompromitteer het, is om **misgeconfigureerde voorregte** wat die gecompromitteerde rekening mag hê, te **misbruik**. So, die eerste ding wat jy moet doen is om jou voorregte te enumereer.
Moreover, during this enumeration, remember that **permissions can be set at the highest level of "Organization"** as well.
Boonop, tydens hierdie enumerasie, onthou dat **regte op die hoogste vlak van "Organisasie"** gestel kan word.
{{#ref}}
gcp-privilege-escalation/
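Review bot: "Beginsels" in "### Beginsels & IAM Enumerasie" means "principles", not IAM principals (users, groups, service accounts); keep the technical term "principals" or use "identiteite", which the body text of this hunk already uses ("ander identiteite"). Two smaller points: "kan jy brute-force hulle steel om dit uit te vind" translates the English typo "steal brute-force them" literally (the source means "still brute-force them"), so the Afrikaans should drop "steel"; and the two `/userinfo` curl lines differ in substance, one using `$(gcloud auth print-access-token)` and the other the placeholder `<access_token>`, so the diff changes the command itself rather than only the language. Whichever is kept, the text should say whether the reader has to fill the token in by hand.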
@@ -141,32 +135,31 @@ gcp-post-exploitation/
gcp-persistence/
{{#endref}}
### Publicly Exposed Services
### Publiek Blootgestelde Dienste
While enumerating GCP services you might have found some of them **exposing elements to the Internet** (VM/Containers ports, databases or queue services, snapshots or buckets...).\
As pentester/red teamer you should always check if you can find **sensitive information / vulnerabilities** on them as they might provide you **further access into the AWS account**.
Terwyl jy GCP dienste enumereer, mag jy sommige van hulle **elemente aan die Internet blootstel** (VM/Containers poorte, databasisse of wagdiens, snappings of emmers...).\
As pentester/red teamer moet jy altyd kyk of jy **sensitiewe inligting / kwesbaarhede** op hulle kan vind, aangesien hulle jou **verdere toegang tot die AWS-rekening** mag bied.
In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
In hierdie boek behoort jy **inligting** te vind oor hoe om **blootgestelde GCP dienste te vind en hoe om hulle te kontroleer**. Oor hoe om **kwesbaarhede in blootgestelde netwerkdienste te vind** sou ek jou aanbeveel om te **soek** vir die spesifieke **diens** in:
{{#ref}}
https://book.hacktricks.xyz/
{{#endref}}
## GCP <--> Workspace Pivoting
## GCP <--> Workspace Pivotering
**Compromising** principals in **one** platform might allow an attacker to **compromise the other one**, check it in:
**Die kompromittering** van beginsels in **een** platform mag 'n aanvaller toelaat om **die ander een te kompromitteer**, kyk dit in:
{{#ref}}
gcp-to-workspace-pivoting/
{{#endref}}
## Automatic Tools
- In the **GCloud console**, in [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) you can see resources and IAMs being used by project.
- Here you can see the assets supported by this API: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
- Check **tools** that can be [**used in several clouds here**](../pentesting-cloud-methodology.md).
- [**gcp_scanner**](https://github.com/google/gcp_scanner): This is a GCP resource scanner that can help determine what **level of access certain credentials posses** on GCP.
## Outomatiese Gereedskap
- In die **GCloud-konsol**, in [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) kan jy hulpbronne en IAM's sien wat deur die projek gebruik word.
- Hier kan jy die bates sien wat deur hierdie API ondersteun word: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
- Kyk **gereedskap** wat [**in verskeie wolke hier gebruik kan word**](../pentesting-cloud-methodology.md).
- [**gcp_scanner**](https://github.com/google/gcp_scanner): Dit is 'n GCP hulpbron skandeerder wat kan help om te bepaal watter **vlak van toegang sekere akrediteer besit** op GCP.
```bash
# Install
git clone https://github.com/google/gcp_scanner.git
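Review bot: "further access into the AWS account" / "verdere toegang tot die AWS-rekening" is a copy-paste error in a GCP page; both the English source and the translation should refer to the GCP account or project. Also, "mag jy sommige van hulle elemente aan die Internet blootstel" reads as "you may expose some of their elements to the Internet" rather than "you may find some of them exposing elements to the Internet"; suggest "mag jy vind dat sommige van hulle elemente aan die Internet blootstel". "Beginsels" for "principals" in the Workspace pivoting paragraph has the same problem as the Principals heading earlier (it means "principles").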
@@ -177,13 +170,11 @@ pip install -r requirements.txt
# Execute with gcloud creds
python3 __main__.py -o /tmp/output/ -g "$HOME/.config/gcloud"
```
- [**gcp_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash-skrip om 'n GCP-omgewing te evalueer met behulp van gcloud cli en die resultate in 'n lêer te stoor.
- [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Skripte om hoë IAM-privileges te evalueer en om privileges in GCP te verhoog deur dit te misbruik (Ek kon nie die evalueer-skrip laat loop nie).
- [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Skrip om jou toestemmings te bruteforce.
- [**gcp_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash script to enumerate a GCP environment using gcloud cli and saving the results in a file.
- [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Scripts to enumerate high IAM privileges and to escalate privileges in GCP abusing them (I couldnt make run the enumerate script).
- [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Script to bruteforce your permissions.
## gcloud config & debug
## gcloud konfigurasie & foutopsporing
```bash
# Login so gcloud can use your credentials
gcloud auth login
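Review bot: the gcp_enum and GCP-IAM-Privilege-Escalation entries translate "enumerate" as "evalueer" ("evaluate"), while the rest of the file uses "enumereer"; use "enumereer" here too so the tool descriptions match the "Enumerasie" headings, and "Ek kon nie die evalueer-skrip laat loop nie" should likewise become "die enumereer-skrip".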
@@ -198,13 +189,11 @@ gcloud auth application-default print-access-token
# Update gcloud
gcloud components update
```
### Capture gcloud, gsutil... netwerk
### Capture gcloud, gsutil... network
Remember that you can use the **parameter** **`--log-http`** with the **`gcloud`** cli to **print** the **requests** the tool is performing. If you don't want the logs to redact the token value use `gcloud config set log_http_redact_token false`
Moreover, to intercept the communication:
Onthou dat jy die **parameter** **`--log-http`** met die **`gcloud`** cli kan gebruik om die **versoeke** wat die hulpmiddel uitvoer te **druk**. As jy nie wil hê die logs moet die token waarde redigeer nie, gebruik `gcloud config set log_http_redact_token false`
Boonop, om die kommunikasie te onderskep:
```bash
gcloud config set proxy/address 127.0.0.1
gcloud config set proxy/port 8080
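Review bot: the heading "### Capture gcloud, gsutil... netwerk" is only half translated ("Capture" stays English, "network" becomes "netwerk"); suggest "### Onderskep gcloud, gsutil... netwerkverkeer", reusing the verb the paragraph below already uses ("te onderskep"), or leave the whole heading in English. Since this paragraph tells readers to run `gcloud config set log_http_redact_token false`, it is worth one extra sentence (in both languages) that this writes live access tokens into the terminal output and any saved logs, so the setting should be reverted once debugging is done.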
@@ -221,11 +210,9 @@ gcloud config unset proxy/type
gcloud config unset auth/disable_ssl_validation
gcloud config unset core/custom_ca_certs_file
```
### OAuth-token konfigureer in gcloud
### OAuth token configure in gcloud
In order to **use an exfiltrated service account OAuth token from the metadata endpoint** you can just do:
In orde om **'n uitgehaal diensrekening OAuth-token van die metadata-eindpunt te gebruik** kan jy net doen:
```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
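Review bot: "In orde om ... te gebruik kan jy net doen" is a word-for-word calque of "In order to"; Afrikaans simply uses "Om ... te gebruik, kan jy net die volgende doen". "'n uitgehaal diensrekening OAuth-token" also needs the adjectival form and a closer term for "exfiltrated", for example "'n geëksfiltreerde diensrekening-OAuth-token".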
@@ -237,13 +224,8 @@ gcloud config set auth/access_token_file /some/path/to/token
gcloud projects list
gcloud config unset auth/access_token_file
```
## References
## Verwysings
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
{{#include ../../banners/hacktricks-training.md}}