Recreating repository history for branch master

This commit is contained in:
Carlos Polop
2024-12-12 19:35:48 +01:00
commit 5ef56bb6b3
1076 changed files with 67158 additions and 0 deletions

# GCP - Cloud Functions Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Cloud Functions <a href="#reviewing-cloud-functions" id="reviewing-cloud-functions"></a>
[Google Cloud Functions](https://cloud.google.com/functions/) are designed to host your code, which **gets executed in response to events**, without necessitating the management of a host operating system. Additionally, these functions support **environment variables** (frequently used to pass secrets such as API keys or DB credentials), which the code can read at runtime.
### Storage
The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\
The code is stored in a bucket like one of the following (`<number>` is the project number):
* 1st gen: `gcf-sources-<number>-<region>/<function-name>-<uuid>/version-<n>/function-source.zip`
* 2nd gen: `gcf-v2-sources-<number>-<region>/<function-name>/function-source.zip`
For example:\
`gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip`
{% hint style="warning" %}
Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**.
{% endhint %}
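As an added example (not code from the page), the following Python helper takes a list of object URIs, as printed by `gsutil ls -r` or `gcloud storage ls -r` over the buckets you can read, picks out the Cloud Functions source archives that match the two naming conventions above, and keeps only the newest `version-<n>` of each 1st gen function so you know which zip to download. The listing in `SAMPLE_LISTING` is constructed for the demo (it reuses the example path above plus made-up entries); the `gcloud storage cp` lines it prints are what you would run next.

```python
import re

# Object-name conventions for Cloud Functions source archives (see the bullet list above).
# 1st gen: gcf-sources-<project-number>-<region>/<name>-<uuid>/version-<n>/function-source.zip
GEN1 = re.compile(
    r"^gs://gcf-sources-(?P<project>\d+)-(?P<region>[a-z0-9-]+)/"
    r"(?P<name>[^/]+)-(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/"
    r"version-(?P<version>\d+)/function-source\.zip$"
)
# 2nd gen: gcf-v2-sources-<project-number>-<region>/<name>/function-source.zip
GEN2 = re.compile(
    r"^gs://gcf-v2-sources-(?P<project>\d+)-(?P<region>[a-z0-9-]+)/"
    r"(?P<name>[^/]+)/function-source\.zip$"
)

# Constructed listing: what `gcloud storage ls -r gs://...` might print across a few buckets.
SAMPLE_LISTING = [
    "gs://gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip",
    "gs://gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-2/function-source.zip",
    "gs://gcf-v2-sources-645468741258-us-central1/hello-http/function-source.zip",
    "gs://some-other-bucket/backup.tar.gz",
]


def parse_source_object(uri):
    """Describe a Cloud Functions source object, or return None if the URI is not one."""
    m = GEN1.match(uri)
    if m:
        info = m.groupdict()
        info.update(gen=1, version=int(info["version"]), uri=uri)
        return info
    m = GEN2.match(uri)
    if m:
        info = m.groupdict()
        info.update(gen=2, version=None, uuid=None, uri=uri)
        return info
    return None


def latest_sources(uris):
    """Group source objects by (project, region, function) and keep the newest
    version of each 1st gen function (2nd gen functions have a single object)."""
    best = {}
    for uri in uris:
        info = parse_source_object(uri)
        if info is None:
            continue
        key = (info["project"], info["region"], info["name"])
        current = best.get(key)
        if current is None or (info["version"] or 0) > (current["version"] or 0):
            best[key] = info
    return best


def download_commands(best):
    """One `gcloud storage cp` per function, naming the local file after function and version."""
    cmds = []
    for (_, _, name), info in sorted(best.items()):
        suffix = f"-v{info['version']}" if info["version"] is not None else ""
        cmds.append(f"gcloud storage cp {info['uri']} ./{name}{suffix}.zip")
    return cmds


if __name__ == "__main__":
    for cmd in download_commands(latest_sources(SAMPLE_LISTING)):
        print(cmd)
```

Feed it the real listing (`gcloud storage ls -r 'gs://gcf-sources-*' 'gs://gcf-v2-sources-*'`) and unzip what it downloads; the archive keeps the original file names, so `main.py`/`index.js` and any committed `.env` files are right there.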
### Artifact Registry
If the Cloud Function is configured so the Docker image that gets executed is stored in an Artifact Registry repo inside the project, anyone with read access over that repo will be able to download the image and check the source code. For more info check:
{% content-ref url="gcp-artifact-registry-enum.md" %}
[gcp-artifact-registry-enum.md](gcp-artifact-registry-enum.md)
{% endcontent-ref %}
### SA
If no service account is specified, a 1st gen Cloud Function gets the **App Engine default service account** (`<project-id>@appspot.gserviceaccount.com`) attached, which by default has **Editor permissions** over the project; a 2nd gen function defaults to the **Compute Engine default service account** (`<project-number>-compute@developer.gserviceaccount.com`), which also gets Editor by default. Either way, whoever can run code in the function (or deploy code to it) inherits those permissions.
### Triggers, URL & Authentication
When a Cloud Function is created the **trigger** needs to be specified. One common one is **HTTPS**, which **creates a URL where the function** can be triggered via web browsing.\
Other triggers are Pub/Sub, Storage, Firestore...
The URL format for 1st gen functions is **`https://<region>-<project-gcp-name>.cloudfunctions.net/<func_name>`** (2nd gen functions are backed by Cloud Run and also get a `*.run.app` URL).
When the HTTPS trigger is used, it's also indicated if the **caller needs to have IAM authorization** to call the Function (the invoker role: `roles/cloudfunctions.invoker`, or `roles/run.invoker` for 2nd gen) or if **everyone** (`allUsers`) can just call it:
<figure><img src="../../../.gitbook/assets/image (19).png" alt=""><figcaption></figcaption></figure>
### Inside the Cloud Function
The code is **downloaded inside** the folder **`/workspace`** with the same file names as the ones the files have in the Cloud Function and is executed with the user `www-data`.\
The disk **isn't mounted as read-only.**
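To confirm those runtime facts from inside a function you control, here is an added Python HTTP function (example code, not from the page): it reports the user it runs as, the contents of `/workspace`, whether it can actually write there, the names of the environment variables, and the service account the metadata server serves. `main` is the assumed entry point name (`--entry-point main` at deploy time); the metadata lookup is skipped when the server is unreachable, so the report still works off GCP.

```python
import json
import os
import urllib.request

try:
    import pwd  # Unix only; the Cloud Functions runtime is Linux
except ImportError:
    pwd = None

# The metadata server hands out the identity (and tokens) of the attached service account.
METADATA_SA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"


def _metadata(path, timeout=2):
    """Fetch one attribute of the default service account; None when not on GCP."""
    req = urllib.request.Request(METADATA_SA + path, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except Exception:
        return None


def _can_write(path):
    """Probe with a real file write: os.access() alone can lie on overlay/container filesystems."""
    probe = os.path.join(path, ".write-probe")
    try:
        with open(probe, "w") as fh:
            fh.write("x")
        os.remove(probe)
        return True
    except OSError:
        return False


def runtime_report(workspace="/workspace", query_metadata=True):
    """Collect the facts described above: running user, deployed files, writability,
    env var names (values are deliberately not included) and the service account."""
    uid = getattr(os, "getuid", lambda: -1)()
    try:
        user = pwd.getpwuid(uid).pw_name if pwd else str(uid)
    except KeyError:  # uid without a passwd entry (minimal containers)
        user = str(uid)
    files = sorted(os.listdir(workspace)) if os.path.isdir(workspace) else []
    report = {
        "user": user,
        "uid": uid,
        "workspace": workspace,
        "files": files,
        "workspace_writable": os.path.isdir(workspace) and _can_write(workspace),
        "env_names": sorted(os.environ),
    }
    if query_metadata:
        report["service_account"] = _metadata("email")
    return report


def main(request):
    """HTTP entry point: deploy, then `curl` the function URL to read the report."""
    return json.dumps(runtime_report(), indent=2)
```

Because the disk is writable, the same function can also drop or modify files under `/workspace`, but remember that each instance is ephemeral: persistence has to go through the deployment, not the filesystem (see the Persistence page below).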
### Enumeration
```bash
# List functions (use --regions <region> to narrow results)
gcloud functions list
# Check triggers (httpsTrigger / eventTrigger), runtime, source location, attached SA and env vars
gcloud functions describe <func_name> --region <region>
# Who can invoke it? Look for allUsers / allAuthenticatedUsers bound to an invoker role
gcloud functions get-iam-policy <func_name> --region <region>
# Get logs of previous runs. By default, limits to 10 lines
gcloud functions logs read <func_name> --limit <NUMBER>
# Call a function
curl https://<region>-<project>.cloudfunctions.net/<func_name>
gcloud functions call <func_name> --data='{"message": "Hello World!"}'
# If you know the name of projects you could try to BF cloud functions names
# Get events that could be used to trigger a cloud function
gcloud functions event-types list
# Access function with authentication (identity token of the current gcloud principal)
curl -X POST https://<region>-<project>.cloudfunctions.net/<func_name> \
  -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
  -H "Content-Type: application/json" \
  -d '{}'
```
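The triage a practitioner does after `describe` and `get-iam-policy`, as an added Python example (not from the page): it consumes the `--format=json` output of both commands, extracts the URL and trigger, flags public invocation (`allUsers` / `allAuthenticatedUsers` bound to an invoker role) and default service accounts, and suggests the matching `curl`. The two description/policy pairs below are constructed for the demo; the field names (`httpsTrigger.url`, `eventTrigger.eventType`, `serviceAccountEmail` for 1st gen, `serviceConfig.uri` / `serviceConfig.serviceAccountEmail` for 2nd gen) are the ones `gcloud` prints, and `from_gcloud` is the only part that talks to the real CLI.

```python
import json
import subprocess

# Roles that grant invocation: 1st gen functions use roles/cloudfunctions.invoker,
# 2nd gen (Cloud Run backed) use roles/run.invoker.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed: 1st gen HTTPS function, open to everyone, running as the App Engine default SA.
SAMPLE_DESCRIBE_GEN1 = {
    "name": "projects/my-proj/locations/us-central1/functions/function-1",
    "httpsTrigger": {"url": "https://us-central1-my-proj.cloudfunctions.net/function-1"},
    "serviceAccountEmail": "my-proj@appspot.gserviceaccount.com",
}
SAMPLE_POLICY_GEN1 = {"bindings": [
    {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
    {"role": "roles/cloudfunctions.developer", "members": ["user:alice@example.com"]},
]}

# Constructed: 2nd gen Pub/Sub-triggered function, one named invoker, Compute default SA.
SAMPLE_DESCRIBE_GEN2 = {
    "name": "projects/my-proj/locations/us-central1/functions/hello-pubsub",
    "eventTrigger": {"eventType": "google.cloud.pubsub.topic.v1.messagePublished"},
    "serviceConfig": {
        "uri": "https://hello-pubsub-abc123-uc.a.run.app",
        "serviceAccountEmail": "123456789012-compute@developer.gserviceaccount.com",
    },
}
SAMPLE_POLICY_GEN2 = {"bindings": [
    {"role": "roles/run.invoker", "members": ["serviceAccount:caller@my-proj.iam.gserviceaccount.com"]},
]}


def invoke_exposure(policy):
    """Split invoker-role members into public principals and named ones."""
    public, named = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") not in INVOKER_ROLES:
            continue
        for member in binding.get("members", []):
            (public if member in PUBLIC_MEMBERS else named).add(member)
    return public, named


def is_default_sa(email):
    """Default SAs (Editor on the project unless hardened) are the ones worth stealing tokens from."""
    return bool(email) and (email.endswith("@appspot.gserviceaccount.com")
                            or email.endswith("-compute@developer.gserviceaccount.com"))


def curl_hint(url, public):
    if not url:
        return None
    if public:
        return f"curl {url}"
    return f'curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" {url}'


def summarize(description, policy):
    """Triage one function from its describe + IAM policy JSON."""
    event = description.get("eventTrigger") or {}
    svc = description.get("serviceConfig") or {}
    url = ((description.get("httpsTrigger") or {}).get("url")
           or description.get("url") or svc.get("uri"))
    sa = description.get("serviceAccountEmail") or svc.get("serviceAccountEmail")
    public, named = invoke_exposure(policy)
    return {
        "name": description.get("name"),
        "url": url,
        "trigger": event.get("eventType", "https"),
        "service_account": sa,
        "default_sa": is_default_sa(sa),
        "public": sorted(public),
        "invokers": sorted(named),
        "curl": curl_hint(url, bool(public)),
    }


def from_gcloud(name, region):
    """Run the two gcloud commands for a real function and triage their JSON output."""
    def run(*args):
        out = subprocess.run(["gcloud", "functions", *args, name, "--region", region,
                              "--format=json"], check=True, capture_output=True, text=True)
        return json.loads(out.stdout)
    return summarize(run("describe"), run("get-iam-policy"))


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_DESCRIBE_GEN1, SAMPLE_POLICY_GEN1), indent=2))
    print(json.dumps(summarize(SAMPLE_DESCRIBE_GEN2, SAMPLE_POLICY_GEN2), indent=2))
```

Run it over every function from `gcloud functions list` in each region; a hit with `public: ["allUsers"]` plus `default_sa: true` is code anyone on the internet can execute under an Editor-level identity.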
### Privilege Escalation
In the following page, you can check how to **abuse cloud function permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md" %}
[gcp-cloudfunctions-privesc.md](../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md)
{% endcontent-ref %}
### Unauthenticated Access
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md" %}
[gcp-cloud-functions-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md" %}
[gcp-cloud-functions-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md)
{% endcontent-ref %}
### Persistence
{% content-ref url="../gcp-persistence/gcp-cloud-functions-persistence.md" %}
[gcp-cloud-functions-persistence.md](../gcp-persistence/gcp-cloud-functions-persistence.md)
{% endcontent-ref %}
## References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)