gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-23 07:29:04 -08:00
Code Issues Packages Projects Releases Wiki Activity

Recreating repository history for branch master

Browse Source
This commit is contained in:
Carlos Polop
2024-12-12 19:35:48 +01:00
commit 5ef56bb6b3
1076 changed files with 67158 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md Normal file
View File

@@ -0,0 +1,137 @@
# GCP - Cloud Run Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Cloud Run <a href="#reviewing-cloud-run-configurations" id="reviewing-cloud-run-configurations"></a>
Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure.
You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.**
Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications.
### Services and jobs <a href="#services-and-jobs" id="services-and-jobs"></a>
On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.
* **Cloud Run services.** Used to run code that responds to web requests, or events.
* **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done.
## Cloud Run Service
Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
### Relevant details
* By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\
Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**.
* By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**.
* By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.**
* It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.**
* It's also possible to **add connections with Cloud SQL** and **mount a file system.**
* The **URLs** of the services deployed are similar to **`https://<svc-name>-<random>.a.run.app`**
* A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions.
### Enumeration
```bash
# List services
gcloud run services list
gcloud run services list --platform=managed
gcloud run services list --platform=gke
# Get info of a service
gcloud run services describe --region <region> <svc-name>
# Get info of all the services together
gcloud run services list --format=yaml
gcloud run services list --platform=managed --format=json
gcloud run services list --platform=gke --format=json
# Get policy
gcloud run services get-iam-policy --region <region> <svc-name>
# Get revisions
gcloud run revisions list --region <region>
gcloud run revisions describe --region <region> <revision>
# Get domains
gcloud run domain-mappings list
gcloud run domain-mappings describe <name>
# Attempt to trigger a job unauthenticated
curl <url>
# Attempt to trigger a job with your current gcloud authorization
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <url>
```
## Cloud Run Jobs
Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done.
### Enumeration
```bash
gcloud beta run jobs list
gcloud beta run jobs describe --region <region> <job-name>
gcloud beta run jobs get-iam-policy --region <region> <job-name>
```
## Privilege Escalation
In the following page, you can check how to **abuse cloud run permissions to escalate privileges**:
{% content-ref url="../gcp-privilege-escalation/gcp-run-privesc.md" %}
[gcp-run-privesc.md](../gcp-privilege-escalation/gcp-run-privesc.md)
{% endcontent-ref %}
## Unauthenticated Access
{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md" %}
[gcp-cloud-run-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
{% endcontent-ref %}
## Post Exploitation
{% content-ref url="../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md" %}
[gcp-cloud-run-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
{% endcontent-ref %}
## Persistence
{% content-ref url="../gcp-persistence/gcp-cloud-run-persistence.md" %}
[gcp-cloud-run-persistence.md](../gcp-persistence/gcp-cloud-run-persistence.md)
{% endcontent-ref %}
## References
* [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}