mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-07-11 22:52:03 -07:00
translate everything
This commit is contained in:
@@ -243,3 +243,7 @@ gcloud config unset auth/access_token_file
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -228,3 +228,7 @@ As defined by terraform in [https://registry.terraform.io/providers/hashicorp/go
|
||||
- [https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -151,3 +151,7 @@ jobs:
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -142,3 +142,7 @@ roles/iam.securityReviewer
|
||||
roles/iam.organizationRoleViewer
|
||||
roles/bigquery.metadataViewer
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,2 +1,6 @@
|
||||
# GCP - Persistence
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,7 @@ Check how to do this in:
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,7 @@ If yoi could just modify the code of a running version or create a new one yo co
|
||||
**Every version of the web application is going to be run**, if you find that an App Engine project is running several versions, you could **create a new one** with your **backdoor** code, and then **create a new legit** one so the last one is the legit but there will be a **backdoored one also running**.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -40,3 +40,7 @@ https://book.hacktricks.xyz/pentesting-web/dependency-confusion
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,7 @@ Grant further access over datasets, tables, rows and columns to compromised user
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -17,3 +17,7 @@ For more info about Cloud Functions check:
|
||||
- **Trigger** a Cloud Function when something happens to infect something
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,3 +23,7 @@ Make a Service publicly accessible
|
||||
Create a backdoored Service or Job
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -67,3 +67,7 @@ But you can find further information in [https://github.com/FrancescoDiSalesGith
|
||||
- [https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/](https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -35,3 +35,7 @@ For more information check the technique in:
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -17,3 +17,7 @@ For more informatoin about Compute and VPC (Networking) check:
|
||||
- Create new accessible instance with a privileged SA
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -51,3 +51,7 @@ gcloud dataflow $NAME_TEMPLATE run testing \
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,7 @@ gcp-filestore-persistence.md
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,7 @@ gcloud logging sinks create <sink-name> <destination> --log-filter="FILTER_CONDI
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -102,3 +102,7 @@ Some remediations for these techniques are explained in [https://www.netskope.co
|
||||
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -20,3 +20,7 @@ An attacker could update the secret to:
|
||||
- **Modify the rotation code being executed.** This happens in a different service, probably in a Cloud Function, so the attacker will need privileged access over the Cloud Function or any other service.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -36,3 +36,7 @@ Another exploit script for this method can be found [here](https://github.com/Rh
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,2 +1,6 @@
|
||||
# GCP - Post Exploitation
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -41,3 +41,7 @@ The source code of all the versions and services are **stored in the bucket** wi
|
||||
Modify source code to steal credentials if they are being sent or perform a defacement web attack.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -19,3 +19,7 @@ The Post Exploitation and Privesc techniques of Artifact Registry were mixed in:
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -27,3 +27,7 @@ curl -X POST \
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -126,3 +126,7 @@ def injection():
|
||||
except Exception as e:
|
||||
return str(e)
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -21,3 +21,7 @@ If the images are stored in repos inside the service Artifact Registry and the u
|
||||
Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -100,3 +100,7 @@ cd ngrok;./ngrok tcp 3128
|
||||
The instructions were copied from [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Check that page for other crazy ideas to run any kind of software (databases and even windows) in Cloud Shell.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -101,3 +101,7 @@ gcloud sql databases delete <db-name> --instance <instance-id>
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -118,3 +118,7 @@ Mount the disk inside the VM:
|
||||
If you **cannot give access to a external project** to the snapshot or disk, you might need to p**erform these actions inside an instance in the same project as the snapshot/disk**.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -98,3 +98,7 @@ gcloud filestore backups create <back-name> \
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,3 +27,7 @@ If you succeeded here, try **accessing the web interface** and exploring from th
|
||||
This is the **highest level you can assign using the gcloud tool**.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -255,3 +255,7 @@ print('Verified:', verified)
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -131,3 +131,7 @@ gcloud logging sinks update SINK_NAME --no-use-partitioned-tables
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -112,3 +112,7 @@ gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -138,3 +138,7 @@ gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -20,3 +20,7 @@ gcloud secrets versions access 1 --secret="<secret_name>"
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -56,3 +56,7 @@ gcloud scc findings update `myFinding` --organization=123456 --source=5678 --sta
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -32,3 +32,7 @@ If you try to give **ACLs to a bucket with disabled ACLs** you will find this er
|
||||
To access open buckets via browser, access the URL `https://<bucket_name>.storage.googleapis.com/` or `https://<bucket_name>.storage.googleapis.com/<object_name>`
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -19,3 +19,7 @@ The post exploitation techniques are actually the same ones as the ones shared i
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -72,3 +72,7 @@ gcp-local-privilege-escalation-ssh-pivoting.md
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -76,3 +76,7 @@ Check the following page to learn how to do this, although this action belongs t
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -110,3 +110,7 @@ Even though App Engine creates docker images inside Artifact Registry. It was te
|
||||
It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -171,3 +171,7 @@ Even though App Engine creates docker images inside Artifact Registry. It was te
|
||||
It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -56,3 +56,7 @@ EOD
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -114,3 +114,7 @@ bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-na
|
||||
> Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However this is prevented by bigquery.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -24,3 +24,7 @@ gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --displa
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -60,3 +60,7 @@ curl -X GET \
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -109,3 +109,7 @@ When a Cloud Function is created a new docker image is pushed to the Artifact Re
|
||||
- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -32,3 +32,7 @@ gcloud identity groups memberships modify-membership-roles --group-email <email>
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -115,3 +115,7 @@ gcloud auth activate-service-account --key-file=/tmp/lab.json
|
||||
- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -123,3 +123,7 @@ TODO: Check what is possible to compromise by uploading plugins
|
||||
TODO: Check what is possible to compromise by uploading data
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -146,3 +146,7 @@ Following this link you find some [**ideas to try to bypass access scopes**](../
|
||||
- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -98,3 +98,7 @@ It's possible to broaden the reach of SSH access to multiple Virtual Machines (V
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -89,3 +89,7 @@ These permissions might allow you to escalate privileges in Kubernetes, but more
|
||||
For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller).
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -27,3 +27,7 @@ This is like the previous abuse but instead of directly creating a new deploymen
|
||||
- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -142,3 +142,7 @@ You can find an example on how to create and OpenID token behalf a service accou
|
||||
- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -86,3 +86,7 @@ gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
|
||||
Replace `[YOUR_PROJECT_ID]` and `[SERVICE_ACCOUNT_EMAIL]` with your project ID and the email of the service account, respectively.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -96,3 +96,7 @@ grep -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' \
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,3 +23,7 @@ These permissions can be very useful to try to escalate privileges in resources
|
||||
This permission will usually let you **access or modify a Service Account in some resource** (e.g.: compute.instances.setServiceAccount). This **could lead to a privilege escalation** vector, but it will depend on each case.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -54,3 +54,7 @@ This step authorizes the public key, enabling SSH connection with the correspond
|
||||
- [https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,3 +23,7 @@ A python script for this method can be found [here](https://github.com/RhinoSecu
|
||||
- [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -35,3 +35,7 @@ Access messages using the subscription.
|
||||
Give yourself any of the preiovus permissions
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -17,3 +17,7 @@ Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission
|
||||
Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **project** level. So, you can follow the same exploitation example.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -87,3 +87,7 @@ gcloud beta run jobs execute job-name --region <region> --update-env-vars="PYTHO
|
||||
- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -36,3 +36,7 @@ gcloud secrets add-iam-policy-binding <scret-name> \
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -55,3 +55,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -85,3 +85,7 @@ gcloud source project-configs update --remove-topic=UPDATE_TOPIC
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -115,3 +115,7 @@ The mentioned attack can be performed in a lot of different ways, all of them st
|
||||
- [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -105,3 +105,7 @@ According [**to the docs**](https://cloud.google.com/workflows/docs/authenticate
|
||||
With this permission instead of `workflows.workflows.create` it's possible to update an already existing workflow and perform the same attacks.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,2 +1,6 @@
|
||||
# GCP - Services
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -20,3 +20,7 @@ gcloud ai-platform jobs describe <job>
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -42,3 +42,7 @@ gcloud services api-keys list --show-deleted
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -115,3 +115,7 @@ gcloud app ssl-certificates describe <name>
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -90,3 +90,7 @@ gcloud artifacts docker images list-vulnerabilities projects/<proj-name>/locatio
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -33,3 +33,7 @@ gcloud batch tasks describe projects/<proj-number>/locations/<location>/jobs/<jo
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -227,3 +227,7 @@ SELECT catalog_name, schema_name, NULL FROM <project-name>.INFORMATION_SCHEMA.SC
|
||||
- [https://cloud.google.com/bigquery/docs/column-level-security-intro](https://cloud.google.com/bigquery/docs/column-level-security-intro)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -30,3 +30,7 @@ gcloud bigtable app-profiles describe --instance <INSTANCE> <app-prof>
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -169,3 +169,7 @@ done
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -106,3 +106,7 @@ In the following page, you can check how to **abuse cloud function permissions t
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -109,3 +109,7 @@ In the following page, you can check how to **abuse cloud run permissions to esc
|
||||
- [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -44,3 +44,7 @@ gcloud scheduler jobs describe --location us-central1 <scheduler-name>
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -26,3 +26,7 @@ Note that Cloud Shell can be **easily disabled** for the organization.
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -87,3 +87,7 @@ gcloud sql backups describe <backup-name> --instance <intance-name>
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -41,3 +41,7 @@ In the following page you can check how to **abuse composer permissions to escal
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -229,3 +229,7 @@ Check the Compute Instances privilege escalation section.
|
||||
- [https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -101,3 +101,7 @@ A Google-managed encryption key is used by default a but a Customer-managed encr
|
||||
<figure><img src="../../../../images/image (329).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+4
@@ -83,3 +83,7 @@ These are the needed permissions:
|
||||
- [https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation](https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -102,3 +102,7 @@ curl -v -k http://10.124.200.1:10255/pods
|
||||
Even if the API **doesn't allow to modify resources**, it could be possible to find **sensitive information** in the response. The endpoint /pods was found using [**Kiterunner**](https://github.com/assetnote/kiterunner).
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,3 +23,7 @@ gcloud dns policies list
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -72,3 +72,7 @@ There aren't ways to escalate privileges in GCP directly abusing this service, b
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -75,3 +75,7 @@ You may be able to access some interesting information
|
||||
- [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -15,3 +15,7 @@ gcloud firestore export gs://my-source-project-export/export-20190113_2109 --col
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -224,3 +224,7 @@ In the following page you can check how to **abuse org policies permissions to e
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -80,3 +80,7 @@ gcloud kms decrypt --ciphertext-file=[INFILE] \
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -144,3 +144,7 @@ There aren't logs of **`testIamPermissions`**:
|
||||
- [https://betterstack.com/community/guides/logging/gcp-logging/](https://betterstack.com/community/guides/logging/gcp-logging/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,3 +19,7 @@ gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-inst
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -55,3 +55,7 @@ gcloud alpha monitoring channels describe <channel>
|
||||
- [https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli](https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -92,3 +92,7 @@ gcloud pubsub lite-operations describe <topic>
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -51,3 +51,7 @@ In the following page you can check how to **abuse secretmanager permissions to
|
||||
An attacker could update the secret to **stop rotations** (so it won't be modified), or **make rotations much less often** (so the secret won't be modified) or to **publish the rotation message to a different pub/sub**, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -90,3 +90,7 @@ gcp-secrets-manager-enum.md
|
||||
- **Access Context Manager**: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user