gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-05 19:32:24 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-s

Browse Source
This commit is contained in:
Translator
2025-02-21 11:05:14 +00:00
parent 67a902b5c8
commit c2f71e612a
1 changed files with 90 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistence.md Normal file
View File

@@ -0,0 +1,90 @@
# GCP - Token Persistence
{{#include ../../../banners/hacktricks-training.md}}
### Authenticated User Tokens
Ili kupata **token ya sasa** ya mtumiaji unaweza kukimbia:
```bash
sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"
```
Angalia katika ukurasa huu jinsi ya **kutumia moja kwa moja tokeni hii kwa kutumia gcloud**:
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp
{{#endref}}
Ili kupata maelezo ya **kuunda tokeni mpya ya ufikiaji** endesha:
```bash
sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"
```
Ni pia inawezekana kupata refresh tokens katika **`$HOME/.config/gcloud/application_default_credentials.json`** na katika **`$HOME/.config/gcloud/legacy_credentials/*/adc.json`**.
Ili kupata access token mpya iliyosasishwa kwa kutumia **refresh token**, client ID, na client secret endesha:
```bash
curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```
Uhalali wa refresh tokens unaweza kudhibitiwa katika **Admin** > **Security** > **Google Cloud session control**, na kwa default umewekwa kwa masaa 16 ingawa unaweza kuwekwa kutokufa milele:
<figure><img src="../../../images/image (11).png" alt=""><figcaption></figcaption></figure>
### Auth flow
Mchakato wa uthibitishaji unapokuwa ukitumia kitu kama `gcloud auth login` utafungua dirisha katika kivinjari na baada ya kukubali maeneo yote kivinjari kitatumia ombi kama hili kwa bandari ya http iliyofunguliwa na chombo:
```
/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1
```
Kisha, gcloud itatumia hali na msimbo pamoja na `client_id` (`32555940559.apps.googleusercontent.com`) na **`client_secret`** (`ZmssLNjJy2998hD4CTg2ejr2`) kupata **data ya mwisho ya refresh token**.
> [!CAUTION]
> Kumbuka kwamba mawasiliano na localhost yako katika HTTP, hivyo inawezekana kukamata data ili kupata refresh token, hata hivyo data hii ni halali mara 1 tu, hivyo hii itakuwa haina maana, ni rahisi tu kusoma refresh token kutoka kwenye faili.
### OAuth Scopes
Unaweza kupata scopes zote za Google katika [https://developers.google.com/identity/protocols/oauth2/scopes](https://developers.google.com/identity/protocols/oauth2/scopes) au kupata hizo kwa kutekeleza:
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-A/\-\._]*' | sort -u
```
Inawezekana kuona ni mipaka gani programu ambayo **`gcloud`** inatumia kuidhinisha inaweza kusaidia kwa kutumia skripti hii:
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope \r"
if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
echo ""
echo $scope
fi
done
```
Baada ya kuitekeleza, ilikaguliwa kwamba programu hii inasaidia maeneo haya:
```
https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email
```
ni ya kuvutia kuona jinsi programu hii inavyounga mkono **`drive`** scope, ambayo inaweza kumruhusu mtumiaji kupandisha kutoka GCP hadi Workspace ikiwa mshambuliaji atafanikiwa kumlazimisha mtumiaji kuunda tokeni yenye scope hii.
**Angalia jinsi ya** [**kudhulumu hii hapa**](../gcp-to-workspace-pivoting/index.html#abusing-gcloud)**.**
### Akaunti za Huduma
Kama ilivyo kwa watumiaji walioidhinishwa, ikiwa utafanikiwa **kudhulumu faili ya ufunguo wa faragha** ya akaunti ya huduma utaweza **kuipata kawaida kwa muda wote unavyotaka**.\
Hata hivyo, ikiwa utaiba **tokeni ya OAuth** ya akaunti ya huduma hii inaweza kuwa ya kuvutia zaidi, kwa sababu, hata kama kwa kawaida tokeni hizi zinatumika kwa saa moja tu, ikiwa **mhasiriwa atafuta ufunguo wa faragha wa api, tokeni ya OAuh itabaki kuwa halali hadi itakapokwisha**.
### Metadata
Kwa wazi, kadri unavyokuwa ndani ya mashine inayofanya kazi katika mazingira ya GCP utaweza **kupata akaunti ya huduma iliyoambatanishwa na mashine hiyo kwa kuwasiliana na mwisho wa metadata** (zingatia kwamba tokeni za Oauth unazoweza kupata katika mwisho huu kwa kawaida zinapunguziliwa mbali na scopes).
### Marekebisho
Marekebisho kadhaa kwa mbinu hizi yanaelezwa katika [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
### Marejeleo
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1)
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
{{#include ../../../banners/hacktricks-training.md}}