gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-03-12 21:22:57 -07:00
Code Issues Packages Projects Releases Wiki Activity

f

Browse Source
This commit is contained in:
Carlos Polop
2026-02-16 12:04:08 +01:00
parent 936fbc4285
commit cd9939def6
3 changed files with 28 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-dataflow-post-exploitation.md
View File

@@ -46,4 +46,10 @@ Dataflow templates exist to export BigQuery data. Use the appropriate template f
Streaming pipelines can read from Pub/Sub (or other sources) and write to GCS. Launch a job with a template that reads from the target Pub/Sub subscription and writes to your controlled bucket. Streaming pipelines can read from Pub/Sub (or other sources) and write to GCS. Launch a job with a template that reads from the target Pub/Sub subscription and writes to your controlled bucket.
## References
- [Dataflow templates](https://cloud.google.com/dataflow/docs/guides/templates/provided-templates)
- [Control access with IAM (Dataflow)](https://cloud.google.com/dataflow/docs/concepts/security-and-permissions)
- [GCP - Bigtable Post Exploitation](gcp-bigtable-post-exploitation.md)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}

19
src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataflow-privesc.md
View File

@@ -37,7 +37,7 @@ gcloud dataflow jobs list --region=<region>
gcloud dataflow jobs list --project=<PROJECT_ID> gcloud dataflow jobs list --project=<PROJECT_ID>
# Describe a job to get template GCS path, staging location, and any UDF/template references # Describe a job to get template GCS path, staging location, and any UDF/template references
gcloud dataflow jobs describe <JOB_ID> --region=<region> --format="yaml" gcloud dataflow jobs describe <JOB_ID> --region=<region> --full --format="yaml"
# Look for: currentState, createTime, jobMetadata, type (JOB_TYPE_STREAMING or JOB_TYPE_BATCH) # Look for: currentState, createTime, jobMetadata, type (JOB_TYPE_STREAMING or JOB_TYPE_BATCH)
# Pipeline options often include: tempLocation, stagingLocation, templateLocation, or flexTemplateGcsPath # Pipeline options often include: tempLocation, stagingLocation, templateLocation, or flexTemplateGcsPath
``` ```
@@ -99,8 +99,10 @@ def _malicious_func():
coordination_file = "/tmp/pwnd.txt" coordination_file = "/tmp/pwnd.txt"
if os.path.exists(coordination_file): if os.path.exists(coordination_file):
return return
# malicous code goes here # malicous code goes here
with open(coordination_file, "w", encoding="utf-8") as f:
f.write("done")
def transform(line): def transform(line):
# Malicous code entry point - runs per line but coordination ensures once per worker # Malicous code entry point - runs per line but coordination ensures once per worker
@@ -140,10 +142,15 @@ Add the cleanup step (`drop: [malicious_step]`) so the pipeline still writes val
from datetime import datetime from datetime import datetime
coordination_file = "/tmp/pwnd.txt" coordination_file = "/tmp/pwnd.txt"
if os.path.exists(coordination_file): if os.path.exists(coordination_file):
return return True
try: try:
import urllib.request import urllib.request
# malicious code goes here # malicious code goes here
with open(coordination_file, "w", encoding="utf-8") as f:
f.write("done")
except Exception:
pass
return True
append: true append: true
- name: CleanupTransform - name: CleanupTransform
type: MapToFields type: MapToFields
@@ -169,5 +176,9 @@ For exploitation details, see:
## References ## References
- [Dataflow Rider: How Attackers can Abuse Shadow Resources in Google Cloud Dataflow](https://www.varonis.com/blog/dataflow-rider) - [Dataflow Rider: How Attackers can Abuse Shadow Resources in Google Cloud Dataflow](https://www.varonis.com/blog/dataflow-rider)
- [Control access with IAM (Dataflow)](https://cloud.google.com/dataflow/docs/concepts/security-and-permissions)
- [gcloud dataflow jobs describe](https://cloud.google.com/sdk/gcloud/reference/dataflow/jobs/describe)
- [Apache Beam YAML: User-defined functions](https://beam.apache.org/documentation/sdks/yaml-udf/)
- [Apache Beam YAML Transform Reference](https://beam.apache.org/releases/yamldoc/current/)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}

8
src/pentesting-cloud/gcp-security/gcp-services/gcp-dataflow-enum.md
View File

@@ -12,7 +12,7 @@ A Dataflow pipeline typically includes:
**Template:** YAML or JSON definitions (and Python/Java code for flex templates) stored in GCS that define the pipeline structure and steps. **Template:** YAML or JSON definitions (and Python/Java code for flex templates) stored in GCS that define the pipeline structure and steps.
**Launcher:** A short-lived Compute Engine instance that validates the template and prepares containers before the job runs. **Launcher (Flex Templates):** A short-lived Compute Engine instance may be used for Flex Template launches to validate the template and prepare containers before the job runs.
**Workers:** Compute Engine VMs that execute the actual data processing tasks, pulling UDFs and instructions from the template. **Workers:** Compute Engine VMs that execute the actual data processing tasks, pulling UDFs and instructions from the template.
@@ -76,4 +76,10 @@ gcloud storage ls gs://<bucket>/**
../gcp-persistence/gcp-dataflow-persistence.md ../gcp-persistence/gcp-dataflow-persistence.md
{{#endref}} {{#endref}}
## References
- [Dataflow overview](https://cloud.google.com/dataflow)
- [Pipeline workflow execution in Dataflow](https://cloud.google.com/dataflow/docs/guides/pipeline-workflows)
- [Troubleshoot templates](https://cloud.google.com/dataflow/docs/guides/troubleshoot-templates)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}