# GCP Pentesting

{{#include ../../banners/hacktricks-training.md}}

## Basic Information

**Before starting to pentest** a **GCP** environment, there are a few **things you need to know** about how it works, so that you understand what you need to do, how to find misconfigurations and how to exploit them. Concepts such as the **organization hierarchy**, **permissions** and other basics are explained in:

{{#ref}}
gcp-basic-information/
{{#endref}}

## Labs to learn

- [https://gcpgoat.joshuajebaraj.com/](https://gcpgoat.joshuajebaraj.com/)
- [https://github.com/ine-labs/GCPGoat](https://github.com/ine-labs/GCPGoat)
- [https://github.com/lacioffi/GCP-pentest-lab/](https://github.com/lacioffi/GCP-pentest-lab/)
- [https://github.com/carlospolop/gcp_privesc_scripts](https://github.com/carlospolop/gcp_privesc_scripts)

## GCP Pentester/Red Team Methodology

In order to audit a GCP environment it is very important to know: which **services are being used**, what is being **exposed**, who has **access** to what, and how internal GCP services and **external services** are connected.

From a Red Team point of view, the **first step to compromise a GCP environment** is to manage to obtain some **credentials**.
Here are some ideas on how to do that:

- **Leaks** in github (or similar) - OSINT
- **Social** Engineering (check the page [**Workspace Security**](../workspace-security/))
- **Password** reuse (password leaks)
- Vulnerabilities in GCP-hosted applications
  - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to the metadata endpoint
  - **Local File Read**
    - `/home/USERNAME/.config/gcloud/*`
    - `C:\Users\USERNAME\.config\gcloud\*`
- 3rd parties **breached**
- **Internal** Employee

Or by **compromising an exposed unauthenticated service**:

{{#ref}}
gcp-unauthenticated-enum-and-access/
{{#endref}}

Or, if you are doing a **review**, you could just **ask for credentials** with these roles:

{{#ref}}
gcp-permissions-for-a-pentest.md
{{#endref}}

> [!NOTE]
> After you have managed to obtain credentials, you need to know **who those creds belong to** and **what they have access to**, so you need to perform some basic enumeration:

## Basic Enumeration

### **SSRF**

For more information about how to **enumerate GCP metadata** check the following hacktricks page:

{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440
{{#endref}}

### Whoami

In GCP you can try several options to figure out who you are:

```bash
# If you are inside a compromised machine
gcloud auth list
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo
gcloud auth print-identity-token # Get info from the token

# If you compromised a metadata token or somehow found an OAuth token
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=<token>" https://www.googleapis.com/oauth2/v1/tokeninfo
```

You can also use the `/userinfo` API endpoint to get more information about the user:

```bash
curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth $(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/userinfo
curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth <token>" https://www.googleapis.com/oauth2/v1/userinfo
```

### Org Enumeration

```bash
# Get organizations (the DIRECTORY_CUSTOMER_ID is the Workspace ID)
gcloud organizations list
# Get folders
gcloud resource-manager folders list --organization <organization-id>
# Get projects
gcloud projects list
```

### Principals & IAM Enumeration

If you have enough permissions, **checking the privileges of each entity inside the GCP account** will help you understand what you and other identities can do and how to **escalate privileges**.

If you don't have enough permissions to enumerate IAM, you can **brute-force** them to find out.\
Check **how to do the enumeration and the brute-forcing** in:

{{#ref}}
gcp-services/gcp-iam-and-org-policies-enum.md
{{#endref}}

> [!NOTE]
> Now that **you have some information about your credentials** (and, if you are a red team, hopefully you **haven't been detected**), it's time to figure out which services are being used in the environment.\
> In the following section you can check several ways to **enumerate some common services.**

## Services Enumeration

GCP has a large number of services; in the following page you will find **basic information, enumeration** cheatsheets, how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them:

{{#ref}}
gcp-services/
{{#endref}}

Note that you **don't need** to perform all the work **manually**; further down in this post you can find a **section about** [**automatic tools**](./#automatic-tools).
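The Whoami section above leaves you with the raw JSON that `https://www.googleapis.com/oauth2/v1/tokeninfo` returns for an access token. The following Python is an added example (not code from the HackTricks page) that turns that response into the answers the text asks for: whose token it is, whether the principal is a service account, which scopes it carries and how long it remains valid. The field names (`email`, `scope`, `expires_in`, `error`) are the ones the v1 tokeninfo endpoint really returns; the sample response embedded below is constructed, as is the `BROAD_SCOPES` list used to flag tokens whose API reach is limited only by IAM.

```python
"""Summarise a GCP OAuth tokeninfo response (the "whoami" step).

Added example, not part of the HackTricks page. Paste the JSON body returned
by the tokeninfo endpoint into summarize_tokeninfo(); the SAMPLE_TOKENINFO
document below is a constructed stand-in for that body.
"""
import json
from dataclasses import dataclass, field

# Scopes that give broad API access: with one of these, what the token can do
# is decided purely by the principal's IAM roles (assumption: list chosen here).
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/cloud-platform.read-only",
}


@dataclass
class TokenSummary:
    principal: str
    is_service_account: bool
    scopes: list
    expires_in: int                       # seconds until the token stops working
    broad_scopes: list = field(default_factory=list)


def summarize_tokeninfo(raw_json: str) -> TokenSummary:
    """Parse a tokeninfo JSON body. Raises ValueError for the endpoint's error shape."""
    info = json.loads(raw_json)
    if "error" in info:                   # e.g. {"error": "invalid_token", ...}
        raise ValueError(f"tokeninfo rejected the token: {info['error']}")
    # The email claim is only present when the token carries userinfo.email.
    principal = info.get("email", "<no email claim: token lacks the userinfo.email scope>")
    scopes = sorted(info.get("scope", "").split())
    return TokenSummary(
        principal=principal,
        is_service_account=principal.endswith(".gserviceaccount.com"),
        scopes=scopes,
        expires_in=int(info.get("expires_in", 0)),
        broad_scopes=[s for s in scopes if s in BROAD_SCOPES],
    )


def describe(s: TokenSummary) -> str:
    """Human-readable report of a TokenSummary."""
    kind = "service account" if s.is_service_account else "user"
    lines = [
        f"principal : {s.principal} ({kind})",
        f"expires in: {s.expires_in // 60} min {s.expires_in % 60} s",
        f"scopes    : {len(s.scopes)}",
    ]
    lines += [f"  - {sc}" for sc in s.scopes]
    if s.broad_scopes:
        lines.append("note: broad scope present; API access is bounded only by the principal's IAM roles")
    return "\n".join(lines)


# Constructed sample of a tokeninfo response for a service-account token.
SAMPLE_TOKENINFO = json.dumps({
    "issued_to": "000000000000.apps.googleusercontent.com",
    "audience": "000000000000.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/cloud-platform "
             "https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3210,
    "email": "build-sa@example-project.iam.gserviceaccount.com",
    "verified_email": True,
    "access_type": "online",
})

if __name__ == "__main__":
    print(describe(summarize_tokeninfo(SAMPLE_TOKENINFO)))
```

A short `expires_in` tells you the token came from a metadata server or a short-lived flow and will need refreshing; a missing `email` claim means the tokeninfo endpoint cannot name the principal, so fall back to `gcloud auth list` or the `/userinfo` endpoint shown above.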
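The Org Enumeration section above gives three `gcloud` commands whose output you normally read by eye. The Python below is an added example (not code from the HackTricks page) that rebuilds the organization -> folders -> projects tree from those commands run with `--format=json`, and prints the ancestry of any project, which is what you need when checking where an IAM binding could have been inherited from. The three JSON documents are constructed samples that follow the shape `gcloud organizations list`, `gcloud resource-manager folders list` and `gcloud projects list` print; the function and variable names are this example's own.

```python
"""Rebuild the GCP resource hierarchy from gcloud --format=json output.

Added example, not part of the HackTricks page. The three JSON strings are
constructed samples in the shape of:
  gcloud organizations list --format=json
  gcloud resource-manager folders list --organization <id> --format=json
  gcloud projects list --format=json
"""
import json
from collections import defaultdict

ORGS_JSON = json.dumps([
    {"name": "organizations/123456789012", "displayName": "example.com",
     "owner": {"directoryCustomerId": "C0example"}},
])
FOLDERS_JSON = json.dumps([
    {"name": "folders/111", "displayName": "prod", "parent": "organizations/123456789012"},
    {"name": "folders/222", "displayName": "prod-data", "parent": "folders/111"},
])
PROJECTS_JSON = json.dumps([
    {"projectId": "billing-prod", "name": "billing", "projectNumber": "1",
     "parent": {"type": "folder", "id": "222"}, "lifecycleState": "ACTIVE"},
    {"projectId": "shared-vpc", "name": "shared-vpc", "projectNumber": "2",
     "parent": {"type": "organization", "id": "123456789012"}, "lifecycleState": "ACTIVE"},
    # No "parent" key: a project that lives outside any organization.
    {"projectId": "orphan-sandbox", "name": "sandbox", "projectNumber": "3",
     "lifecycleState": "ACTIVE"},
])

ROOT = "ROOT"                       # synthetic root above all organizations
NO_ORG = "NO-ORGANIZATION"          # synthetic parent for parentless projects


def build_hierarchy(orgs_json, folders_json, projects_json):
    """Return (children, labels): children maps a resource name to its child names."""
    children = defaultdict(list)
    labels = {}
    for org in json.loads(orgs_json):
        customer = org.get("owner", {}).get("directoryCustomerId", "?")
        labels[org["name"]] = f'{org["displayName"]} (Workspace customer {customer})'
        children[ROOT].append(org["name"])
    for folder in json.loads(folders_json):
        labels[folder["name"]] = folder["displayName"]
        children[folder["parent"]].append(folder["name"])
    for proj in json.loads(projects_json):
        name = f'projects/{proj["projectId"]}'
        labels[name] = f'{proj["name"]} [{proj["lifecycleState"]}]'
        parent = proj.get("parent")
        # gcloud gives {"type": "folder"|"organization", "id": "..."}; turn it
        # into the "folders/ID" / "organizations/ID" form folders already use.
        parent_name = f'{parent["type"]}s/{parent["id"]}' if parent else NO_ORG
        children[parent_name].append(name)
    if children.get(NO_ORG):
        children[ROOT].append(NO_ORG)
        labels[NO_ORG] = "projects with no parent (outside any organization)"
    return children, labels


def ancestry(children, resource):
    """Chain from the organization down to `resource`, e.g. [org, folder, project]."""
    parent_of = {c: p for p, cs in children.items() for c in cs}
    chain = [resource]
    while resource in parent_of and parent_of[resource] not in (ROOT, NO_ORG):
        resource = parent_of[resource]
        chain.append(resource)
    return list(reversed(chain))


def render(children, labels, node=ROOT, depth=0):
    """Indented text tree, one line per resource."""
    lines = []
    for child in sorted(children.get(node, [])):
        lines.append("  " * depth + f"{child}  {labels.get(child, '')}")
        lines.extend(render(children, labels, child, depth + 1))
    return lines


if __name__ == "__main__":
    ch, lb = build_hierarchy(ORGS_JSON, FOLDERS_JSON, PROJECTS_JSON)
    print("\n".join(render(ch, lb)))
    print(" > ".join(ancestry(ch, "projects/billing-prod")))
```

`gcloud resource-manager folders list` only returns the direct children of the parent you pass, so to feed nested folders into `FOLDERS_JSON` you repeat it with `--folder <folder-id>` for each folder found and concatenate the results. Projects that end up under the synthetic `NO-ORGANIZATION` node inherit nothing from any organization or folder policy, which is worth noting in a review.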
Moreover, at this stage you might discover **more services exposed to unauthenticated users**, and you may be able to exploit them:

{{#ref}}
gcp-unauthenticated-enum-and-access/
{{#endref}}

## Privilege Escalation, Post Exploitation & Persistence

The most common approach once you have obtained some cloud credentials or compromised some service running inside the cloud is to **abuse misconfigured privileges** that the compromised account may have. So, the first thing you should do is enumerate your privileges.

Moreover, during this enumeration, remember that **permissions can also be set at the top "Organization" level**.

{{#ref}}
gcp-privilege-escalation/
{{#endref}}

{{#ref}}
gcp-post-exploitation/
{{#endref}}

{{#ref}}
gcp-persistence/
{{#endref}}

### Publicly Exposed Services

While enumerating GCP services you might have found some of them **exposing elements to the Internet** (VM/Container ports, databases or queue services, snapshots or buckets...).\
As a pentester/red teamer you should always check whether you can find **sensitive information / vulnerabilities** on them, as they might give you **further access into the GCP account**.

In this book you should find **information** about how to find **exposed GCP services and how to check them**. For finding **vulnerabilities in exposed network services** I would recommend you **search** for the specific service in:

{{#ref}}
https://book.hacktricks.xyz/
{{#endref}}

## GCP <--> Workspace Pivoting

**Compromising** principals in **one platform** might allow an attacker to **compromise the other**; check it in:

{{#ref}}
gcp-to-workspace-pivoting/
{{#endref}}

## Automatic Tools

- In the **GCloud console**, at [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard), you can see the resources and IAM used by the project.
  - Here you can see the assets supported by this API: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types)
- Check the **tools** that can be [**used in several clouds here**](../pentesting-cloud-methodology.md).
- [**gcp_scanner**](https://github.com/google/gcp_scanner): This is a GCP resource scanner that can help determine **what level of access certain credentials possess** on GCP.

```bash
# Install
git clone https://github.com/google/gcp_scanner.git
cd gcp_scanner
virtualenv -p python3 venv
source venv/bin/activate
pip install -r requirements.txt

# Execute with gcloud creds
python3 __main__.py -o /tmp/output/ -g "$HOME/.config/gcloud"
```

- [**gcp_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash script to enumerate a GCP environment using the gcloud cli and save the results in a file.
- [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Scripts to enumerate high IAM privileges and to escalate privileges in GCP by abusing them (I couldn't make the enumeration script run).
- [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Script to brute-force your permissions.

## gcloud config & debug

```bash
# Login so gcloud can use your credentials
gcloud auth login
gcloud config set project security-devbox
gcloud auth print-access-token

# Login so SDKs can use your user credentials
gcloud auth application-default login
gcloud auth application-default set-quota-project security-devbox
gcloud auth application-default print-access-token

# Update gcloud
gcloud components update
```

### Capture gcloud, gsutil... network

Note that you can use the **`--log-http`** **parameter** with the **`gcloud`** cli to **print** the **requests** the tool is performing.
If you don't want the logs to redact the value of the token, use `gcloud config set log_http_redact_token false`.

Moreover, to intercept the communication:

```bash
gcloud config set proxy/address 127.0.0.1
gcloud config set proxy/port 8080
gcloud config set proxy/type http
gcloud config set auth/disable_ssl_validation True

# If you don't want to completely disable ssl_validation use:
gcloud config set core/custom_ca_certs_file cert.pem

# Back to normal
gcloud config unset proxy/address
gcloud config unset proxy/port
gcloud config unset proxy/type
gcloud config unset auth/disable_ssl_validation
gcloud config unset core/custom_ca_certs_file
```

### OAuth token configure in gcloud

To **use a service account OAuth token leaked from the metadata endpoint** you can just do:

```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
gcloud projects list

# Via setup
echo "<token>" > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
gcloud projects list
gcloud config unset auth/access_token_file
```

## References

- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)

{{#include ../../banners/hacktricks-training.md}}
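Once `log_http_redact_token` is set to `false`, every `--log-http` capture and every proxy log contains live bearer tokens, and those files tend to end up in tickets, reports and shared drives. The Python below is an added example (not code from the HackTricks page) that scrubs the two token shapes you meet in that output, `ya29.`-prefixed OAuth access tokens and three-part JWT identity tokens, before a capture is stored or shared. The sample log text is constructed to resemble a `--log-http` request dump; it is not verbatim gcloud output, and the regular expressions are this example's own.

```python
"""Scrub GCP tokens out of gcloud --log-http / proxy captures before sharing them.

Added example, not part of the HackTricks page. SAMPLE_LOG is a constructed
approximation of a --log-http request dump with token redaction disabled.
"""
import re

# (pattern, replacement). Assumptions: OAuth access tokens start with "ya29."
# and JWT identity tokens are three base64url segments joined by dots.
TOKEN_PATTERNS = [
    (re.compile(r"ya29\.[A-Za-z0-9._-]+"), "ya29.<REDACTED>"),
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "<REDACTED-JWT>"),
]


def scrub_tokens(text: str):
    """Return (scrubbed_text, number_of_tokens_replaced)."""
    total = 0
    for pattern, replacement in TOKEN_PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def scrub_file(path_in: str, path_out: str) -> int:
    """Scrub a capture on disk; returns how many tokens were replaced."""
    with open(path_in, encoding="utf-8", errors="replace") as fh:
        scrubbed, n = scrub_tokens(fh.read())
    with open(path_out, "w", encoding="utf-8") as fh:
        fh.write(scrubbed)
    return n


# Constructed sample: same access token in a header and a form body, plus an
# identity token. The token values are invented and not valid credentials.
SAMPLE_LOG = """\
==== request start ====
uri: https://cloudresourcemanager.googleapis.com/v1/projects?alt=json
method: GET
== headers start ==
authorization: Bearer ya29.a0AbCdEf-ghIJKlmnOPqrSTuvWXyz0123456789_abcdefgh
x-goog-api-client: gcloud/0.0.0
== headers end ==
== body start ==
access_token=ya29.a0AbCdEf-ghIJKlmnOPqrSTuvWXyz0123456789_abcdefgh&id_token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2lnbmF0dXJl
== body end ==
==== request end ====
"""

if __name__ == "__main__":
    cleaned, count = scrub_tokens(SAMPLE_LOG)
    print(f"{count} token(s) redacted")
    print(cleaned)
```

The scrubber keeps the `ya29.` prefix so a reviewer can still tell an access token was present and where, without being able to reuse it; run `scrub_file` over a capture before attaching it to a finding.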