GITBOOK-527: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Jan 17, 2024
1 parent 3972795 commit 21987f0
Showing 11 changed files with 302 additions and 80 deletions.
Binary file added .gitbook/assets/image (132).png
Binary file added .gitbook/assets/image (133).png
13 changes: 8 additions & 5 deletions SUMMARY.md
@@ -72,12 +72,13 @@
* [GCP - Non-svc Persistance](pentesting-cloud/gcp-security/gcp-non-svc-persistance.md)
* [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md)
* [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md)
* [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md)
* [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md)
* [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md)
* [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
* [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md)
* [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md)
* [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md)
* [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md)
* [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md)
* [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md)
* [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md)
* [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md)
* [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md)
* [GCP - AppEngine Privesc](pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md)
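Review bot: the added `GCP - KMS Post Exploitation` entry points at `gcp-post-exploitation/gcp-kms-post-exploitation.md`, and that file is not among the diffs rendered on this page; confirm it is part of the commit, otherwise GitBook renders a dead SUMMARY entry. The reorder of the post-exploitation entries (App Engine, Cloud Functions, Cloud Run, IAM, KMS, Secretmanager, Storage) is alphabetical and fine. One thing to check while this block is being touched: the last context line links `gcp-appengine-privesc.md` under `pentesting-cloud/gcp-pentesting/...` while every other privesc entry here sits under `pentesting-cloud/gcp-security/...`; both trees do exist in the repo (the Cloud Run enum file below lives under `gcp-pentesting`), so this is not necessarily broken, but it is worth confirming the link resolves.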
@@ -106,8 +107,9 @@
* [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md)
* [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md)
* [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md)
* [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
* [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md)
* [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
* [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
* [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
* [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md)
* [GCP - App Engine Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-app-engine-enum.md)
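Review bot: the added `GCP - Secret Manager Persistence` entry (slug `gcp-secret-manager-persistence.md`) spells the service differently from the `GCP - Secretmanager Post Exploitation` entry (`gcp-secretmanager-post-exploitation.md`) in the previous hunk; pick one form for both title and slug across the section, or the two pages will sort and search apart. `GCP - Storage Persistence` is only moved, which keeps the list alphabetical, and `GCP - Cloud Run Persistence` targets the new `gcp-cloud-run-persistence.md` that this commit adds, so that link resolves.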
@@ -139,6 +141,7 @@
* [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/README.md)
* [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md)
* [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
* [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
* [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md)
* [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md)
* [Workspace Pentesting](pentesting-cloud/workspace-security.md)
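Review bot: the added `GCP - Cloud Run Unauthenticated Enum` entry targets `gcp-cloud-run-unauthenticated-enum.md`, which `gcp-cloud-run-enum.md` links to later in this commit but which is not among the diffs rendered here; confirm the file is actually in the commit. The directory segment `gcp-unaunthenticated-enum-and-access` carries a pre-existing misspelling (`unaunthenticated`); keeping it for the new entry is right, since the sibling entries use it and a rename would break every inbound link, but it deserves a follow-up rename across the whole section.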
@@ -1,4 +1,4 @@
# GCP - Source Repos Privesc
# GCP - Sourcerepos Privesc

<details>

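Review bot: the H1 rename from `GCP - Source Repos Privesc` to `GCP - Sourcerepos Privesc` makes the visible title less readable; the service is Cloud Source Repositories, and the body of this same file still heads its section `## Source Repositories`. If the intent is to match the compressed style of other SUMMARY entries (`Apikeys`, `Secretmanager`), do that in the slug and keep a human-readable H1, e.g. `# GCP - Source Repositories Privesc`.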
@@ -16,12 +16,42 @@ Other ways to support HackTricks:

## Source Repositories

For more information about Source Repositories check:

{% content-ref url="../../gcp-security/gcp-services/gcp-source-repositories-enum.md" %}
[gcp-source-repositories-enum.md](../../gcp-security/gcp-services/gcp-source-repositories-enum.md)
{% endcontent-ref %}

### `source.repos.get`

(todo)Download code and search for sensitive information.\
(todo)Write code and compromise other code executions envs.

### (TODO) Permissions to add SSH keys
### Add SSH keys

It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`**

Once your ssh key is set, you can access a repo with:

{% code overflow="wrap" %}
```bash
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
```
{% endcode %}

And then use **`git`** commands are per usual.

### Manual Credentials

It's possible to create manual credentials to access the Source Repositories:



This will send you to a page with a **bash script to execute** and configure a git cookie in `$HOME/.gitcookies`



Just having this you can use git clone, push... and it will work.

<details>

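Review bot: the heading `### (TODO) Permissions to add SSH keys` became `### Add SSH keys`, but the TODO itself was not resolved: the section still does not say which IAM permission lets a principal call `/v1/sshKeys:add`, which is the one fact a privesc page needs, and `### source.repos.get` ships with two `(todo)` lines as its only content. Either supply the permission and the `source.repos.get` text, or keep the TODO markers so readers know the gap is known. Smaller points: `use git commands are per usual` should read `as per usual`; the two pairs of blank lines under `### Manual Credentials` are presumably where the screenshots added in this commit (`image (132).png`, `image (133).png`) are embedded, and the text between them (`This will send you to a page`) does not say what to click, so one sentence of text would make the step usable without the images. Since the script writes a long-lived cookie to `$HOME/.gitcookies` and the page notes that possessing it is enough to clone and push, a line saying that file is loot when found on a compromised host belongs here.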
Expand Down
107 changes: 48 additions & 59 deletions pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md
@@ -16,20 +16,33 @@ Other ways to support HackTricks:

## Cloud Run <a href="#reviewing-cloud-run-configurations" id="reviewing-cloud-run-configurations"></a>

Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure.

By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\
Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**.
You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.**

By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**.
Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications.

By **default**, the **service account** used is the **Compute Engine default one** and it has the **scope `cloud-platform`.**
### Services and jobs <a href="#services-and-jobs" id="services-and-jobs"></a>

It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or a**dd cloud secrets to environment variables.**
On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.

It's also possible to **add connections with Cloud SQL**.
* **Cloud Run services.** Used to run code that responds to web requests, or events.
* **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done.

The **URLs** of the services deployed are similar to `https://<svc-name>-<random>.a.run.app`
## Cloud Run Service

Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.

### Relevant details

* By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\
Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**.
* By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**.
* By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.**
* It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.**
* It's also possible to **add connections with Cloud SQL** and **mount a file system.**
* The **URLs** of the services deployed are similar to **`https://<svc-name>-<random>.a.run.app`**
* A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions.

### Enumeration

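Review bot: the retained sentence `When the request is received, a job is executed and the job log is output via an HTTP response` now contradicts the services/jobs split introduced just above it (and spelled out later in this file: jobs do not serve requests or listen on a port). Under `## Cloud Run Service` it should describe a container handling HTTP requests, not a job; `waiting for an HTTP GET request` is also narrower than reality, since a service receives any HTTP method, and the listening port is whatever the container reads from the `PORT` environment variable (8080 by default, as the line says). In the new `Relevant details` list, `the Compute Engine default one which has Editor access over the project` holds only while the automatic Editor grant to default service accounts has not been disabled by organization policy; add `unless that grant was removed` so readers do not assume Editor blindly. Minor: `or If you're using Go` has a stray capital.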
@@ -40,7 +53,7 @@ gcloud run services list --platform=managed
gcloud run services list --platform=gke

# Get info of a service
gcloud run services describe --region <region> <svc-name>
gcloud run services describe --region <region> <svc-name>

# Get info of all the services together
gcloud run services list --format=yaml
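Review bot: the `gcloud run services describe --region <region> <svc-name>` line changes only in whitespace (old and new render identically), so nothing to fix here; one suggestion while in this block: since the section opens by saying Cloud Run is a place to search for env variables, point readers explicitly at `gcloud run services describe <svc-name> --region <region> --format=yaml`, because the YAML is the full service spec and is where the container env entries and secret volume mounts appear.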
@@ -65,71 +78,47 @@ curl <url>
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <url>
```

### Privilege Escalation

In the following page, you can check how to **abuse cloud run permissions to escalate privileges**:

{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md" %}
[gcp-run-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md)
{% endcontent-ref %}
## Cloud Run Jobs

### Enumerate Open Cloud Run
Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done.

With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations.
### Enumeration

```bash
#!/bin/bash

############################
# Run this tool to find Cloud Run services that permit unauthenticated
# invocations anywhere in your GCP organization.
# Enjoy!
############################

for proj in $(gcloud projects list --format="get(projectId)"); do
echo "[*] scraping project $proj"
gcloud beta run jobs list
gcloud beta run jobs describe --region <region> <job-name>
gcloud beta run jobs get-iam-policy --region <region> <job-name>
```

enabled=$(gcloud services list --project "$proj" | grep "Cloud Run API")
## Privilege Escalation

if [ -z "$enabled" ]; then
continue
fi
In the following page, you can check how to **abuse cloud run permissions to escalate privileges**:

{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md" %}
[gcp-run-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md)
{% endcontent-ref %}

for run in $(gcloud run services list --platform managed --quiet --project $proj --format="get(name)"); do
ACL="$(gcloud run services get-iam-policy $run --platform managed --project $proj)"
## Unauthenticated Access

all_users="$(echo $ACL | grep allUsers)"
all_auth="$(echo $ACL | grep allAuthenticatedUsers)"
{% content-ref url="../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md" %}
[gcp-cloud-run-unauthenticated-enum.md](../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
{% endcontent-ref %}

if [ -z "$all_users" ]
then
:
else
echo "[!] Open to all users: $proj: $run"
fi
## Post Exploitation

if [ -z "$all_auth" ]
then
:
else
echo "[!] Open to all authenticated users: $proj: $run"
fi
done
done
```
{% content-ref url="../../gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md" %}
[gcp-cloud-run-post-exploitation.md](../../gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
{% endcontent-ref %}

## Cloud Run Jobs
## Persistence

Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done.
{% content-ref url="../../gcp-security/gcp-persistence/gcp-cloud-run-persistence.md" %}
[gcp-cloud-run-persistence.md](../../gcp-security/gcp-persistence/gcp-cloud-run-persistence.md)
{% endcontent-ref %}

### Enumeration
## References

```bash
gcloud beta run jobs list
gcloud beta run jobs describe --region <region> <job-name>
gcloud beta run jobs get-iam-policy --region <region> <job-name>
```
* [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)

<details>

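Review bot: the `Enumerate Open Cloud Run` section and its script (the `for proj in $(gcloud projects list ...)` loop that greps each service's IAM policy for `allUsers` and `allAuthenticatedUsers`, credited to the GitLab red team repo) are deleted here and replaced by a content-ref to `gcp-cloud-run-unauthenticated-enum.md`; that file is not in the rendered diff, so confirm the script and its attribution link actually landed there rather than being dropped. In the moved text, `Cloud Run jobs are be a better fit` is a pre-existing typo (`are a better fit`) being re-added verbatim; worth fixing on the way. The jobs commands keep the `gcloud beta run jobs` form; Cloud Run jobs are generally available, so `gcloud run jobs list` / `describe` / `get-iam-policy` work without `beta`, and `beta` should be dropped unless a beta-only flag is needed. The rest of the reshuffle (privesc, unauthenticated access, post-exploitation and persistence as `##` sections with content-refs, plus a References list) reads fine.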
@@ -0,0 +1,52 @@
# GCP - Cloud Run Persistence

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
*
*
* &#x20;github repos.

</details>

## Cloud Run

For more information about Cloud Run check:

{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %}
[gcp-cloud-run-enum.md](../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md)
{% endcontent-ref %}

### Backdoored Revision

Create a new backdoored revision of a Run Service and split some traffic to it.

### Publicly Accessible Service

Make a Service publicly accessible

### Backdoored Service or Job

Create a backdoored Service or Job

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
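Review bot: the support block at the top of the new file has its last list item split across three bullets (`*`, `*`, `* &#x20;github repos.`), whereas the footer copy of the same block, and the other new file in this commit, carry it as one intact `Share your hacking tricks ...` line ending `github repos.`; merge the three back into that single bullet. On the content: each technique (`Backdoored Revision` with a traffic split, `Publicly Accessible Service`, `Backdoored Service or Job`) is a one-line description with no command and no permission; add the `gcloud` invocation and the permission each needs, and the artefact a defender would see (a new revision in the service's traffic split, an `allUsers` binding in the service IAM policy), so the page is usable rather than a placeholder.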
@@ -0,0 +1,45 @@
# GCP - Cloud Run Post Exploitation

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Cloud Run

For more information about Cloud Run check:

{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %}
[gcp-cloud-run-enum.md](../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md)
{% endcontent-ref %}

### Access the images

If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables.

### Modify the image

Modify the run image to steal information. For example, if it's exposing a login page, steal the credentials users are sending.

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
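Review bot: `Modify the image` (swap the running image to steal information, e.g. credentials submitted to a login page) overlaps with `Backdoored Service or Job` and `Backdoored Revision` on the new persistence page in this same commit; either cross-link the two or keep the technique in one place, otherwise the pages will drift apart. `Access the images` tells the reader to check the images but not where the image reference lives; point at the service spec returned by `gcloud run services describe` from the enum page this file links to, which carries the image reference of the current revision, and note that `Also for sensitive information in env variables` is a sentence fragment that should say where those are read from (the same describe output).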