diff --git a/.gitbook/assets/image (132).png b/.gitbook/assets/image (132).png new file mode 100644 index 0000000000..d3660513ef Binary files /dev/null and b/.gitbook/assets/image (132).png differ diff --git a/.gitbook/assets/image (133).png b/.gitbook/assets/image (133).png new file mode 100644 index 0000000000..49a761f891 Binary files /dev/null and b/.gitbook/assets/image (133).png differ diff --git a/SUMMARY.md b/SUMMARY.md index cebea40ef1..6c360f3260 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -72,12 +72,13 @@ * [GCP - Non-svc Persistance](pentesting-cloud/gcp-security/gcp-non-svc-persistance.md) * [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md) * [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md) - * [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) - * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) + * [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) + * [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) * [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) - * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) + * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) - * [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) + * [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) + * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) * [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) * [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) * [GCP - AppEngine 
Privesc](pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md) @@ -106,8 +107,9 @@ * [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) * [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) - * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) + * [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md) + * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) * [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md) * [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md) * [GCP - App Engine Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-app-engine-enum.md) 
@@ -139,6 +141,7 @@ * [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/README.md) * [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) + * [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md) * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md) * [Workspace Pentesting](pentesting-cloud/workspace-security.md) diff --git a/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-sourcerepos-privesc.md b/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-sourcerepos-privesc.md index 7b26d6b780..dac1fcd80b 100644 --- a/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-sourcerepos-privesc.md +++ b/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-sourcerepos-privesc.md @@ -1,4 +1,4 @@ -# GCP - Source Repos Privesc +# GCP - Sourcerepos Privesc
@@ -16,12 +16,42 @@ Other ways to support HackTricks: ## Source Repositories +For more information about Source Repositories check: + +{% content-ref url="../../gcp-security/gcp-services/gcp-source-repositories-enum.md" %} +[gcp-source-repositories-enum.md](../../gcp-security/gcp-services/gcp-source-repositories-enum.md) +{% endcontent-ref %} + ### `source.repos.get` (todo)Download code and search for sensitive information.\ (todo)Write code and compromise other code executions envs. -### (TODO) Permissions to add SSH keys +### Add SSH keys + +It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`** + +Once your ssh key is set, you can access a repo with: + +{% code overflow="wrap" %} +```bash +git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/ +``` +{% endcode %} + +And then use **`git`** commands are per usual. + +### Manual Credentials + +It's possible to create manual credentials to access the Source Repositories: + + + +This will send you to a page with a **bash script to execute** and configure a git cookie in `$HOME/.gitcookies` + + + +Just having this you can use git clone, push... and it will work.
diff --git a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md index 115f2d6dcc..0a80761be6 100644 --- a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md +++ b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md 
@@ -16,20 +16,33 @@ Other ways to support HackTricks: ## Cloud Run -Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response. +Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure. -By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\ -Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**. +You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.** -By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**. +Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications. -By **default**, the **service account** used is the **Compute Engine default one** and it has the **scope `cloud-platform`.** +### Services and jobs -It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or a**dd cloud secrets to environment variables.** +On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud. -It's also possible to **add connections with Cloud SQL**. +* **Cloud Run services.** Used to run code that responds to web requests, or events. 
+* **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done. -The **URLs** of the services deployed are similar to `https://-.a.run.app` +## Cloud Run Service + +Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response. + +### Relevant details + +* By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\ + Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**. +* By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**. +* By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.** +* It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.** +* It's also possible to **add connections with Cloud SQL** and **mount a file system.** +* The **URLs** of the services deployed are similar to **`https://-.a.run.app`** +* A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions. ### Enumeration @@ -40,7 +53,7 @@ gcloud run services list --platform=managed gcloud run services list --platform=gke # Get info of a service -gcloud run services describe --region +gcloud run services describe --region # Get info of all the services together gcloud run services list --format=yaml 
@@ -65,71 +78,47 @@ curl curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" ``` -### Privilege Escalation - -In the following page, you can check how to **abuse cloud run permissions to escalate privileges**: - -{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md" %} -[gcp-run-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) -{% endcontent-ref %} +## Cloud Run Jobs -### Enumerate Open Cloud Run +Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done. -With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations. +### Enumeration ```bash -#!/bin/bash - -############################ -# Run this tool to find Cloud Run services that permit unauthenticated -# invocations anywhere in your GCP organization. -# Enjoy! 
-############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" +gcloud beta run jobs list +gcloud beta run jobs describe --region +gcloud beta run jobs get-iam-policy --region +``` - enabled=$(gcloud services list --project "$proj" | grep "Cloud Run API") +## Privilege Escalation - if [ -z "$enabled" ]; then - continue - fi +In the following page, you can check how to **abuse cloud run permissions to escalate privileges**: +{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md" %} +[gcp-run-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) +{% endcontent-ref %} - for run in $(gcloud run services list --platform managed --quiet --project $proj --format="get(name)"); do - ACL="$(gcloud run services get-iam-policy $run --platform managed --project $proj)" +## Unauthenticated Access - all_users="$(echo $ACL | grep allUsers)" - all_auth="$(echo $ACL | grep allAuthenticatedUsers)" +{% content-ref url="../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md" %} +[gcp-cloud-run-unauthenticated-enum.md](../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) +{% endcontent-ref %} - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $proj: $run" - fi +## Post Exploitation - if [ -z "$all_auth" ] - then - : - else - echo "[!] Open to all authenticated users: $proj: $run" - fi - done -done -``` +{% content-ref url="../../gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md" %} +[gcp-cloud-run-post-exploitation.md](../../gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) +{% endcontent-ref %} -## Cloud Run Jobs +## Persistence -Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. 
This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done. +{% content-ref url="../../gcp-security/gcp-persistence/gcp-cloud-run-persistence.md" %} +[gcp-cloud-run-persistence.md](../../gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) +{% endcontent-ref %} -### Enumeration +## References -```bash -gcloud beta run jobs list -gcloud beta run jobs describe --region -gcloud beta run jobs get-iam-policy --region -``` +* [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md new file mode 100644 index 0000000000..66dec753dc --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md @@ -0,0 +1,52 @@ +# GCP - Cloud Run Persistence + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** ๐Ÿฆ [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) +* +* +* github repos. + +
+ +## Cloud Run + +For more information about Cloud Run check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %} +[gcp-cloud-run-enum.md](../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md) +{% endcontent-ref %} + +### Backdoored Revision + +Create a new backdoored revision of a Run Service and split some traffic to it. + +### Publicly Accessible Service + +Make a Service publicly accessible + +### Backdoored Service or Job + +Create a backdoored Service or Job + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** ๐Ÿฆ [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md new file mode 100644 index 0000000000..f8164bebe7 --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md @@ -0,0 +1,45 @@ +# GCP - Cloud Run Post Exploitation + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** ๐Ÿฆ [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## Cloud Run + +For more information about Cloud Run check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %} +[gcp-cloud-run-enum.md](../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md) +{% endcontent-ref %} + +### Access the images + +If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables. + +### Modify the image + +Modify the run image to steal information. For example, if it's exposing a login page, steal the credentials users are sending. + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** ๐Ÿฆ [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md index 0a97ff9249..f5fb8d6206 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md @@ -14,17 +14,19 @@ Other ways to support HackTricks:
-## run +## Cloud Run + +For more information about Cloud Run check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %} +[gcp-cloud-run-enum.md](../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md) +{% endcontent-ref %} ### `run.services.create` , `iam.serviceAccounts.actAs` Similar to the _cloudfunctions.functions.create_ method, this method creates a **new Cloud Run Service** that, when invoked, **returns the Service Accountโ€™s** access token by accessing the metadata API of the server it is running on. A Cloud Run service will be deployed and a request can be performed to it to get the token. -The following **permissions are required** for this method: - -* _run.services.create_ -* _iam.serviceaccounts.actAs_ -* _run.services.setIamPolicy_ **OR** _run.routes.invoke_ +You might also need the permissions **`run.services.setIamPolicy`** or **`run.routes.invoke`** if you cannot create it publicly accesible to be invoked by anyone accessing the URL (this could be prevented by Organization Policies). ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image8-1000x503.png) @@ -50,7 +52,7 @@ gcloud run deploy hacked \ ### `run.services.setIamPolicy` -Give yourself previous permissions. +Give yourself previous permissions over cloud Run. ### `run.jobs.create`,`run.jobs.run`,(`run.jobs.get`) @@ -72,7 +74,7 @@ gcloud beta run jobs update hacked \ ### `run.jobs.setIamPolicy` -Give yourself the previous permissions. +Give yourself the previous permissions over Cloud Jobs. ## References diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md index af5c5cc098..02a1bdfdf7 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md +++ b/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md @@ -14,6 +14,24 @@ Other ways to support HackTricks:
+## Basic Information + +Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code. + +Key features of Cloud Source Repositories include: + +1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows. +2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment. +3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles. +4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices. +5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews. +6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories. + +### OffSec information + +* The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background. +* + ## Cloud Git repositories To see the code in GCP, you need to **write** into branch **master** by **default.**\ 
@@ -46,11 +64,7 @@ git add, commit, push... {% endcode %} {% hint style="warning" %} -`gcloud source repos update` can actually indicate a service account to be attached to the source repository, but I don't know how it could be uased? -{% endhint %} - -{% hint style="warning" %} -It's somehow possible to add ssh keys that have access to the repos, but there is no gcloud option for that. +It's somehow possible to add ssh keys that have access to the repos from the web console, but there is no gcloud option for that. {% endhint %} ### Privilege Escalation diff --git a/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md index 31afbe9896..72f297d474 100644 --- a/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md +++ b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md @@ -24,10 +24,12 @@ More information about Cloud Functions can be found in: ### Brute Force URls -Knowing project names, **Brute Force the URL format**: +**Brute Force the URL format**: * `https://-.cloudfunctions.net/` +It's easier if you know project names. + Check this page for some tools to perform this brute force: {% content-ref url="./" %} diff --git a/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md new file mode 100644 index 0000000000..4af8e6a844 --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md @@ -0,0 +1,85 @@ +# GCP - Cloud Run Unauthenticated Enum + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** ๐Ÿฆ [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## Cloud Run + +For more information about Cloud Run check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md" %} +[gcp-cloud-run-enum.md](../../gcp-pentesting/gcp-services/gcp-cloud-run-enum.md) +{% endcontent-ref %} + +### Enumerate Open Cloud Run + +With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations. + +```bash +#!/bin/bash + +############################ +# Run this tool to find Cloud Run services that permit unauthenticated +# invocations anywhere in your GCP organization. +# Enjoy! +############################ + +for proj in $(gcloud projects list --format="get(projectId)"); do + echo "[*] scraping project $proj" + + enabled=$(gcloud services list --project "$proj" | grep "Cloud Run API") + + if [ -z "$enabled" ]; then + continue + fi + + + for run in $(gcloud run services list --platform managed --quiet --project $proj --format="get(name)"); do + ACL="$(gcloud run services get-iam-policy $run --platform managed --project $proj)" + + all_users="$(echo $ACL | grep allUsers)" + all_auth="$(echo $ACL | grep allAuthenticatedUsers)" + + if [ -z "$all_users" ] + then + : + else + echo "[!] Open to all users: $proj: $run" + fi + + if [ -z "$all_auth" ] + then + : + else + echo "[!] Open to all authenticated users: $proj: $run" + fi + done +done +``` + + + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** ๐Ÿฆ [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
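Review bot: In gcp-sourcerepos-privesc.md (hunk `@@ -16,12 +16,42 @@`), the new "Add SSH keys" section replaces the "(TODO) Permissions to add SSH keys" heading without naming any permission, while the neighbouring heading in the same file is the permission itself (`source.repos.get`). State which permission the `/v1/sshKeys:add` request requires, or keep the TODO marker until that is known. In the same hunk, "And then use **`git`** commands are per usual" should read "as per usual".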
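Review bot: In gcp-cloud-run-enum.md (hunk `@@ -16,20 +16,33 @@`), the "Cloud Run Service" paragraph still says "a job is executed and the job log is output via an HTTP response", which conflicts with the "Services and jobs" section added just above it, where a job is the workload that does not respond to requests. Reword it so the service handles the request and returns the response. Also in this hunk, "You can run your container or If you're using Go" needs either a sentence break before "If" or a lowercase "if".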
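Review bot: In gcp-cloud-run-enum.md (hunk `@@ -65,71 +78,47 @@`), the relocated "Cloud Run Jobs" paragraph carries over the typo "Cloud Run jobs are be a better fit"; since the line is re-added here, change it to "are a better fit". The new "Unauthenticated Access", "Post Exploitation" and "Persistence" headings contain only a content-ref, whereas "Privilege Escalation" keeps a one-line introduction; give the three new sections the same kind of sentence so the page reads consistently.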
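Review bot: In the new gcp-cloud-run-persistence.md, the opening support block has three stray bullets ("+* +* +* github repos.") that split the last list item, while the closing block in the same file has it intact as "... [**HackTricks Cloud**](...) github repos."; remove the empty bullets. The three technique sections are one sentence each and name no permission, unlike gcp-run-privesc.md in this patch, which heads each technique with the permissions it needs (for example `run.services.setIamPolicy`); add the required permissions or a link to that page, and end "Make a Service publicly accessible" and "Create a backdoored Service or Job" with a full stop.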
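Review bot: In the new gcp-cloud-run-post-exploitation.md, "Also for sensitive information in env variables." under "Access the images" is a sentence fragment; fold it into the previous sentence, for example "check the code for vulnerabilities and for hardcoded sensitive information, including in env variables". "Modify the image" names no permission and does not link to the privilege-escalation page; add one of the two so the section matches the rest of the Cloud Run pages in this patch.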
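Review bot: In gcp-run-privesc.md (hunk `@@ -14,17 +14,19 @@`), the sentence that replaces the removed permission list is hard to parse and has a typo: "if you cannot create it publicly accesible to be invoked by anyone accessing the URL". Fix "accesible" to "accessible" and split it, for example: "If you cannot deploy the service as publicly invocable (Organization Policies can prevent this), you will also need **`run.services.setIamPolicy`** or **`run.routes.invoke`**." The removed list made the "OR" between those two permissions explicit, so keep that explicit in the new wording.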
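Review bot: In gcp-run-privesc.md (hunk `@@ -50,7 +52,7 @@`), "Give yourself previous permissions over cloud Run." does not say which permissions are meant and writes the product name with a lowercase "c". Name them, using the ones in the heading of the preceding section (`run.services.create`, `iam.serviceAccounts.actAs`), and write "Cloud Run".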
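Review bot: In gcp-run-privesc.md (hunk `@@ -72,7 +74,7 @@`), "the previous permissions over Cloud Jobs" uses a name that appears nowhere else in this patch; gcp-cloud-run-enum.md calls them "Cloud Run jobs". Use that term here and list the permissions from the heading above (`run.jobs.create`, `run.jobs.run`, `run.jobs.get`).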
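Review bot: In gcp-source-repositories-enum.md (hunk `@@ -14,6 +14,24 @@`), the "OffSec information" list ends with an empty bullet ("+* +"); either fill it in or delete it. The one populated bullet needs grammar fixes ("used to publishing" should be "used to publish", "possible steal" should be "possible to steal"), and its "I don't think it's possible" is an untested statement in reference documentation, so mark it as unverified or test it before merging.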
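Review bot: In gcp-source-repositories-enum.md (hunk `@@ -46,11 +64,7 @@`), the remaining hint still says "It's somehow possible to add ssh keys", but gcp-sourcerepos-privesc.md in this same patch now documents how (web console, POST to `/v1/sshKeys:add`). Drop "somehow" and point the hint at that section instead of leaving the two pages out of step.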
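Review bot: In the new gcp-cloud-run-unauthenticated-enum.md, the script moved under "Enumerate Open Cloud Run" is not unauthenticated enumeration: it starts with `gcloud projects list` and its own header says it is for finding open services "anywhere in your GCP organization", so it needs credentials and reads as an audit tool for the organization's owner. Say that in the introduction, or keep the script on the enum page and leave this page for checks that need no credentials. In the script itself, `$proj` and `$run` are unquoted in the inner `for` and in the `get-iam-policy` call, and that call passes neither `--region` nor `--quiet` although the `list` call passes `--quiet` and the describe command on the enum page passes `--region`; quote the variables and pass both flags so the loop cannot stop at an interactive prompt. The file also ends with several blank lines after the closing code fence that can be trimmed.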