From 397279591e3653cd3b6eb7cdcdb0a104691edd12 Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 17 Jan 2024 10:20:49 +0000 Subject: [PATCH] GITBOOK-526: change request with no subject merged in GitBook --- SUMMARY.md | 3 + .../gcp-appengine-privesc.md | 27 ++++--- .../gcp-services/gcp-app-engine-enum.md | 75 +++++++++++++------ .../gcp-app-engine-persistence.md | 45 +++++++++++ .../gcp-cloud-functions-persistence.md | 2 +- .../gcp-app-engine-post-exploitation.md | 68 +++++++++++++++++ .../gcp-storage-privesc.md | 3 +- .../gcp-app-engine-unauthenticated-enum.md | 49 ++++++++++++ 8 files changed, 237 insertions(+), 35 deletions(-) create mode 100644 pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md create mode 100644 pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md create mode 100644 pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md diff --git a/SUMMARY.md b/SUMMARY.md index df6df4221b..cebea40ef1 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -77,6 +77,7 @@ * [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) + * [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) * [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) * [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) * [GCP - AppEngine Privesc](pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md) @@ -103,6 +104,7 @@ * [GCP - Network Docker Escape](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md) * [GCP - local privilege escalation ssh pivoting](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) * [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) + * [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md) @@ -135,6 +137,7 @@ * [GCP - Storage Enum](pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md) * [GCP to Workspace Pivoting](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting.md) * [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/README.md) + * [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md) * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md) diff --git a/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md b/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md index 2af4f8421e..f04ef2a8bb 100644 --- a/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md +++ b/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md @@ -14,6 +14,14 @@ Other ways to support HackTricks: +## App Engine + +For more information about App Engine check: + +{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %} +[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md) +{% endcontent-ref %} + ### `appengine.applications.get`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.operations.list`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.create`, `appengine.versions.get`, `appengine.versions.list`, `cloudbuild.builds.get`,`iam.serviceAccounts.actAs`, `resourcemanager.projects.get`, `storage.objects.create`, `storage.objects.list` Those are the needed permissions to **deploy an App using `gcloud` cli**. Maybe the **`get`** and **`list`** ones could be **avoided**. @@ -36,14 +44,6 @@ It's **possible to indicate the Service Account to use** but by default, the App The URL of the application is something like `https://.oa.r.appspot.com/` or `https://-dot-.oa.r.appspot.com` -### `logging.views.access` - -With this permission it's possible to **see the logs of the App**: - -```bash -gcloud app logs tail -s -``` - ### `appengine.instances.enableDebug`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.get`, `appengine.versions.list`, `compute.projects.get` With these permissions, it's possible to **login via ssh in App Engine instances** of type **flexible** (not standard). Some of the **`list`** and **`get`** permissions **could not be really needed**. @@ -62,13 +62,16 @@ gcloud app update --service-account= ``` {% endcode %} -### `appengine.memcache.addKey`, `appengine.memcache.getKey`, `appengine.memcache.update` +### `appengine.versions.getFileContents`, `appengine.versions.update` -These permissions looks interesting to access App memcache. +Not sure how to use these permissions or if they are useful (note that when you change the code a new version is created so I don't know if you can just update the code or the IAM role of one, but I guess you should be able to, maybe changing the code inside the bucket??). -### `appengine.versions.getFileContents`, `appengine.versions.update` +### Write Access over the buckets + +Even with write access over the buckets where the source code is located **it WASN'T possible to execute arbitrary code by modifying the source code and the `manifest.json`**.\ +Maybe if you are monitoring the bucket and detect the moment where a new version is created and the source code and manifest is uploaded, it might be possible to change them so the new version uses the backdoored ones?? -Not sure how to use these permissions or if they are useful (note that when you cange the code a new version is created so I don't know if you can just update the code or the IAM role of one, but I gues you shuold be able to, maybe changing the code inside the bucket??). +It also looks like container layers are stored in the bucket, maybe changing those?
diff --git a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-app-engine-enum.md b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-app-engine-enum.md index d3d5450f04..ca5a5c7bf7 100644 --- a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-app-engine-enum.md +++ b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-app-engine-enum.md @@ -14,20 +14,55 @@ Other ways to support HackTricks:
-## App Engine Configurations +## Basic Information -Google [App Engine](https://cloud.google.com/appengine/) is **another** [**"serverless"**](https://about.gitlab.com/topics/serverless/) offering for hosting applications, with a focus on scalability, and enables developers to **build and deploy web applications and APIs** without having to worry about managing infrastructure. +\ +Google Cloud Platform's (GCP) App Engine is a fully managed, **serverless platform** for developing and **hosting web applications at scale**. It's designed to **simplify your development process** and make it easy to manage applications, offering several key features and benefits: + +1. **Serverless Architecture**: App Engine automatically handles the infrastructure, including server provisioning, configuration, and scaling. This allows developers to focus on writing code without worrying about the underlying hardware. +2. **Automatic Scaling**: App Engine can automatically scale your application in response to the amount of traffic it receives. It scales up to handle increased traffic and scales down when traffic decreases, helping optimize cost and performance. +3. **Language and Runtime Support**: It supports popular programming languages such as Java, Python, Node.js, Go, Ruby, PHP, and .NET. You can run your applications in a standard or a flexible environment. The standard environment is more restrictive but highly optimized for specific languages, while the flexible environment allows for more customization. +4. **Integrated Services**: App Engine integrates with many other GCP services, like Cloud SQL, Cloud Storage, Cloud Datastore, and more. This integration simplifies the architecture of cloud-based applications. +5. **Versioning and Traffic Splitting**: You can easily deploy multiple versions of your application and then split traffic among them for A/B testing or gradual rollouts. +6. **Application Insights**: App Engine provides built-in services such as logging, user authentication, and a suite of developer tools for monitoring and managing applications. +7. **Security**: It offers built-in security features like application versioning, SSL/TLS certificates for secure connections, and identity and access management. + +### Firewall A simple **firewall** can be configured for the instances running the Apps with the following options:
-The default service account used by these Apps is **`@appspot.gserviceaccount.com`** and the SAs inside APP Engine instance **runs with cloud-platform scope (among others).** +### SA + +The default service account used by these Apps is **`@appspot.gserviceaccount.com`** which have **Editor** role over the project and the SAs inside APP Engine instance **runs with cloud-platform scope (among others).** + +### Storage + +The source code and metadata is **automatically stored in buckets** with names such as `.appspot.com` and `staging..appspot.com` and `..appspot.com` + +**Every file** of the App is stored with the **sha1 of the content as filename**: + +
+ +Inside the **`ae`** folder from `staging..appspot.com`, **one folder per version exist** with the **source code** files and **`manifest.json`** file that **describes the components** of the App: + +{% code overflow="wrap" %} +```json +{"requirements.txt":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/a270eedcbe2672c841251022b7105d340129d108","sha1Sum":"a270eedc_be2672c8_41251022_b7105d34_0129d108"},"main_test.py":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/0ca32fd70c953af94d02d8a36679153881943f32","sha1Sum":"0ca32fd7_0c953af9_4d02d8a ... +``` +{% endcode %} + +### URLs & Regions + +The **default** web page will be exposed in the URL **`.appspot.com`** although the URL of older versions will be slightly different, like **`https://20240117t001540-dot-.uc.r.appspot.com`** (note the initial timestamp). + +It might look like it's only possible to deploy 1 app engine web application per region, but it's possible to indicate **`service: `** in the **`app.yml`** and create a new service (a new web). The format of the URL for this new web will be **`-dot-.appspot.com`**. ### Enumeration {% hint style="danger" %} -Everytime you uploads a new code to the App, **a new version is created**. **All versions are stored** and they even have an **URL to access them**. So modifying the code of an old version could be a **great persistence tecnique**. +Every time you uploads a new code to the App, **a new version is created**. **All versions are stored** and they even have an **URL to access them**. So modifying the code of an old version could be a **great persistence technique**. {% endhint %} As with Cloud Functions, **there is a chance that the application will rely on secrets that are accessed at run-time via environment variables**. These variables are stored in an **`app.yaml`** file which can be accessed as follows: @@ -67,30 +102,28 @@ gcloud app ssl-certificates list gcloud app ssl-certificates describe ``` -### Storage - -The source code is **automatically stored in buckets** with names such as `.appspot.com` or `staging..appspot.com` +### Privilege Escalation -**Every file** of the App is stored with the **sha1 of the content as filename**: +{% content-ref url="../gcp-privilege-escalation/gcp-appengine-privesc.md" %} +[gcp-appengine-privesc.md](../gcp-privilege-escalation/gcp-appengine-privesc.md) +{% endcontent-ref %} -
+### Unauthenticated Enum -Inside the **`ae`** folder, **one folder per version exist** with a **`manifest.json`** file that **describes the components** of the App: +{% content-ref url="../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md" %} +[gcp-app-engine-unauthenticated-enum.md](../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) +{% endcontent-ref %} -{% code overflow="wrap" %} -```json -{"requirements.txt":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/a270eedcbe2672c841251022b7105d340129d108","sha1Sum":"a270eedc_be2672c8_41251022_b7105d34_0129d108"},"main_test.py":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/0ca32fd70c953af94d02d8a36679153881943f32","sha1Sum":"0ca32fd7_0c953af9_4d02d8a ... -``` -{% endcode %} +### Post Exploitation -{% hint style="warning" %} -A principal capable of **writting this bucket** will be able to **overwrite** the code and make the app **execute arbitrary code**. (TODO: test this) -{% endhint %} +{% content-ref url="../../gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md" %} +[gcp-app-engine-post-exploitation.md](../../gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) +{% endcontent-ref %} -### Privesc +### Persistence -{% content-ref url="../gcp-privilege-escalation/gcp-appengine-privesc.md" %} -[gcp-appengine-privesc.md](../gcp-privilege-escalation/gcp-appengine-privesc.md) +{% content-ref url="../../gcp-security/gcp-persistence/gcp-app-engine-persistence.md" %} +[gcp-app-engine-persistence.md](../../gcp-security/gcp-persistence/gcp-app-engine-persistence.md) {% endcontent-ref %}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md new file mode 100644 index 0000000000..9b9bbb7d21 --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md @@ -0,0 +1,45 @@ +# GCP - App Engine Persistence + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## App Engine + +For more information about App Engine check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-app-engine-enum.md" %} +[gcp-app-engine-enum.md](../../gcp-pentesting/gcp-services/gcp-app-engine-enum.md) +{% endcontent-ref %} + +### Modify code + +If yoi could just modify the code of a running version or create a new one yo could make it run your backdoor and mantain persistence. + +### Old version persistence + +**Every version of the web application is going to be run**, if you find that an App Engine project is running several versions, you could **create a new one** with your **backdoor** code, and then **create a new legit** one so the last one is the legit but there will be a **backdoored one also running**. + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md index 768e1b68a2..d6189b7c5f 100644 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md +++ b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md @@ -24,7 +24,7 @@ For more info about Cloud Functions check: ### Persistence Techniques -* **Modify the code** of the Cloud Function +* **Modify the code** of the Cloud Function, even just the `requirements.txt` * **Allow anyone** to call a vulnerable Cloud Function or a backdoor one * **Trigger** a Cloud Function when something happens to infect something diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md new file mode 100644 index 0000000000..75974f2949 --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md @@ -0,0 +1,68 @@ +# GCP - App Engine Post Exploitation + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## `App Engine` + +For information about App Engine check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-app-engine-enum.md" %} +[gcp-app-engine-enum.md](../../gcp-pentesting/gcp-services/gcp-app-engine-enum.md) +{% endcontent-ref %} + +### `appengine.memcache.addKey` | `appengine.memcache.list` | `appengine.memcache.getKey` | `appengine.memcache.flush` + +With these permissions it's possible to: + +* Add a key +* List keys +* Get a key +* Delete + +{% hint style="danger" %} +However, I **couldn't find any way to access this information from the cli**, only from the **web console** where you need to know the **Key type** and the **Key name**, of from the a**pp engine running app**. + +If you know easier ways to use these permissions send a Pull Request! +{% endhint %} + +### `logging.views.access` + +With this permission it's possible to **see the logs of the App**: + +```bash +gcloud app logs tail -s +``` + +### Read Source Code + +The source code of all the versions and services are **stored in the bucket** with the name **`staging..appspot.com`**. If you have write access over it you can read the source code and search for **vulnerabilities** and **sensitive information**. + +### Modify Source Code + +Modify source code to steal credentials if they are being sent or perform a defacement web attack. + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md index 656a79aaab..c826788ca7 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md @@ -80,7 +80,8 @@ A very **common exploitation** of buckets where you can write in cloud is in cas ### App Engine -* App Engine source code is stored in buckets, **overwriting the code it could be possible to execute arbitrary code.** +* App Engine source code is stored in buckets, **overwriting the code it could be possible to execute arbitrary code. THIS IS NOT POSSIBLE** +* **It looks like container layers are stored in the bucket, maybe changing those?** ### GCR diff --git a/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md new file mode 100644 index 0000000000..a9330c6c14 --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md @@ -0,0 +1,49 @@ +# GCP - App Engine Unauthenticated Enum + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## App Engine + +For more information about App Engine check: + +{% content-ref url="../../gcp-pentesting/gcp-services/gcp-app-engine-enum.md" %} +[gcp-app-engine-enum.md](../../gcp-pentesting/gcp-services/gcp-app-engine-enum.md) +{% endcontent-ref %} + +### Brute Force Subdomains + +As mentioned the URL assigned to App Engine web pages is **`.appspot.com`** and if a service name is used it'll be: **`-dot-.appspot.com`**. + +As the **`project-uniq-name`** can be set by the person creating the project, they might be not that random and **brute-forcing them could find App Engine web apps exposed by companies**. + +You could use tools like the ones indicated in: + +{% content-ref url="./" %} +[.](./) +{% endcontent-ref %} + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +