GITBOOK-533: change request with no subject merged in GitBook

SUMMARY.md

@@ -76,6 +76,7 @@
     * [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md)
     * [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md)
     * [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
+    * [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
     * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md)
     * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md)
     * [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md)
@@ -110,6 +111,7 @@
     * [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md)
     * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md)
     * [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md)
+    * [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md)
     * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
     * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
   * [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
@@ -118,7 +120,7 @@
     * [GCP - Cloud Build Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md)
     * [GCP - Cloud Functions Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-functions-enum.md)
     * [GCP - Cloud Run Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md)
-    * [GCP - Cloud SQL](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql.md)
+    * [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md)
     * [GCP - Compute Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/README.md)
       * [GCP - Compute Instance](pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md)
       * [GCP - VPC & Networking](pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md)
@@ -146,6 +148,7 @@
     * [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md)
     * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
     * [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
+    * [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
     * [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
     * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md)
       * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md)

pentesting-ci-cd/okta-security/README.md

@@ -64,11 +64,11 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu
 
 With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz:
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted:
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 Heading over to the Okta dashboard, if everything is OK, you’ll be signed in.
 

pentesting-ci-cd/travisci-security/README.md

@@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according
 
 TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
 
-![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
 
 ### Dumping Secrets
 

pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md

@@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
 Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
 {% endhint %}
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 ### Generic KMS Ransomware
 

pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md

@@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec
 
 It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 First, you need to give the external account access over the registry with a **registry policy** like:
 

pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md

@@ -248,7 +248,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu
 
 To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 ## Unauthenticated Access
 

pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md

@@ -46,7 +46,7 @@ The “upgrade” from normal refresh token to primary refresh token is not poss
 
 If there is a policy that requires MFA to sign in, we can instead use the `interactiveauth` module:
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 The resulting refresh token (which is cached in the `.roadtools_auth` file) can be used to request a token for the device registration service, where we can create the device:
 

pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md

@@ -113,7 +113,7 @@ Tokens were written to .roadtools_auth
 
 There’s also other options you can use to specify other resources or the correct redirect URL for the app you are using:
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 ## Selenium based Azure AD authentication <a href="#selenium-based-azure-a-d-authentication" id="selenium-based-azure-a-d-authentication"></a>
 

pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md

@@ -43,7 +43,7 @@ The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync
 
 It's possible to extract the configuration from one of the tables, being one encrypted:
 
-<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD.
 

pentesting-cloud/azure-security/az-services/vms/az-azure-network.md

@@ -213,7 +213,7 @@ az network vnet subnet list --resource-group <ResourceGroupName> --vnet-name <VN
 Microsoft recommends using Private Links in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services#compare-private-endpoints-and-service-endpoints):\
 
 
-<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 **Service Endpoints:**
 

pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md

@@ -70,7 +70,7 @@ Once a connection is generated, you can use it to **link repositories that the G
 
 This option is available through the button:
 
-<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 {% hint style="success" %}
 Note that repositories connected with this method are **only available in Triggers using 2nd generation.**

pentesting-cloud/gcp-security/gcp-basic-information.md

@@ -168,7 +168,7 @@ When an organisation is created several groups are **strongly suggested to be cr
 * No expiration
 * If people is accessing Workspace through a third party provider, these requirements aren't applied.
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 <figure><img src="../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
 

pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md

@@ -0,0 +1,68 @@
+# GCP - Cloud SQL Persistence
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* &#x20;github repos.
+
+</details>
+
+## Cloud SQL
+
+For more information about Cloud SQL check:
+
+{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
+[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
+{% endcontent-ref %}
+
+### Expose the database and whitelist your IP address
+
+A database only accessible from an internal VPC can be exposed externally and your IP address can be whitelisted so you can access it.\
+For more information check the technique in:
+
+{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
+[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
+{% endcontent-ref %}
+
+### Create a new user / Update users password / Get password of a user
+
+To connect to a database you **just need access to the port** exposed by the database and a **username** and **password**. With e**nough privileges** you could **create a new user** or **update** an existing user **password**.\
+Another option would be to **brute force the password of an user** by trying several password or by accessing the **hashed** password of the user inside the database (if possible) and cracking it.\
+Remember that **it's possible to list the users of a database** using GCP API.
+
+{% hint style="info" %}
+You can create/update users using GCP API or from inside the databae if you have enough permissions.
+{% endhint %}
+
+For more information check the technique in:
+
+{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
+[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
+{% endcontent-ref %}
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* &#x20;github repos.
+
+</details>