mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-23 17:58:55 -08:00
translate
This commit is contained in:
Carlos Polop
@@ -247,4 +247,3 @@ gcloud config unset auth/access_token_file
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -232,4 +232,3 @@ As defined by terraform in [https://registry.terraform.io/providers/hashicorp/go
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -155,4 +155,3 @@ jobs:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -146,4 +146,3 @@ roles/bigquery.metadataViewer
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -4,4 +4,3 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ Check how to do this in:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ If yoi could just modify the code of a running version or create a new one yo co
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -44,4 +44,3 @@ https://book.hacktricks.xyz/pentesting-web/dependency-confusion
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ Grant further access over datasets, tables, rows and columns to compromised user
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -21,4 +21,3 @@ For more info about Cloud Functions check:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,4 +27,3 @@ Create a backdoored Service or Job
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -71,4 +71,3 @@ But you can find further information in [https://github.com/FrancescoDiSalesGith
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -39,4 +39,3 @@ For more information check the technique in:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -21,4 +21,3 @@ For more informatoin about Compute and VPC (Networking) check:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -55,4 +55,3 @@ gcloud dataflow $NAME_TEMPLATE run testing \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ gcp-filestore-persistence.md
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ gcloud logging sinks create <sink-name> <destination> --log-filter="FILTER_CONDI
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -106,4 +106,3 @@ Some remediations for these techniques are explained in [https://www.netskope.co
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -24,4 +24,3 @@ An attacker could update the secret to:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -40,4 +40,3 @@ Another exploit script for this method can be found [here](https://github.com/Rh
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -4,4 +4,3 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -45,4 +45,3 @@ Modify source code to steal credentials if they are being sent or perform a defa
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ The Post Exploitation and Privesc techniques of Artifact Registry were mixed in:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -31,4 +31,3 @@ curl -X POST \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -55,7 +55,6 @@ def hello_http(request, last=False, error=""):
|
||||
return "Hello World!"
|
||||
|
||||
|
||||
|
||||
# Attacker code to inject
|
||||
# Code based on the one from https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py
|
||||
|
||||
@@ -130,4 +129,3 @@ def injection():
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -25,4 +25,3 @@ Modify the run image to steal information and redeploy the new version (just upl
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -104,4 +104,3 @@ The instructions were copied from [https://github.com/FrancescoDiSalesGithub/Goo
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -105,4 +105,3 @@ gcloud sql databases delete <db-name> --instance <instance-id>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -122,4 +122,3 @@ If you **cannot give access to a external project** to the snapshot or disk, you
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -102,4 +102,3 @@ gcloud filestore backups create <back-name> \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -31,4 +31,3 @@ This is the **highest level you can assign using the gcloud tool**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -259,4 +259,3 @@ print('Verified:', verified)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -135,4 +135,3 @@ gcloud logging sinks update SINK_NAME --no-use-partitioned-tables
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -116,4 +116,3 @@ gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -142,4 +142,3 @@ gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -24,4 +24,3 @@ gcloud secrets versions access 1 --secret="<secret_name>"
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -60,4 +60,3 @@ gcloud scc findings update `myFinding` --organization=123456 --source=5678 --sta
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -36,4 +36,3 @@ To access open buckets via browser, access the URL `https://<bucket_name>.storag
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ The post exploitation techniques are actually the same ones as the ones shared i
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -76,4 +76,3 @@ gcp-local-privilege-escalation-ssh-pivoting.md
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -80,4 +80,3 @@ Check the following page to learn how to do this, although this action belongs t
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -114,4 +114,3 @@ It might be possible that performing a **Race Condition attack like with the buc
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -175,4 +175,3 @@ It might be possible that performing a **Race Condition attack like with the buc
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -60,4 +60,3 @@ EOD
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -118,4 +118,3 @@ bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `<proj>.<dataset-na
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -28,4 +28,3 @@ gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --displa
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -64,4 +64,3 @@ curl -X GET \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -113,4 +113,3 @@ When a Cloud Function is created a new docker image is pushed to the Artifact Re
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -36,4 +36,3 @@ gcloud identity groups memberships modify-membership-roles --group-email <email>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -119,4 +119,3 @@ gcloud auth activate-service-account --key-file=/tmp/lab.json
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -127,4 +127,3 @@ TODO: Check what is possible to compromise by uploading data
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -150,4 +150,3 @@ Following this link you find some [**ideas to try to bypass access scopes**](../
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -102,4 +102,3 @@ It's possible to broaden the reach of SSH access to multiple Virtual Machines (V
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -93,4 +93,3 @@ For more information [**follow this link**](../../kubernetes-security/abusing-ro
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -31,4 +31,3 @@ This is like the previous abuse but instead of directly creating a new deploymen
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -146,4 +146,3 @@ You can find an example on how to create and OpenID token behalf a service accou
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -90,4 +90,3 @@ Replace `[YOUR_PROJECT_ID]` and `[SERVICE_ACCOUNT_EMAIL]` with your project ID a
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -100,4 +100,3 @@ grep -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,4 +27,3 @@ This permission will usually let you **access or modify a Service Account in som
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -58,4 +58,3 @@ This step authorizes the public key, enabling SSH connection with the correspond
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,4 +27,3 @@ A python script for this method can be found [here](https://github.com/RhinoSecu
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -39,4 +39,3 @@ Give yourself any of the preiovus permissions
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -21,4 +21,3 @@ Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -91,4 +91,3 @@ gcloud beta run jobs execute job-name --region <region> --update-env-vars="PYTHO
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -40,4 +40,3 @@ gcloud secrets add-iam-policy-binding <scret-name> \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -59,4 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -89,4 +89,3 @@ gcloud source project-configs update --remove-topic=UPDATE_TOPIC
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -119,4 +119,3 @@ The mentioned attack can be performed in a lot of different ways, all of them st
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -109,4 +109,3 @@ With this permission instead of `workflows.workflows.create` it's possible to up
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -4,4 +4,3 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -24,4 +24,3 @@ gcloud ai-platform jobs describe <job>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -46,4 +46,3 @@ gcloud services api-keys list --show-deleted
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -119,4 +119,3 @@ gcloud app ssl-certificates describe <name>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -94,4 +94,3 @@ gcloud artifacts docker images list-vulnerabilities projects/<proj-name>/locatio
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -37,4 +37,3 @@ gcloud batch tasks describe projects/<proj-number>/locations/<location>/jobs/<jo
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -231,4 +231,3 @@ SELECT catalog_name, schema_name, NULL FROM <project-name>.INFORMATION_SCHEMA.SC
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -34,4 +34,3 @@ gcloud bigtable app-profiles describe --instance <INSTANCE> <app-prof>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -173,4 +173,3 @@ done
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -110,4 +110,3 @@ In the following page, you can check how to **abuse cloud function permissions t
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -113,4 +113,3 @@ In the following page, you can check how to **abuse cloud run permissions to esc
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -48,4 +48,3 @@ gcloud scheduler jobs describe --location us-central1 <scheduler-name>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -30,4 +30,3 @@ Note that Cloud Shell can be **easily disabled** for the organization.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -91,4 +91,3 @@ gcloud sql backups describe <backup-name> --instance <intance-name>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -45,4 +45,3 @@ In the following page you can check how to **abuse composer permissions to escal
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -233,4 +233,3 @@ Check the Compute Instances privilege escalation section.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -105,4 +105,3 @@ A Google-managed encryption key is used by default a but a Customer-managed encr
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -87,4 +87,3 @@ These are the needed permissions:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -106,4 +106,3 @@ Even if the API **doesn't allow to modify resources**, it could be possible to f
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,4 +27,3 @@ gcloud dns policies list
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -76,4 +76,3 @@ There aren't ways to escalate privileges in GCP directly abusing this service, b
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -79,4 +79,3 @@ You may be able to access some interesting information
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,4 +19,3 @@ gcloud firestore export gs://my-source-project-export/export-20190113_2109 --col
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -228,4 +228,3 @@ In the following page you can check how to **abuse org policies permissions to e
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -84,4 +84,3 @@ gcloud kms decrypt --ciphertext-file=[INFILE] \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -148,4 +148,3 @@ There aren't logs of **`testIamPermissions`**:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-inst
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -59,4 +59,3 @@ gcloud alpha monitoring channels describe <channel>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -96,4 +96,3 @@ gcloud pubsub lite-operations describe <topic>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -55,4 +55,3 @@ An attacker could update the secret to **stop rotations** (so it won't be modifi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -94,4 +94,3 @@ gcp-secrets-manager-enum.md
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user