dxa4481 / gcploit

These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok
GNU General Public License v3.0

FEATURE REQUEST: Enable cloud build and dataproc APIs #6

Open danthegoodman1 opened 4 years ago

danthegoodman1 commented 4 years ago

Function deployments require the Cloud Build API to be enabled. If possible, part of the steps in actas should be to make sure the API is enabled. Additionally, with Dataproc, it should try to enable the Dataproc API if possible.

I may be able to dig in and understand the codebase to make a PR later on, but wanted to suggest it regardless!

dxa4481 commented 4 years ago

Yup, this is a good callout. Believe it or not, cloudbuild is actually a new requirement. The projects I tested on didn't have Cloud Build enabled, but yesterday the error started getting thrown. I think it may also lead to a second privilege escalation that's worth taking a look at, since in the build steps of cloudbuild you have access to the Cloud Build Google-managed service account, which has elevated permissions. We covered this in our BSides talk: https://youtu.be/z5hPU3g2aZ8?t=1319
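For defenders reviewing the exposure raised in the comment above, this added example (not part of the thread or of gcploit) audits a project IAM policy for roles granted to the Cloud Build service account beyond its default role, and for principals who can submit builds. The sample policy, project number and member names are constructed, and the role list is a non-exhaustive assumption.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# The project number, project ID and member names are made up for illustration.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/cloudbuild.builds.editor",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
  ]
}
""")

CLOUDBUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"
DEFAULT_SA_ROLE = "roles/cloudbuild.builds.builder"
# Predefined roles that allow creating builds (non-exhaustive assumption).
# Custom roles and IAM conditions are not resolved here; review them separately.
BUILD_SUBMIT_ROLES = {"roles/owner", "roles/editor", "roles/cloudbuild.builds.editor"}


def audit_cloudbuild(policy):
    """Return (extra roles held by the Cloud Build SA, principals able to submit builds)."""
    extra_sa_roles = {}
    submitters = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            is_cb_sa = (member.startswith("serviceAccount:")
                        and member.endswith(CLOUDBUILD_SA_SUFFIX))
            if is_cb_sa and role != DEFAULT_SA_ROLE:
                extra_sa_roles.setdefault(member, set()).add(role)
            if role in BUILD_SUBMIT_ROLES and not is_cb_sa:
                submitters.setdefault(member, set()).add(role)
    return extra_sa_roles, submitters


if __name__ == "__main__":
    extra, submitters = audit_cloudbuild(SAMPLE_POLICY)
    for sa, roles in sorted(extra.items()):
        print(f"[!] {sa} holds roles beyond the default: {sorted(roles)}")
    for member, roles in sorted(submitters.items()):
        print(f"[i] {member} can submit builds via {sorted(roles)}")
```

Any principal in the second result effectively inherits whatever the first result lists, so trimming extra grants on the Cloud Build service account shrinks both.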

danthegoodman1 commented 4 years ago

Yeah, there are also a bunch of other priv. esc. techniques that can also be used for lateral movement. Check this list of them: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

I've tested using their scripts with the tokens pulled from gcploit's sqlite3 DB and it works well. I might make some PRs soon adding some of these in!

dxa4481 commented 4 years ago

It would be nice if gcploit got support for fetching Google-managed service account creds. Maybe I'll add it as a wish to the README.