From 84ac274f973a0ee418e1ffed5fbd212ad6101c5d Mon Sep 17 00:00:00 2001 From: Raphael <25335191+rek7@users.noreply.github.com> Date: Thu, 11 Aug 2022 00:07:46 -0700 Subject: [PATCH] Update gcp-local-privilege-escalation-ssh-pivoting.md --- ...local-privilege-escalation-ssh-pivoting.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md index 05ee585b3..2104ee8ac 100644 --- a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md 
@@ -21,6 +21,29 @@ in this scenario we are going to suppose that you **have compromised a non privi Amazingly, GPC permissions of the compute engine you have compromised may help you to **escalate privileges locally inside a machine**. Even if that won't always be very helpful in a cloud environment, it's good to know it's possible. +# OS Patching +Depending on the privileges associated with the service account you have access to, if it has either the `osconfig.patchDeployments.create` or `osconfig.patchJobs.exec` permissions you can create a [patch job or deployment](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching). This will enable you to move laterally in the environment and gain code execution on all the compute instances within a project. + +First check all the roles the account has: + +`gcloud iam roles list` + +Now check the permissions offered by the role, if it has access to either the patch deployment or job continue. + +`gcloud iam roles describe roles/ | grep -E '(osconfig.patchDeployments.create|osconfig.patchJobs.exec)'` + + +If you want to manually exploit this you will need to create either a [patch job](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch_job.json) or [deployment](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch_deployment.json) for a patch job run: + +`gcloud compute os-config patch-jobs execute --file=patch.json` + + +To deploy a patch deployment: + +`gcloud compute os-config patch-deployments create my-update --file=patch.json` + +Automated tooling such as [patchy](https://github.com/rek7/patchy) exists to detect lax permissions and automatically move laterally. + # Read the scripts **Compute Instances** are probably there to **execute some scripts** to perform actions with their service accounts.
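Review bot: The two enumeration commands added in this hunk don't establish what the text says they do, so a reader following them will not find out whether the compromised account actually holds the OS Config permissions. `gcloud iam roles list` prints the predefined roles that exist (or, with `--project`, a project's custom roles), not the roles bound to the service account you are running as, and `gcloud iam roles describe roles/ | grep -E '(osconfig.patchDeployments.create|osconfig.patchJobs.exec)'` is cut off after `roles/`, so it errors out as written. Suggest first listing the account's bindings, e.g. `gcloud projects get-iam-policy PROJECT --flatten='bindings[].members' --filter='bindings.members:SA_EMAIL' --format='value(bindings.role)'`, then running `gcloud iam roles describe ROLE` for each role returned (custom roles need `--project`) and grepping that output for the two `osconfig.*` permissions. It would also be worth qualifying "gain code execution on all the compute instances within a project": a patch job only runs on instances that have the OS Config agent installed and the OS Config API enabled, so the actual reach depends on which VMs are enrolled, and the `--file=patch.json` invocations assume the JSON body (instance filter, pre/post patch steps) has already been written along the lines of the linked `patch_job.json`/`patch_deployment.json`, which the text should say explicitly. Minor: the unchanged context line still has the `GPC permissions` typo, which this edit could have fixed in passing.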