mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 00:20:59 +00:00
Update gcp-local-privilege-escalation-ssh-pivoting.md
parent
d275caa932
commit
84ac274f97
1 changed files with 23 additions and 0 deletions
|
@ -21,6 +21,29 @@ in this scenario we are going to suppose that you **have compromised a non privi
|
|||
|
||||
Amazingly, GPC permissions of the compute engine you have compromised may help you to **escalate privileges locally inside a machine**. Even if that won't always be very helpful in a cloud environment, it's good to know it's possible.
|
||||
|
||||
# OS Patching
|
||||
Depending on the privileges associated with the service account you have access to, if it has either the `osconfig.patchDeployments.create` or `osconfig.patchJobs.exec` permissions you can create a [patch job or deployment](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching). This will enable you to move laterally in the environment and gain code execution on all the compute instances within a project.
|
||||
|
||||
First check all the roles the account has:
|
||||
|
||||
`gcloud iam roles list`
|
||||
|
||||
Now check the permissions offered by the role, if it has access to either the patch deployment or job continue.
|
||||
|
||||
`gcloud iam roles describe roles/<role name> | grep -E '(osconfig.patchDeployments.create|osconfig.patchJobs.exec)'`
|
||||
|
||||
|
||||
If you want to manually exploit this you will need to create either a [patch job](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch_job.json) or [deployment](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch_deployment.json) for a patch job run:
|
||||
|
||||
`gcloud compute os-config patch-jobs execute --file=patch.json`
|
||||
|
||||
|
||||
To deploy a patch deployment:
|
||||
|
||||
`gcloud compute os-config patch-deployments create my-update --file=patch.json`
|
||||
|
||||
Automated tooling such as [patchy](https://github.com/rek7/patchy) exists to detect lax permissions and automatically move laterally.
|
||||
|
||||
# Read the scripts <a href="#follow-the-scripts" id="follow-the-scripts"></a>
|
||||
|
||||
**Compute Instances** are probably there to **execute some scripts** to perform actions with their service accounts.
|
||||
|
|
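Review bot: the first step says "First check all the roles the account has", but the command given under it, `gcloud iam roles list`, lists role definitions and does not show which roles are bound to the service account. Either reword the step to say it lists available roles, or replace it with a lookup of the IAM policy bindings for that service account, so that the following `gcloud iam roles describe roles/<role name>` step has a concrete role name to work from. In the same block, the `grep -E` pattern leaves the dots in `osconfig.patchDeployments.create|osconfig.patchJobs.exec` unescaped, so they match any character; escape them or use `grep -F` with two `-e` patterns. The sentence ending "or deployment for a patch job run:" runs two instructions together and should be split so that "For a patch job, run:" parallels "To deploy a patch deployment:". The four commands would also read better as fenced blocks than as inline code. Finally, the section documents the two permissions only from the attacking side; a closing line for defenders on restricting `osconfig.patchDeployments.create` and `osconfig.patchJobs.exec` to dedicated patching accounts would make it more complete.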