Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3017] No subject

Browse source
This commit is contained in:
CPol 2022-02-17 18:17:32 +00:00 committed by gitbook-bot
parent a80d89f12c
commit f23a3b99de
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 25 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
SUMMARY.md
View file

@ -510,7 +510,7 @@
* [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md)
* [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
* [GCP - Persistance](cloud-security/gcp-security/gcp-persistance.md)
* [Workspace Security](cloud-security/gcp-security/workspace-security.md)
* [Workspace Security](cloud-security/workspace-security.md)
* [Github Security](cloud-security/github-security/README.md)
* [Basic Github Information](cloud-security/github-security/basic-github-information.md)
* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)

27
cloud-security/gcp-security/workspace-security.md → cloud-security/workspace-security.md
View file

@ -1,10 +1,26 @@
# Workspace Security
## Google Groups Privesc
## Password Spraying
In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you can use a tool like [https://github.com/ustayready/CredKing](https://github.com/ustayready/CredKing) who will use AWS lambdas to change IP address.
## Google Groups Abuse
### Privesc
By default in workspace a **group** can be **freely accessed** by any member of the organization.\
Workspace also allow to **grant permission to groups** (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may **abuse that path to escalate privileges**.
You potentially need access to the console to join groups that allow to be joined by anyone in the org.
### Invite to groups
Apparently by default you **can create groups and invite people to them**. You can then modify the email that will be sent to the user **adding some links** and the **email will come from google**, so it will looks **legit**.
## Hangout Phishing
You can modify an email account maybe naming it "Google Security" and adding some Google logos, and then send an invitation to talk to someone and they will think they are talking to google: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s) 
## Oauth Apps
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
@ -50,11 +66,11 @@ If someone creates a **copy** of that **document** that **contained the App Scri
This method will be able to bypass also the Workspace admin restriction:
![](<../../.gitbook/assets/image (662).png>)
![](<../.gitbook/assets/image (662).png>)
But can be prevented with:
![](<../../.gitbook/assets/image (632).png>)
![](<../.gitbook/assets/image (632).png>)
### Shared Document Unverified Prompt Bypass
@ -73,6 +89,11 @@ This also means that if an **App Script already existed** and people has **grant
## Post-Exploitation
### Privesc to GCP
* Abusing the **google groups privesc** you might be able to escalate to a group with some kind of privileged access to GCP
* Abusing **OAuth applications** you might be able to impersonate users and access to GCP on their behalf
### Google Drive
When **sharing** a document yo can **specify** the **people** that can access it one by one, **share** it with your **entire company** (**or** with some specific **groups**) by **generating a link**.