From f23a3b99debc854072a8d8838658427619f76508 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 17 Feb 2022 18:17:32 +0000 Subject: [PATCH] GitBook: [#3017] No subject --- SUMMARY.md | 2 +- .../{gcp-security => }/workspace-security.md | 27 ++++++++++++++++--- 2 files changed, 25 insertions(+), 4 deletions(-) rename cloud-security/{gcp-security => }/workspace-security.md (82%) diff --git a/SUMMARY.md b/SUMMARY.md index c000a5589..01b472807 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -510,7 +510,7 @@ * [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md) * [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md) * [GCP - Persistance](cloud-security/gcp-security/gcp-persistance.md) - * [Workspace Security](cloud-security/gcp-security/workspace-security.md) +* [Workspace Security](cloud-security/workspace-security.md) * [Github Security](cloud-security/github-security/README.md) * [Basic Github Information](cloud-security/github-security/basic-github-information.md) * [Kubernetes Security](pentesting/pentesting-kubernetes/README.md) diff --git a/cloud-security/gcp-security/workspace-security.md b/cloud-security/workspace-security.md similarity index 82% rename from cloud-security/gcp-security/workspace-security.md rename to cloud-security/workspace-security.md index c25299d74..6f60e4de8 100644 --- a/cloud-security/gcp-security/workspace-security.md +++ b/cloud-security/workspace-security.md 
@@ -1,10 +1,26 @@ # Workspace Security -## Google Groups Privesc +## Password Spraying + +In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you can use a tool like [https://github.com/ustayready/CredKing](https://github.com/ustayready/CredKing) who will use AWS lambdas to change IP address. + +## Google Groups Abuse + +### Privesc By default in workspace a **group** can be **freely accessed** by any member of the organization.\ Workspace also allow to **grant permission to groups** (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may **abuse that path to escalate privileges**. +You potentially need access to the console to join groups that allow to be joined by anyone in the org. + +### Invite to groups + +Apparently by default you **can create groups and invite people to them**. You can then modify the email that will be sent to the user **adding some links** and the **email will come from google**, so it will looks **legit**. + +## Hangout Phishing + +You can modify an email account maybe naming it "Google Security" and adding some Google logos, and then send an invitation to talk to someone and they will think they are talking to google: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s) + ## Oauth Apps **Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP... @@ -50,11 +66,11 @@ If someone creates a **copy** of that **document** that **contained the App Scri This method will be able to bypass also the Workspace admin restriction: -![](<../../.gitbook/assets/image (662).png>) +![](<../.gitbook/assets/image (662).png>) But can be prevented with: -![](<../../.gitbook/assets/image (632).png>) +![](<../.gitbook/assets/image (632).png>) ### Shared Document Unverified Prompt Bypass 
@@ -73,6 +89,11 @@ This also means that if an **App Script already existed** and people has **grant ## Post-Exploitation +### Privesc to GCP + +* Abusing the **google groups privesc** you might be able to escalate to a group with some kind of privileged access to GCP +* Abusing **OAuth applications** you might be able to impersonate users and access to GCP on their behalf + ### Google Drive When **sharing** a document yo can **specify** the **people** that can access it one by one, **share** it with your **entire company** (**or** with some specific **groups**) by **generating a link**.
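Review bot: the replacement line in the SUMMARY.md hunk drops one level of indentation (`-  * [Workspace Security](cloud-security/gcp-security/workspace-security.md)` becomes top-level `+* [Workspace Security](cloud-security/workspace-security.md)`), which promotes the page from a GCP sub-entry to a sibling of `Github Security` and `Kubernetes Security` in the table of contents. That is consistent with the rename out of `cloud-security/gcp-security/`, but the surrounding GCP entries keep their nesting, so confirm the page is meant to leave the GCP section in the navigation and not only move on disk; otherwise keep the two-space indent and change only the path.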
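Review bot: the added prose in the `@@ -1,10 +1,26 @@` hunk has several grammar slips that should be fixed before merge: "based in a email name pattern you might have discover" should read "based on an email name pattern you might have discovered", "a tool like ... who will use AWS lambdas" should be "which uses AWS Lambdas", "Workspace also allow" should be "allows", and "so it will looks legit" should be "so it will look legit". The new Hangout link target keeps a backslash before the ampersand (`...KTVHLolz6cE\&t=904s`) inside the parentheses of the markdown link, so check that GitBook does not render the backslash into the href. On content, the new `### Privesc` subsection states that groups are freely accessible by default and that console access may be needed to join them, but unlike the App Script section later in the file it gives no "can be prevented with" counterpart; add the admin-side group membership restriction next to the default so the page documents the control as well as the path.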
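Review bot: the two image path edits in the `@@ -50,11 +66,11 @@` hunk correctly drop one `../` to match the move from `cloud-security/gcp-security/` to `cloud-security/`, but both images still carry empty alt text (`![](<../.gitbook/assets/image (662).png>)` and `![](<../.gitbook/assets/image (632).png>)`). Since the surrounding text relies on these screenshots to show the Workspace admin restriction and the setting that prevents the bypass, put a short description in the square brackets so the control is readable when the image does not load.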
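Review bot: the new `### Privesc to GCP` bullets in the `@@ -73,6 +89,11 @@` hunk only restate the two paths from earlier sections (group privesc and OAuth applications) without the corresponding audit points; a line on which group memberships and OAuth app grants an administrator should review would make the Post-Exploitation section useful on the defensive side as well. The unchanged context line just below the hunk still has the typo "When **sharing** a document yo can" (should be "you can"); worth fixing while this file is being touched.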