mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
GitBook: [#3017] No subject
This commit is contained in:
parent
a80d89f12c
commit
f23a3b99de
2 changed files with 25 additions and 4 deletions
|
@ -510,7 +510,7 @@
|
||||||
* [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md)
|
* [GCP - Buckets Enumeration](cloud-security/gcp-security/gcp-buckets-enumeration.md)
|
||||||
* [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
|
* [GCP - Local Privilege Escalation / SSH Pivoting](cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md)
|
||||||
* [GCP - Persistance](cloud-security/gcp-security/gcp-persistance.md)
|
* [GCP - Persistance](cloud-security/gcp-security/gcp-persistance.md)
|
||||||
* [Workspace Security](cloud-security/gcp-security/workspace-security.md)
|
* [Workspace Security](cloud-security/workspace-security.md)
|
||||||
* [Github Security](cloud-security/github-security/README.md)
|
* [Github Security](cloud-security/github-security/README.md)
|
||||||
* [Basic Github Information](cloud-security/github-security/basic-github-information.md)
|
* [Basic Github Information](cloud-security/github-security/basic-github-information.md)
|
||||||
* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
|
* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
|
||||||
|
|
|
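Review bot: the Workspace Security entry now points to cloud-security/workspace-security.md instead of cloud-security/gcp-security/workspace-security.md, so any page that still links to the old gcp-security path (the other GCP entries in this block are unchanged) needs a matching update or that link will break; also the neighbouring "GCP - Persistance" entry carries a typo, but since the filename gcp-persistance.md spells it the same way, fixing it would have to rename the file and this link together.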
@ -1,10 +1,26 @@
|
||||||
# Workspace Security
|
# Workspace Security
|
||||||
|
|
||||||
## Google Groups Privesc
|
## Password Spraying
|
||||||
|
|
||||||
|
In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you can use a tool like [https://github.com/ustayready/CredKing](https://github.com/ustayready/CredKing) who will use AWS lambdas to change IP address.
|
||||||
|
|
||||||
|
## Google Groups Abuse
|
||||||
|
|
||||||
|
### Privesc
|
||||||
|
|
||||||
By default in workspace a **group** can be **freely accessed** by any member of the organization.\
|
By default in workspace a **group** can be **freely accessed** by any member of the organization.\
|
||||||
Workspace also allow to **grant permission to groups** (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may **abuse that path to escalate privileges**.
|
Workspace also allow to **grant permission to groups** (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may **abuse that path to escalate privileges**.
|
||||||
|
|
||||||
|
You potentially need access to the console to join groups that allow to be joined by anyone in the org.
|
||||||
|
|
||||||
|
### Invite to groups
|
||||||
|
|
||||||
|
Apparently by default you **can create groups and invite people to them**. You can then modify the email that will be sent to the user **adding some links** and the **email will come from google**, so it will looks **legit**.
|
||||||
|
|
||||||
|
## Hangout Phishing
|
||||||
|
|
||||||
|
You can modify an email account maybe naming it "Google Security" and adding some Google logos, and then send an invitation to talk to someone and they will think they are talking to google: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s) 
|
||||||
|
|
||||||
## Oauth Apps
|
## Oauth Apps
|
||||||
|
|
||||||
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
|
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
|
||||||
|
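Review bot: the added Password Spraying paragraph has grammar issues that should be fixed before merge: "based in a email name pattern you might have discover" should read "based on an email name pattern you might have discovered", and "who will use AWS lambdas" should be "which uses AWS Lambda functions"; in the Invite to groups section, "it will looks legit" should be "it will look legit", and the "Apparently by default" opener hedges the claim, so it would be better to name the Google Groups setting that governs group creation and invitations (or drop the hedge once verified). The unchanged context line "Workspace also allow to grant permission to groups" would also read better as "Workspace also allows granting permissions to groups", and the Hangout Phishing link keeps a `\&` inside the URL target, which is worth confirming renders as a plain & in GitBook.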
@ -50,11 +66,11 @@ If someone creates a **copy** of that **document** that **contained the App Scri
|
||||||
|
|
||||||
This method will be able to bypass also the Workspace admin restriction:
|
This method will be able to bypass also the Workspace admin restriction:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (662).png>)
|
![](<../.gitbook/assets/image (662).png>)
|
||||||
|
|
||||||
But can be prevented with:
|
But can be prevented with:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (632).png>)
|
![](<../.gitbook/assets/image (632).png>)
|
||||||
|
|
||||||
### Shared Document Unverified Prompt Bypass
|
### Shared Document Unverified Prompt Bypass
|
||||||
|
|
||||||
|
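Review bot: both image references drop one `../` level, which matches the move of workspace-security.md from cloud-security/gcp-security/ up to cloud-security/; check that every other relative link or image in the file got the same treatment, since this hunk only shows these two and any reference left at the old depth will break without an error at build time. The unchanged line "This method will be able to bypass also the Workspace admin restriction:" could also be tightened to "This method also bypasses the Workspace admin restriction:".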
@ -73,6 +89,11 @@ This also means that if an **App Script already existed** and people has **grant
|
||||||
|
|
||||||
## Post-Exploitation
|
## Post-Exploitation
|
||||||
|
|
||||||
|
### Privesc to GCP
|
||||||
|
|
||||||
|
* Abusing the **google groups privesc** you might be able to escalate to a group with some kind of privileged access to GCP
|
||||||
|
* Abusing **OAuth applications** you might be able to impersonate users and access to GCP on their behalf
|
||||||
|
|
||||||
### Google Drive
|
### Google Drive
|
||||||
|
|
||||||
When **sharing** a document yo can **specify** the **people** that can access it one by one, **share** it with your **entire company** (**or** with some specific **groups**) by **generating a link**.
|
When **sharing** a document yo can **specify** the **people** that can access it one by one, **share** it with your **entire company** (**or** with some specific **groups**) by **generating a link**.
|
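Review bot: in the new Privesc to GCP bullets, "access to GCP on their behalf" should be "access GCP on their behalf", and the first bullet refers to the "google groups privesc" while this same commit renamed that section to "Google Groups Abuse" with a "Privesc" subsection, so the wording (ideally a link to that heading) should match. The unchanged Google Drive line has a typo, "yo can" for "you can".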