
It's All in the Cloud - Red Teaming GCP (Google Cloud Platform)

TweekFawkes
February 22, 2019

Initial research on Red Teaming GCP (Google Cloud Platform) presented at BSidesSLC on Feb. 22nd 2019.


Transcript

  1. It's All in the Cloud: Red Teaming GCP (Google Cloud Platform). Stage 2 Security, Version 1.0. Copyright 2019 by Stage 2 Security.
  2. Agenda (Bryce Kunz, @TweekFawkes): Who Am I? - GCP Overview - Compute Engine - Storage - Kubernetes (K8s) - Persistence
  3. WhoAmI - Past: Defense: DHS SOC. Offense: NSA Red Team. Adobe Digital Exp. (DX).
  4. WhoAmI - The Present: Services: Test, Teach, Hunt
  5. WhoAmI - The Present
  6. GCP: Cloud Overview
  7. GCP: Management UI. Web Management Console -> https://Console.Cloud.Google.com
  8. Management UI [diagram: Cloud Admin, Management UI, Control Plane (APIs), Data Plane]
  9. Control Plane (APIs) [diagram: Cloud Admin, Management UI, Control Plane (APIs), Data Plane; Ext Cloud Automation - Terraform - Salt Cloud - Custom]
  10. Data Plane [diagram: Cloud Admin, Management UI, Control Plane (APIs), Data Plane; Ext Cloud Automation - Terraform - Salt Cloud - Custom; USERS]
  11. Compute Engine Overview
  12. Server Side Request Forgery (SSRF) [diagram: Internet, Data Center Firewall, Web App, Database, Monitoring 10.1.1.1, Images 10.1.1.2; request: GET /app?img=b.jpg]
  13. Server Side Request Forgery (SSRF) [diagram: Internet, Data Center Firewall, Web App, Database, Monitoring 10.1.1.1, Images; request: GET /?img=http://10.1.1.1/...]
  14. GCP: Server Side Request Forgery (SSRF) [diagram: Internet, GCP Firewall, Instance, Web App, Database, Images, metadata.google.internal 169.254.169.254; request: GET /?img=http://metadata/..]
  15-16. GCP: Metadata Service [same diagram as slide 14]
  17-18. GCP: Metadata Service HTTP Header [same diagram as slide 14]
  19. GCP: v1beta1 ? [same diagram as slide 14]
  20. GCP: v1beta1 ! [same diagram as slide 14]
  21-25. GCP: SSRF Demo. Steps on macOS:
     • curl http://34.73.197.205/
     • View Source
       ◦ /extimage?p=http%3A...%2Fsalamander.jpg
     • curl http://34.73.197.205/extimage?p=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token ...
  26. GCP: Validate User Tokens. https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ACCESS_TOKEN ...
  27. GCP: Default Access ...
  28. GCP: Management UI. Web Management Console -> https://Console.Cloud.Google.com
  29-30. GCP: Compute Engine Identity and API Access
  31. GCP: Full Access ...
  32. Storage Overview
  33-34. 2017: May-Oct
     1. "Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket"
     2. "Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data"
     3. "US voter info stored on wide-open cloud box, thanks to bungling Republican contractor"
     4. "Researcher discovers classified Army intel app, data on open public AWS bucket"
     5. "Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak"
     6. "Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository"
     7. "Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error."
     etc...
  35. GCP: Storage. Public Buckets... ...
  36. GCP: Accessing Objects. https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg
     • storage.googleapis.com -> GCP
     • its_all_in_the_cloud -> Globally Unique Bucket Name
     • object001.jpg -> Object Name ...
  37. GCP: Listable Buckets ...
  38. GoBuster - Finding Buckets & Objects. https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg
     gobuster -m dir -u "https://storage.googleapis.com" -i -t 100 -e -s 200,204 -w quickdir.txt
  39. Kubernetes (K8s) Overview
  40. Tesla K8s hacked! Unsecure Admin Console... ...
  41. Kubernetes Overview. Overview: • Pod contains 1 or more containers ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  42. GCP: SSRF Demo. Steps on macOS:
     • curl http://34.73.197.205/
     • View Source
       ◦ /extimage?p=http%3A...%2Fsalamander.jpg
     • curl http://34.73.197.205/extimage?p=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token ...
  43. Kubernetes Overview. Overview: • Pod contains 1 or more containers ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  44. Voodoo: /bin/cat /proc/1/cgroup ...
  45. Voodoo: ls / ...
  46. Voodoo: pid 1 is not init or launchd ...
  47. Default Service Account. Find secrets: • /var/run/secrets/kubernetes.io/serviceaccount/token ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  48. Voodoo: Python via Memory Only. Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...
  49. Voodoo: Python via Memory Only. Overview: • Pod contains 1 or more containers ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  50. Voodoo: pyscript. Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...
  51. Container Escapes. Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...
  52. Voodoo: pyscript to access_token via metadata. Overview: • Pod contains 1 or more containers ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl; metadata.google.internal 169.254.169.254]
  53. Voodoo: pyscript to access_token via metadata. Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...
  54. Container Escapes. Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc • CVE-2016-5195 -> Dirty Cow ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  55. Kubernetes API. Kubernetes API Vulnerabilities: • CVE-2018-1002105 -> kubernetes: authentication/authorization bypass ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  56. Docker: 2375/TCP (no auth.), 2376/TCP (TLS). Lateral Movement: • EDB-ID: 42356 -> Unprotected TCP Socket ... [K8s diagram: Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  57. Persistence Overview
  58. Client-Side Vectors: • Remote Mac Exploitation Via Custom URL Schemes. Ref: https://objective-see.com/blog/blog_0x38.html
  59. Browser Cookies. Client-Side: • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes. GCP Ref: https://wunderwuzzi23.github.io/blog/passthecookie.html
  60. Cloud Shell. Client-Side: • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes. GCP ...
  61. Cloud Shell: .bashrc modification • ...
  62. Cloud Shell -> .bashrc -> Voodoo • ...
  63. Cloud Shell -> .bashrc -> Voodoo -> Private Key • ...
  64. Trainings @ BlackHat & On-Site! Thank You! Bryce@Stage2Sec.com
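
The SSRF slides (12-25) show an image-fetch parameter being pointed at internal addresses and at the GCP metadata service. The following is an added example, not code from the talk or from Stage 2 Security: a destination check for such a fetch endpoint that refuses metadata host names and any non-public address. The function names, the `example.com` hosts and the DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_NAMES = {"metadata", "metadata.google.internal"}
# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "images.example.com": {"8.8.8.8"},
    "intranet.example.com": {"10.1.1.1"},
    "mixed.example.com": {"8.8.8.8", "169.254.169.254"},
}

def system_resolver(host):
    """Every address the host name resolves to, via the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def sample_resolver(host):
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]

def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied image URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    if host in METADATA_NAMES:
        return False, "metadata host name"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:  # private, loopback, link-local (169.254/16), ...
            return False, f"{ip} is not a public address"
    return True, "ok"
```

The check only holds if the fetch then connects to the address that was validated and re-runs the check on every redirect; resolving again at connect time reopens the hole.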