It's All in the Cloud - Red Teaming GCP (Google Cloud Platform)

Stage 2 Security Version 1.0 Copyright 2019 by Stage 2
Security It's All in the Cloud Red Teaming GCP (Google Cloud Platform)

Copyright 2019 by Stage 2 Security Stage 2 Security Agenda
Bryce Kunz @TweekFawkes - Who Am I? - GCP Overview - Compute Engine - Storage - Kubernetes (K8s) - Persistence

Copyright 2019 by Stage 2 Security Stage 2 Security Past
WhoAmI Defense DHS SOC Offense NSA Red Team Adobe Digital Exp. (DX)

Copyright 2019 by Stage 2 Security Stage 2 Security WhoAmI
- The Present Services Test Teach Hunt

Copyright 2019 by Stage 2 Security Stage 2 Security WhoAmI
- The Present

Copyright 2019 by Stage 2 Security Stage 2 Security GCP:
Cloud Overview Overview

Management UI Web Management Console -> https://Console.Cloud.Google.com

Copyright 2019 by Stage 2 Security Stage 2 Security Management
UI Control Plane (APIs) Data Plane Management UI Cloud Admin

Copyright 2019 by Stage 2 Security Stage 2 Security Control
Plane (APIs) Control Plane (APIs) Data Plane Management UI Cloud Admin Ext Cloud Automation - Terraform - Salt Cloud - Custom

Copyright 2019 by Stage 2 Security Stage 2 Security Data
Plane Control Plane (APIs) Data Plane Management UI Cloud Admin Ext Cloud Automation - Terraform - Salt Cloud - Custom USERS

Copyright 2019 by Stage 2 Security Stage 2 Security Compute
Engine Overview

Copyright 2019 by Stage 2 Security Stage 2 Security Data
Center Firewall Server Side Request Forgery (SSRF) ... Web App Database Monitoring 10.1.1.1 Images 10.1.1.2 Internet 1 GET /app?img=b.jpg 2 3 4

Copyright 2019 by Stage 2 Security Stage 2 Security Server
Side Request Forgery (SSRF) ... Web App Database Monitoring 10.1.1.1 Images Internet Data Center Firewall 1 GET /?img=http://10.1.1.1/... 2 3 4 0

Server Side Request Forgery (SSRF) ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

Metadata Service ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

Metadata Service HTTP Header ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

v1beta1 ? ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

v1beta1 ! ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

SSRF Demo Steps on macOS: • curl http://34.73.197.205/ • View Source ◦ /extimage?p=http%3A...%2Fsalamander.jpg curl http://34.73.197.205/extimage?p=http://metadata.google.internal/compute Metadata/v1beta1/instance/service-accounts/default/token ...

Validate User Tokens https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ACCESS_T OKEN ...

Default Access ...

Management UI Web Management Console -> https://Console.Cloud.Google.com

Compute Engine Identity and API Access

Full Access ...

Copyright 2019 by Stage 2 Security Stage 2 Security Storage
Overview

Copyright 2019 by Stage 2 Security Stage 2 Security 2017:
May-Oct 1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket” 2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data” 3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor” 4. “Researcher discovers classified Army intel app, data on open public AWS bucket” 5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak” 6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository” 7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.” etc...

Storage Public Buckets... ...

Accessing Objects https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg storage.googleapis.com -> GCP its_all_in_the_cloud -> Globally Unique Bucket Name object001.jpg -> Object Name ...

Listable Buckets ...

Copyright 2019 by Stage 2 Security Stage 2 Security GoBuster
- Finding Buckets & Objects https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg gobuster -m dir -u “https://storage.googleapis.com” -i -t 100 -e -s 200,204 -w quickdir.txt

Copyright 2019 by Stage 2 Security Stage 2 Security Kubernetes
(K8s) Overview

Copyright 2019 by Stage 2 Security Stage 2 Security Telsa
K8s hacked! Unsecure Admin Console... ...

Overview Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

SSRF Demo Steps on macOS: • curl http://34.73.197.205/ • View Source ◦ /extimage?p=http%3A...%2Fsalamander.jpg curl http://34.73.197.205/extimage?p=http://metadata.google.internal/compute Metadata/v1beta1/instance/service-accounts/default/token ...

Overview Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

Copyright 2019 by Stage 2 Security Stage 2 Security Voodoo:
/bin/cat /proc/1/cgroup ...

ls / ...

pid 1 is not init or launchd ...

Copyright 2019 by Stage 2 Security Stage 2 Security Default
Service Account Find secrets: • /var/run/secrets/kuberenetes.io/serviceaccount/token ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

Python via Memory Only Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...

Python via Memory Only Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

pyscript Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...

Copyright 2019 by Stage 2 Security Stage 2 Security Container
Escapes Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...

pyscript to access_token via metadata Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl metadata.google.internal 169.254.169.254

pyscript to access_token via metadata Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...

Copyright 2019 by Stage 2 Security Stage 2 Security Container
Escapes Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc • CVE-2016-5195 -> Dirty Cow ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

API Kubernetes API Vulnerabilities: • CVE-2018-1002105 -> kubernetes: authentication/authorization bypass ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

Copyright 2019 by Stage 2 Security Stage 2 Security Docker:
2375/TCP (no auth.), 2376/TCP (TLS) Lateral Movement: • EDB-ID: 42356 -> Unprotected TCP Socket ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

Copyright 2019 by Stage 2 Security Stage 2 Security Client-Side
Vectors: • Remote Mac Exploitation Via Custom URL Schemes Ref: https://objective-see.com/blog/blog_0x38.html

Copyright 2019 by Stage 2 Security Stage 2 Security Browser
Cookies Client-Side: • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes GCP Ref: https://wunderwuzzi23.github.io/blog/passthecookie.html

Copyright 2019 by Stage 2 Security Stage 2 Security Cloud
Shell Client-Side: • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes GCP ...

Shell: .bashrc modification • ...

Shell -> .bashrc -> Voodoo • ...

Shell -> .bashrc -> Voodoo -> Private Key • ...

Copyright 2019 by Stage 2 Security Stage 2 Security Trainings
@ BlackHat & On-Site! Thank You! [email protected]

It's All in the Cloud - Red Teaming GCP (Google Cloud Platform)

It's All in the Cloud - Red Teaming GCP (Google Cloud Platform)

More Decks by TweekFawkes

Other Decks in Technology

Featured

Transcript