May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)

Transcript

1. Stage 2 Security Version 1.0 Copyright 2019 by Stage 2

   Security May the Cloud Be with You! Red Teaming GCP (Google Cloud Platform)

2. Copyright 2019 by Stage 2 Security Stage 2 Security Agenda

   Bryce Kunz @TweekFawkes - Who Am I? - GCP Overview - Compute Engine - Storage - Kubernetes (K8s) - Persistence within GCP

3. Copyright 2019 by Stage 2 Security Stage 2 Security Defense

   DHS SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes

4. Copyright 2019 by Stage 2 Security Stage 2 Security Defense

   DHS SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

5. Copyright 2019 by Stage 2 Security Stage 2 Security Defense

   DHS SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

6. Copyright 2019 by Stage 2 Security Stage 2 Security GCP

   Overview Overview

7. Copyright 2019 by Stage 2 Security Stage 2 Security Management

   UI Control Plane (APIs) Data Plane Management UI Cloud Admin Web Management Console -> https://Console.Cloud.Google.com

8. Copyright 2019 by Stage 2 Security Stage 2 Security Control

   Plane (APIs) Control Plane (APIs) Data Plane Management UI Cloud Admin Ext Cloud Automation - Terraform - Salt Cloud - Custom

9. Copyright 2019 by Stage 2 Security Stage 2 Security Data

   Plane Control Plane (APIs) Data Plane Management UI Cloud Admin Ext Cloud Automation - Terraform - Salt Cloud - Custom USERS

10. Copyright 2019 by Stage 2 Security Stage 2 Security Compute

    Engine Overview

11. Copyright 2019 by Stage 2 Security Stage 2 Security Data

    Center Firewall Server Side Request Forgery (SSRF) ... Web App Database Monitoring 10.1.1.1 Images 10.1.1.2 Internet 1 GET /app?img=b.jpg 2 3 4

12. Copyright 2019 by Stage 2 Security Stage 2 Security Server

    Side Request Forgery (SSRF) ... Web App Database Monitoring 10.1.1.1 Images Internet Data Center Firewall 1 GET /?img=http://10.1.1.1/... 2 3 4 0

13. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Server Side Request Forgery (SSRF) ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

14. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Metadata Service ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

15. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Metadata Service ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

16. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Metadata Service HTTP Header ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

17. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Metadata Service HTTP Header ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

18. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    v1beta1 ? ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

19. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    v1beta1 ! ... Web App Database metadata.google.internal 169.254.169.254 Images Internet GCP Firewall 1 GET /?img=http://metadata/.. 2 3 4 0 Instance

20. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    SSRF Demo Steps on macOS: • curl http://34.73.197.205/ • View Source ◦ /extimage?p=http%3A...%2Fsalamander.jpg curl http://34.73.197.205/extimage?p=http://metadata.google.internal/compute Metadata/v1beta1/instance/service-accounts/default/token ...

21. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    SSRF Demo Steps on macOS: • curl http://34.73.197.205/ • View Source ◦ /extimage?p=http%3A...%2Fsalamander.jpg curl http://34.73.197.205/extimage?p=http://metadata.google.internal/compute Metadata/v1beta1/instance/service-accounts/default/token ...

22. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    SSRF Demo Steps on macOS: • curl http://35.247.8.30/ • View Source ◦ /extimage?p=http%3A...%2Fsalamander.jpg curl http://35.247.8.30/extimage?p=http://metadata.google.internal/computeMet adata/v1beta1/instance/service-accounts/default/token ...

23. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    SSRF Demo Steps on macOS: • curl http://35.247.8.30/ • View Source ◦ /extimage?p=http%3A...%2Fsalamander.jpg curl http://35.247.8.30/extimage?p=http://metadata.google.internal/computeMet adata/v1beta1/instance/service-accounts/default/token ...

24. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Validate User Tokens https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ACCESS_T OKEN ...

25. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Default Access ...

26. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Management UI Web Management Console -> https://Console.Cloud.Google.com

27. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    GCE New VM Instance Google Compute Engine (GCE) Default: • Identity and API Access • Firewall • Startup script (Optional) • Metadata (Optional) Defaults: • Block project-wide SSH keys (unchecked) • Disk Encryption (Google-managed key) ...

28. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    GCE Identity and API Access Access scopes: • read-only access to Storage and Service Management, • write access to Stackdriver Logging and Monitoring, • read/write access to Service Control. ...

29. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Compute Engine Identity and API Access

30. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Compute Engine Identity and API Access

31. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Full Access ...

32. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Scripts https://github.com/Stage2Sec/CaptureTheCloud • gcp_get_token_gce_header.py ◦ get access token from metadata service via HTTP header • gcp_get_token_gce_v1beta1.py ◦ get access token from metadata service via v1beta1 URI • gcp_check_token.py ◦ check access token is valid & it’s scope via googleapis.com ...

33. Copyright 2019 by Stage 2 Security Stage 2 Security Storage

    Overview

34. Copyright 2019 by Stage 2 Security Stage 2 Security 2017:

    May-Oct 1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket” 2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data” 3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor” 4. “Researcher discovers classified Army intel app, data on open public AWS bucket” 5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak” 6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository” 7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.” etc...

35. Copyright 2019 by Stage 2 Security Stage 2 Security 2017:

    May-Oct 1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket” 2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data” 3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor” 4. “Researcher discovers classified Army intel app, data on open public AWS bucket” 5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak” 6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository” 7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.” etc...

36. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Storage Public Buckets... ...

37. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Accessing Objects https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg storage.googleapis.com -> GCP its_all_in_the_cloud -> Globally Unique Bucket Name object001.jpg -> Object Name ...

38. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Listable Buckets ...

39. Copyright 2019 by Stage 2 Security Stage 2 Security GoBuster

    - Finding Buckets & Objects https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg gobuster -m dir -u “https://storage.googleapis.com” -i -t 100 -e -s 200,204 -w quickdir.txt

40. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Compute Engine Identity and API Access

41. Copyright 2019 by Stage 2 Security Stage 2 Security GCP:

    Cloud IAM Policies Policies bind Members to Roles... • Member: User, Group, etc… • Roles: Collection of Permissions ◦ similar to AWS IAM Policies • eg Permission: Compute.Instances.Start ...at a specific hierarchy levels: • Org, Folder, Project, or Resource Who can do what to which thing?

42. Copyright 2019 by Stage 2 Security Stage 2 Security Kubernetes

    (K8s) & Google Kubernetes Engine (GKE)

43. Copyright 2019 by Stage 2 Security Stage 2 Security ...

    Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

44. Copyright 2019 by Stage 2 Security Stage 2 Security K8s

    Env: /bin/cat /proc/1/cgroup ...

45. Copyright 2019 by Stage 2 Security Stage 2 Security K8s

    Env: ls / ...

46. Copyright 2019 by Stage 2 Security Stage 2 Security K8s

    Env: pid 1 is not init or launchd ...

47. Copyright 2019 by Stage 2 Security Stage 2 Security Default

    Service Account Credential (token) kube-system associates a pod is with a service account w/ credential (token) • /var/run/secrets/kubernetes.io/serviceaccount/token ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

48. Copyright 2019 by Stage 2 Security Stage 2 Security Access

    Token via metadata Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl metadata.google.internal 169.254.169.254

49. Copyright 2019 by Stage 2 Security Stage 2 Security Access

    Token via metadata Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc ...

50. Copyright 2019 by Stage 2 Security Stage 2 Security .../v1/instance/attributes/kube-env

    • Masquerading as the Kubelet • To the K8s API ◦ -H "Metadata-Flavor: Google" ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl metadata.google.internal 169.254.169.254

51. Copyright 2019 by Stage 2 Security Stage 2 Security Kubelet

    certificate and the Kubelet private key • Masquerading as the Kubelet • To the K8s API ◦ -H "Metadata-Flavor: Google" • Some more steps here… ◦ See references Refs: https:/ /www.4armed.com/blog/hacking-kubelet-on-gke/ https:/ /hackerone.com/reports/341876 etc... Infrastructure: Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl metadata.google.internal 169.254.169.254

52. Copyright 2019 by Stage 2 Security Stage 2 Security Kubelet

    -> Port: 10250/TCP, 10255/TCP Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

53. Copyright 2019 by Stage 2 Security Stage 2 Security Kubelet

    -> Port: 10250/TCP, 10255/TCP Overview: • Pod contains 1 or more containers ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

54. Copyright 2019 by Stage 2 Security Stage 2 Security Kubelet

    -> Port: 10250/TCP, 10255/TCP ...

55. Copyright 2019 by Stage 2 Security Stage 2 Security Container

    Escapes Container Escape Vulnerabilities: • CVE-2019-5736 -> Runc • CVE-2016-5195 -> Dirty Cow ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

56. Copyright 2019 by Stage 2 Security Stage 2 Security Container

    Escapes Container Escape Techniques: • Run Container in Cluster ◦ With Root File System Mounted! ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

57. Copyright 2019 by Stage 2 Security Stage 2 Security Kubernetes

    API Kubernetes API Vulnerabilities: • CVE-2018-1002105 -> kubernetes: authentication/authorization bypass ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

58. Copyright 2019 by Stage 2 Security Stage 2 Security Docker:

    2375/TCP (no auth.), 2376/TCP (TLS) Lateral Movement: • EDB-ID: 42356 -> Unprotected TCP Socket ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

59. Copyright 2019 by Stage 2 Security Stage 2 Security Persistence

    in GCP Overview

60. Copyright 2019 by Stage 2 Security Stage 2 Security Data

    Plane Control Plane (APIs) Data Plane Management UI Cloud Admin Ext Cloud Automation - Terraform - Salt Cloud - Custom USERS

61. Copyright 2019 by Stage 2 Security Stage 2 Security Client-Side

    Vectors: • 201911 - Remote Mac Exploitation via XLM macros • 201808 - Remote Mac Exploitation Via Custom URL Schemes Refs: https:/ /kb.cert.org/vuls/id/125336/ https:/ /objective-see.com/blog/blog_0x38.html

62. Copyright 2019 by Stage 2 Security Stage 2 Security CLI:

    gcloud ...

63. Copyright 2019 by Stage 2 Security Stage 2 Security CLI:

    gcloud ...

64. Copyright 2019 by Stage 2 Security Stage 2 Security CLI:

    gcloud ...

65. Copyright 2019 by Stage 2 Security Stage 2 Security CLI:

    gcloud ...

66. Copyright 2019 by Stage 2 Security Stage 2 Security Browser

    Cookies • Root Access -> Export (Safari, Chrome, Firefox, etc...) -> See References • No Root Access -> cookie_crimes for Chrome -> https://github.com/defaultnamehere/cookie_crimes GCP Ref: https:/ /wunderwuzzi23.github.io/blog/passthecookie.html https:/ /maxchadwick.xyz/blog/exporting-your-browser-cookies-on-a-mac

67. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell Client-Side: • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes GCP ...

68. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell: .bashrc modification • ...

69. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell -> .bashrc -> Voodoo • ...

70. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell -> .bashrc -> Voodoo -> Private Key • ...

71. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell Client-Side: • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes GCP ...

72. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell ...

73. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell ...

74. Copyright 2019 by Stage 2 Security Stage 2 Security Cloud

    Shell ...

75. Copyright 2019 by Stage 2 Security Stage 2 Security Persistence

    in K8s Overview

76. Copyright 2019 by Stage 2 Security Stage 2 Security Default

    Service Account Find secrets: • /var/run/secrets/kuberenetes.io/serviceaccount/token ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) Workers Control kubectl

77. Copyright 2019 by Stage 2 Security Stage 2 Security AuthN

    Authentication (AuthN) • Prove Your ID ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) AuthN - Bearer Tokens - Client Certs - OIDC AD, etc.. Control kubectl

78. Copyright 2019 by Stage 2 Security Stage 2 Security AuthZ

    Authorization (AuthZ) • Is User Allowed... ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) AuthN Bearer Tokens Certs OIDC , AD, ... Control kubectl AuthZ Roles RoleBin dings

79. Copyright 2019 by Stage 2 Security Stage 2 Security Admission

    Control Admission Control • Policy Enforcement ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) AuthN Bearer Tokens Certs OIDC , AD, ... Control kubectl AuthZ Roles RoleBin dings Admission Control Mutating Validating

80. Copyright 2019 by Stage 2 Security Stage 2 Security External

    Admission Control • Policy Enforcement ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) AuthN Bearer Tokens Certs OIDC , AD, ... Control kubectl AuthZ Roles RoleBin dings Admission Control Mutating Validating External Admission Control via Webhooks

81. Copyright 2019 by Stage 2 Security Stage 2 Security Mutating!

    Admission Control • Policy Enforcement ... Infrastructure Cloud (e.g. Instances) or On-Premises (e.g. VMs) AuthN Bearer Tokens Certs OIDC , AD, ... Control kubectl AuthZ Roles RoleBin dings Admission Control Mutating Validating External Admission Control via Webhooks Persist!

82. Copyright 2019 by Stage 2 Security Stage 2 Security Trainings

    @ BlackHat & On-Site! Thank You! [email protected] .sh @TweekFawkes