RhinoSecurityLabs/GCP-IAM-Privilege-Escalation

# GCP 中的 IAM 权限提升 ## 目录 - `PrivEscScanner` 文件夹 - 包含一个用于 GCP 账户中所有成员的权限枚举器，以及一个相关的权限提升扫描器，该扫描器通过审查权限来查找权限提升漏洞。 - 首先运行 [enumerate_member_permissions.py](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/PrivEscScanner/enumerate_member_permissions.py) 来枚举所有成员和权限，然后运行 [check_for_privesc.py](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/PrivEscScanner/check_for_privesc.py) 来检查环境中的权限提升情况。 - `ExploitScripts` 文件夹 - 包含博文中概述的每种权限提升方法的利用脚本，以及针对某些需要它们的方法的 Cloud Function 和 Docker 镜像。 有关这些权限提升方法的更多信息、如何利用它们、它们所需的权限等，请参阅我们网站上的博文：[第 1 部分](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 和 [第 2 部分](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/) ## 当前 GCP IAM 权限提升方法列表 1. `cloudbuilds.builds.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py) / [博文](https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/) 2. `deploymentmanager.deployments.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 3. `iam.roles.update`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.roles.update.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 4. `iam.serviceAccounts.getAccessToken`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getAccessToken.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 5. `iam.serviceAccountKeys.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccountKeys.create.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 6. `iam.serviceAccounts.implicitDelegation`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.implicitDelegation.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 7. `iam.serviceAccounts.signBlob`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.signBlob-accessToken.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 8. `iam.serviceAccounts.signJwt`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.signJWT.py) / [博文]() 9. `cloudfunctions.functions.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.create-call.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 10. `cloudfunctions.functions.update`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.update.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 11. `compute.instances.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/compute.instances.create.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 12. `run.services.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/run.services.create.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 13. `cloudscheduler.jobs.create`：[博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) 14. `orgpolicy.policy.set`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/) 15. `storage.hmacKeys.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/) 16. `serviceusage.apiKeys.create`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.create.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/) 17. `serviceusage.apiKeys.list`：[脚本](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.list.py) / [博文](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-2/)

标签：Cloud Function, Docker, Exploit, GCP, IAM, PrivEscScanner, Python, Rhino Security Labs, RuleLab, 云计算, 协议分析, 安全防御评估, 提权, 攻击向量, 无后门, 权限提升, 权限枚举, 特权升级, 规则引擎, 请求拦截, 谷歌云, 身份与访问管理, 逆向工具