Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/carlospolop/monitor-backdoor-appengine
https://github.com/carlospolop/monitor-backdoor-appengine
Last synced: 11 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/carlospolop/monitor-backdoor-appengine
- Owner: carlospolop
- Created: 2024-09-09T13:15:29.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2024-09-09T13:30:30.000Z (2 months ago)
- Last Synced: 2024-09-09T16:18:18.312Z (2 months ago)
- Language: Python
- Size: 4.88 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Monitor & Backdoor App Engine
AppEngine versions generate some data inside a bucket with the format name: `staging..appspot.com`. Inside this bucket, it's possible to find a folder called `ae` that will contain a folder per version of the AppEngine app and inside these folders it'll be possible to find the `manifest.json` file. This file contains a json with all the files that must be used to create the specific version. Moreover, it's possible to find the **real names of the files, the URL to them inside the GCP bucket (the files inside the bucket changed their name for their sha1 hash) and the sha1 hash of each file.**
*Note that it's not possible to pre-takeover this bucket because GCP users aren't authorized to generate buckets using the domain name appspot.com.*
However, with read & write access over this bucket, it's possible to escalate privileges to the SA attached to the App Engine version by monitoring the bucket and any time a change is performed (new version), modify the new version as fast as possible. This way, the container that gets created from this code will execute the backdoored code.
The mentioned attack can be performed in a lot of different ways, all of them start by monitoring the `staging..appspot.com` bucket:
- Upload the complete new code of the AppEngine version to a different and available bucket and prepare a `manifest.json` file with the new bucket name and sha1 hashes of them. Then, when a new version is created inside the bucket, you just need to modify the `manifest.json` file and upload the malicious one.
- Upload a modified `requirements.txt` version that will use a the malicious dependencie code and upate the `manifest.json` file with the new filename, URL and the hash of it.
- Upload a modified `main.py` or `app.yaml` file that will execute the malicious code and update the `manifest.json` file with the new filename, URL and the hash of it.
The script contained inside this folder will monitor the bucket and when a new version is created, it will backdoor it by modifying the `manifest.json` file. Therefore, before performing the attack you need to upload the backdoored files to an accessible bucket and update the `manifest.json` file of this repo with the new filenames, URLs and sha1 hashes. You have some examples of files you could update inside the folder `example_files/`.
Find more information in https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc#app-engine
```bash
# Installation
python3 -m pip install -r requirements.txt
python3 backdoor_appengine_bucket.py
#e.g.
python3 backdoor_appengine_bucket.py staging.gcp-labs-3uis1xlx.appspot.com
```