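#!/usr/bin/env bash
# Lacework sample GCP exploit
# Creates a new service account user with editor privileges for the specified project_id, then creates a GCP storage bucket and puts a file into it.
# The script then cleans up after itself, deleting the bucket and the user.
# Accepts an optional argument for the username that gets created, otherwise defaults to 'system'
#
# Requirements: gcloud, gsutil, jq and curl on PATH, plus an already authenticated
# gcloud session that may create service accounts and change the IAM policy of
# the target project.
#
# bash, not sh, is required: the script uses $'..' escapes, [[ ]], (( )) and $RANDOM.
#
# Cleanup is registered as an EXIT trap as soon as the first resource can be
# created, so an abort half-way through does not leave the editor-privileged
# service account, its key file or the bucket behind.
set -euo pipefail

# Terminal colours (only the ones used below).
readonly grn=$'\e[1;32m'
readonly mag=$'\e[1;35m'
readonly cyn=$'\e[1;36m'
readonly end=$'\e[0m'

usage="$(basename "$0") [-h] [-p <PROJECT_ID>] [-u <USERNAME>]
This is a script to simulate a malicious execution event in a GCP environment.
Arguments:
-h show this help text
-p set the project ID
-u set the username (default: system)
"
readonly usage

# Run state consumed by cleanup(). Each value is empty/0 until the matching
# resource exists and is reset once it has been removed, so cleanup() can run
# both at the end of a normal run and from the EXIT trap without repeating work.
PROJECT_ID=""
USERNAME=system
IAM_ACCOUNT=""
core_account=""
core_project=""
work_dir=""
key_file=""
key_id=""
bucket=""
sa_created=0
binding_added=0

#######################################
# Print a line to stdout. printf, not echo: values may start with '-'.
# Arguments: message parts, joined by spaces (none -> blank line)
#######################################
say() {
  printf '%s\n' "$*"
}

#######################################
# Print a line to stderr.
# Arguments: message parts, joined by spaces
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Parse -h/-p/-u and derive the service account e-mail.
# Globals:   PROJECT_ID, USERNAME, IAM_ACCOUNT (written)
# Arguments: the script's command line
# Returns:   0 on success; exits 0 after -h, exits 1 on a bad option or a
#            missing project ID
#######################################
parse_args() {
  local option
  while getopts ':hp:u:' option; do
    case "$option" in
      h)
        say "$usage"
        exit 0
        ;;
      p) PROJECT_ID=$OPTARG ;;
      u) USERNAME=$OPTARG ;;
      :)
        warn "Missing argument for -$OPTARG"
        warn "$usage"
        exit 1
        ;;
      \?)
        warn "Illegal option: -$OPTARG"
        warn "$usage"
        exit 1
        ;;
    esac
  done
  if [[ -z "$PROJECT_ID" ]]; then
    warn "Missing project ID option. Use -h for help message."
    exit 1
  fi
  IAM_ACCOUNT="$USERNAME@$PROJECT_ID.iam.gserviceaccount.com"
}

#######################################
# Remove everything this run created and restore the caller's gcloud context.
# Best-effort and idempotent: a failed undo step is reported by the tool but
# does not stop the remaining steps, and completed steps reset their state so
# a second call (the EXIT trap after a normal run) does nothing.
# Order: bucket and key are removed while the service account may still be the
# active context (it can do both with Editor); the original account is then
# restored before the role binding is removed and the account deleted, because
# Editor cannot change the project IAM policy.
# Globals:   bucket, key_id, binding_added, sa_created, core_account,
#            core_project, work_dir (read and reset); IAM_ACCOUNT, PROJECT_ID (read)
#######################################
cleanup() {
  set +e   # keep going past a failed undo step
  if [[ -n "$bucket" ]]; then
    say "${grn}Deleting file and GCP Storage bucket...${end}"
    gsutil rm -r "gs://$bucket" && bucket=""
    say
  fi
  if [[ -n "$key_id" || "$sa_created" -eq 1 || "$binding_added" -eq 1 ]]; then
    say "${grn}Cleaning up...${end}"
  fi
  if [[ -n "$key_id" ]]; then
    gcloud iam service-accounts keys delete "$key_id" --iam-account="$IAM_ACCOUNT" --quiet \
      && key_id=""
  fi
  if [[ -n "$core_account" ]]; then
    say
    say "${grn}Reinitializing original context with ${mag}$core_account ${grn}with project_id ${mag}$core_project${end}"
    gcloud config set account "$core_account" && core_account=""
  fi
  if (( binding_added )); then
    # Remove the binding before the account, otherwise it lingers as a
    # "deleted:serviceAccount:..." member in the project policy.
    gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$IAM_ACCOUNT" --role=roles/editor --quiet >/dev/null \
      && binding_added=0
  fi
  if (( sa_created )); then
    gcloud iam service-accounts delete "$IAM_ACCOUNT" --quiet && sa_created=0
  fi
  if [[ -n "$core_project" ]]; then
    gcloud config set project "$core_project" && core_project=""
  fi
  if [[ -n "$work_dir" ]]; then
    rm -rf -- "$work_dir" && work_dir=""
  fi
  set -e
}

#######################################
# Run the simulation: stash the caller's context, create and empower the
# account, exercise it, then undo everything.
# Globals:   all run-state variables above (written)
# Arguments: the script's command line
#######################################
main() {
  local out name
  parse_args "$@"

  # From here on anything created is undone by cleanup(), even on error.
  trap cleanup EXIT

  # Saving core.account and core.project so they can be restored at the end.
  core_account=$(gcloud config get-value account)
  core_project=$(gcloud config get-value project)
  say "${grn}Stashing core account settings ${mag}$core_account${end}"
  say

  # Setting Project
  gcloud config set project "$PROJECT_ID"
  say "${grn}Setting core account project to ${mag}$PROJECT_ID${end}"
  say

  # Create a new IAM user. The JSON is captured first and pretty-printed after
  # the state flag is set, so a jq failure cannot orphan a resource that exists.
  say "${grn}Creating a new IAM user called ${mag}$USERNAME${end}"
  say
  out=$(gcloud iam service-accounts create "$USERNAME" --format=json)
  sa_created=1
  jq <<<"$out"

  # The key goes into a private temp dir (mktemp, 0700) rather than ./creds.json,
  # so it is neither predictable nor readable by others, and the trap removes it.
  umask 077
  work_dir=$(mktemp -d)
  key_file=$work_dir/creds.json
  out=$(gcloud iam service-accounts keys create "$key_file" --iam-account="$IAM_ACCOUNT" --format=json)
  key_id=$(jq -r .private_key_id "$key_file")
  jq <<<"$out"
  say

  say "${grn}Granting Editor access to ${mag}$USERNAME${end}"
  out=$(gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$IAM_ACCOUNT" --role=roles/editor --format=json)
  binding_added=1
  jq <<<"$out"
  say
  say

  # Here we start using the new account profile and creds
  gcloud auth activate-service-account --key-file="$key_file"

  say
  say "${grn}Creating a new GCP Storage bucket and uploading a file...${end}"
  name=lacework-test-$RANDOM
  gsutil mb -p "$PROJECT_ID" -l US-EAST1 "gs://$name"
  bucket=$name
  curl -sS -H "Accept: application/json" https://icanhazdadjoke.com/ > "$work_dir/badfile.json"
  say
  say "${grn}Uploading secret data...${end}"
  gsutil cp "$work_dir/badfile.json" "gs://$bucket/"
  say
  say "${grn}Data uploaded. Preparing to destroy...${end}"
  sleep 5
  say

  # Exit back out to our regular context (the trap re-runs this as a no-op).
  cleanup
  say
  say "${cyn}Script complete. Check your Lacework console for activity in about an hour.${end}"
}

main "$@"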