# GCP - Artifact Registry Persistence

{{#include ../../../banners/hacktricks-training.md}}

## Artifact Registry

For more information about Artifact Registry check:

{{#ref}}
../gcp-services/gcp-artifact-registry-enum.md
{{#endref}}

## Dependency Confusion

- What happens if a remote repository and a standard repository are mixed in a virtual one and a package exists in both?
- The one with the highest priority set in the virtual repository is used.
- If the priority is the same:
  - If the version is the same, the policy whose name is alphabetically first in the virtual repository is used.
  - If not, the highest version is used.

> [!CAUTION]
> Therefore, it's possible to **abuse a higher version (dependency confusion)** in a public package registry if the remote repository has a higher or the same priority.

This technique can be useful for persistence and unauthenticated access, since abusing it only requires knowing the name of a library stored in Artifact Registry and creating a library with that same name in the public repository (PyPI for Python, for example) with a higher version.
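As an added example (not part of the original HackTricks page), the following Python models the resolution rules above and audits an upstream-policy file for the risky configuration. It assumes the JSON shape gcloud's `--upstream-policy-file` accepts (a list of objects with `id`, `repository` and `priority`, larger priority winning) and a caller-supplied set of which repositories are remote; all repository names are constructed.

```python
from __future__ import annotations

# Constructed sample upstream-policy file for a virtual repository: the
# internal (standard) upstream and a PyPI remote share the same priority.
UPSTREAM_POLICIES = [
    {"id": "internal", "repository": "projects/p/locations/us/repositories/internal-py", "priority": 100},
    {"id": "pypi-remote", "repository": "projects/p/locations/us/repositories/pypi-remote", "priority": 100},
]
REMOTE_REPOS = {"projects/p/locations/us/repositories/pypi-remote"}  # constructed classification


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (assumes plain X.Y.Z strings)."""
    return tuple(int(part) for part in v.split("."))


def resolve(policies: list[dict], versions: dict[str, str]) -> str:
    """Return the id of the upstream whose copy of a package the virtual repo serves.

    `versions` maps policy id -> the version of that package each upstream holds.
    Rules from the page: highest priority wins; on a tie, equal versions -> the
    alphabetically first policy id, otherwise the highest version.
    """
    by_id = {p["id"]: p for p in policies if p["id"] in versions}
    top = max(p["priority"] for p in by_id.values())
    tied = [pid for pid, p in by_id.items() if p["priority"] == top]
    if len({versions[pid] for pid in tied}) == 1:
        return min(tied)
    return max(tied, key=lambda pid: parse_version(versions[pid]))


def audit(policies: list[dict], remote_repos: set[str]) -> list[str]:
    """Flag every remote upstream whose priority is >= some standard upstream.

    That is the configuration under which a same-name package published to the
    public registry with a higher version shadows the internal package.
    """
    standard = [p for p in policies if p["repository"] not in remote_repos]
    findings = []
    for remote in (p for p in policies if p["repository"] in remote_repos):
        for s in standard:
            if remote["priority"] >= s["priority"]:
                findings.append(f"{remote['id']} (priority {remote['priority']}) "
                                f"can shadow {s['id']} (priority {s['priority']})")
    return findings
```

Raising the internal upstream's priority above every remote makes `audit` return no findings, and `resolve` then serves the internal copy regardless of the public version.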

For persistence these are the steps you need to follow:

- Requirements: a virtual repository must exist and be in use, and an internal package must be used whose name doesn't exist in the public repository.
- Create a remote repository if it doesn't exist.
- Add the remote repository to the virtual repository.
- Edit the policies of the virtual repository to give the remote repository a higher (or the same) priority. Run something like:

  ```bash
  gcloud artifacts repositories update --upstream-policy-file ...
  ```

- Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, they will install yours!

For more information about dependency confusion check:

{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/dependency-confusion.html
{{#endref}}

{{#include ../../../banners/hacktricks-training.md}}