GCP - Cloud Shell Post Exploitation
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about Cloud Shell check:
Note that the Google Cloud Shell runs inside a container, you can easily escape to the host by doing:
This is not considered a vulnerability by google, but it gives you a wider vision of what is happening in that env.
Moreover, notice that from the host you can find a service account token:
With the following scopes:
Enumerate metadata with LinPEAS:
After using https://github.com/carlospolop/bf_my_gcp_permissions with the token of the Service Account no permission was discovered...
If you want to use your google cloud shell instance as proxy you need to run the following commands (or insert them in the .bashrc file):
Just for let you know Squid is a http proxy server. Create a squid.conf file with the following settings:
copy the squid.conf file to /etc/squid
Finally run the squid service:
Use ngrok to let the proxy be available from outside:
After running copy the tcp:// url. If you want to run the proxy from a browser it is suggested to remove the tcp:// part and the port and put the port in the port field of your browser proxy settings (squid is a http proxy server).
For better use at startup the .bashrc file should have the following lines:
The instructions were copied from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key. Check that page for other crazy ideas to run any kind of software (databases and even windows) in Cloud Shell.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)