GCP - Add Custom SSH Metadata
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Metadata modification on an instance could lead to significant security risks if an attacker gains the necessary permissions.
On GCP, Linux systems often execute scripts from the Python Linux Guest Environment for Google Compute Engine. A critical component of this is the accounts daemon, which is designed to regularly check the instance metadata endpoint for updates to the authorized SSH public keys.
Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and integrated into the local system. The key will be added into ~/.ssh/authorized_keys
file of an existing user or potentially creating a new user with sudo
privileges, depending on the key's format. And the attacker will be able to compromise the host.
Examine Existing SSH Keys on the Instance:
Execute the command to describe the instance and its metadata to locate existing SSH keys. The relevant section in the output will be under metadata
, specifically the ssh-keys
key.
Pay attention to the format of the SSH keys: the username precedes the key, separated by a colon.
Prepare a Text File for SSH Key Metadata:
Save the details of usernames and their corresponding SSH keys into a text file named meta.txt
. This is essential for preserving the existing keys while adding new ones.
Generate a New SSH Key for the Target User (alice
in this example):
Use the ssh-keygen
command to generate a new SSH key, ensuring that the comment field (-C
) matches the target username.
Add the new public key to meta.txt
, mimicking the format found in the instance's metadata.
Update the Instance's SSH Key Metadata:
Apply the updated SSH key metadata to the instance using the gcloud compute instances add-metadata
command.
Access the Instance Using the New SSH Key:
Connect to the instance with SSH using the new key, accessing the shell in the context of the target user (alice
in this example).
If no interesting user is found, it's possible to create a new one which will be given sudo
privileges:
It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by applying SSH keys at the project level. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide:
Apply SSH Keys at the Project Level:
Use the gcloud compute project-info add-metadata
command to add SSH keys from meta.txt
to the project's metadata. This action ensures that the SSH keys are recognized across all VMs in the project, unless a VM has the "Block project-wide SSH keys" option enabled.
SSH into Instances Using Project-Wide Keys:
With project-wide SSH keys in place, you can SSH into any instance within the project. Instances that do not block project-wide keys will accept the SSH key, granting access.
A direct method to SSH into an instance is using the gcloud compute ssh [INSTANCE]
command. This command uses your current username and the SSH keys set at the project level to attempt access.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)