GCP - Compute Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

GCP VPC & Networking

Learn about how this works in:

pageGCP - VPC & Networking

Enumeration

# List networks
gcloud compute networks list
gcloud compute networks describe <network>

# List subnetworks
gcloud compute networks subnets list
gcloud compute networks subnets get-iam-policy <name> --region <region>
gcloud compute networks subnets describe <name> --region <region>

# List FW rules in networks
gcloud compute firewall-rules list --format="table(
                name,
                network,
                direction,
                priority,
                sourceRanges.list():label=SRC_RANGES,
                destinationRanges.list():label=DEST_RANGES,
                allowed[].map().firewall_rule().list():label=ALLOW,
                denied[].map().firewall_rule().list():label=DENY,
                sourceTags.list():label=SRC_TAGS,
                sourceServiceAccounts.list():label=SRC_SVC_ACCT,
                targetTags.list():label=TARGET_TAGS,
                targetServiceAccounts.list():label=TARGET_SVC_ACCT,
                disabled
            )"

# List Hierarchical Firewalls
gcloud compute firewall-policies list  (--folder <value>| --organization <value>)
gcloud compute firewall-policies describe <fw_policy>
gcloud compute firewall-policies list-rules <fw_policy>

# Get Firewalls of each region
gcloud compute network-firewall-policies list
## Get final FWs applied in a region
gcloud compute network-firewall-policies get-effective-firewalls --network=<vpc_name> --region <region>

You easily find compute instances with open firewall rules with https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum

Compute instances

This is the way you can run virtual machines inside GCP. Check this page for more information:

pageGCP - Compute Instances

Enumeration

# Get list of zones
# It's interesting to know which zones are being used
gcloud compute regions list | grep -E "NAME|[^0]/"

# List compute instances & get info
gcloud compute instances list
gcloud compute instances describe <instance name>
gcloud compute instances get-iam-policy <instance> --zone=ZONE
gcloud compute instances get-screenshot <instance name> # Instace must have "Display Device" enabled
gcloud compute instances os-inventory list-instances # Get OS info of instances (OS Config agent is running on instances)


# Enumerate disks
gcloud compute disks list
gcloud compute disks describe <disk>
gcloud compute disks get-iam-policy <disk>

For more information about how to SSH or modify the metadata of an instance to escalate privileges, check this page:

pageGCP - local privilege escalation ssh pivoting

Privilege Escalation

In the following page, you can check how to abuse compute permissions to escalate privileges:

pageGCP - Compute Privesc

Unauthenticated Enum

pageGCP - Compute Unauthenticated Enum

Post Exploitation

pageGCP - Compute Post Exploitation

Persistence

pageGCP - Compute Persistence

Serial Console Logs

Compute Engine Serial Console Logs are a feature that allows you to view and diagnose the boot and operating system logs of your virtual machine instances.

Serial Console Logs provide a low-level view of the instance's boot process, including kernel messages, init scripts, and other system events that occur during boot-up. This can be useful for debugging boot issues, identifying misconfigurations or software errors, or troubleshooting network connectivity problems.

These logs may expose sensitive information from the system logs which low privileged user may not usually see, but with the appropriate IAM permissions you may be able to read them.

You can use the following gcloud command to query the serial port logs (the permission required is compute.instances.getSerialPortOutput):

gcloud compute instances get-serial-port-output <instance-name>

Startup Scripts output

It's possible to see the output of the statup scripts from the VM executing:

sudo journalctl -u google-startup-scripts.service

OS Configuration Manager

You can use the OS configuration management service to deploy, query, and maintain consistent configurations (desired state and software) for your VM instance (VM). On Compute Engine, you must use guest policies to maintain consistent software configurations on a VM.

The OS Configuration management feature allows you to define configuration policies that specify which software packages should be installed, which services should be enabled, and which files or configurations should be present on your VMs. You can use a declarative approach to managing the software configuration of your VMs, which enables you to automate and scale your configuration management process more easily.

This also allow to login in instances via IAM permissions, so it's very useful for privesc and pivoting.

In order to enable os-config in a whole project or in an instance you just need to set the metadata key enable-oslogin to true at the desired level. Moreover, you can set the metadata enable-oslogin-2fa to true to enable the 2fa.

When you enable it when crating an instance the metadata keys will be automatically set.

More about 2fa in OS-config, it only applies if the user is a user, if it's a SA (like the compute SA) it won't require anything extra.

Enumeration

gcloud compute os-config patch-deployments list
gcloud compute os-config patch-deployments describe <patch-deployment>

gcloud compute os-config patch-jobs list
gcloud compute os-config patch-jobs describe <patch-job>

Images

Custom Images

Custom compute images may contain sensitive details or other vulnerable configurations that you can exploit.

When an image is created you can choose 3 types of encryption: Using Google managed key (default), a key from KMS, or a raw key given by the client.

Enumeration

You can query the list of non-standard images in a project with the following command:

gcloud compute machine-images list
gcloud compute machine-images describe <name>
gcloud compute machine-images get-iam-policy <name>

You can then export the virtual disks from any image in multiple formats. The following command would export the image test-image in qcow2 format, allowing you to download the file and build a VM locally for further investigation:

gcloud compute images export --image test-image \
    --export-format qcow2 --destination-uri [BUCKET]
    
# Execute container inside a docker
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh

Privilege Escalation

Check the Compute Instances privilege escalation section.

Custom Instance Templates

An instance template defines instance properties to help deploy consistent configurations. These may contain the same types of sensitive data as a running instance's custom metadata. You can use the following commands to investigate:

# List the available templates
gcloud compute instance-templates list

# Get the details of a specific template
gcloud compute instance-templates describe [TEMPLATE NAME]

It could be interesting to know which disk is new images using, but these templates won't usually have sensitive information.

Snapshots

The snapshots are backups of disks. Note that this is not the same as cloning a disk (another available feature). The snapshot will use the same encryption as the disk it's taken from.

Enumeration

gcloud compute snapshots list
gcloud compute snapshots describe <snapshot>
gcloud compute snapshots get-iam-policy <snapshot>

Privilege Escalation

Check the Compute Instances privilege escalation section.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated