GCP - Compute Enum
Learn about how this works in:
GCP - VPC & Networking
You can easily find compute instances with open firewall rules with https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum
This is the way you can run virtual machines inside GCP. Check this page for more information:
GCP - Compute Instances
For more information about how to SSH or modify the metadata of an instance to escalate privileges, check this page:
GCP - local privilege escalation ssh pivoting
In the following page, you can check how to abuse compute permissions to escalate privileges:
GCP - Compute Privesc
Compute Engine Serial Console Logs are a feature that allows you to view and diagnose the boot and operating system logs of your virtual machine instances.
Serial Console Logs provide a low-level view of the instance's boot process, including kernel messages, init scripts, and other system events that occur during boot-up. This can be useful for debugging boot issues, identifying misconfigurations or software errors, or troubleshooting network connectivity problems.
These logs may expose sensitive information from the system logs that a low-privileged user would not usually see, but which you may be able to read with the appropriate IAM permissions.
You can use the following gcloud command to query the serial port logs (the permission required is compute.instances.getSerialPortOutput):
It's possible to see the output of the startup scripts from the VM by executing:
You can use the OS configuration management service to deploy, query, and maintain consistent configurations (desired state and software) for your virtual machine (VM) instances. On Compute Engine, you must use guest policies to maintain consistent software configurations on a VM.
The OS Configuration management feature allows you to define configuration policies that specify which software packages should be installed, which services should be enabled, and which files or configurations should be present on your VMs. You can use a declarative approach to managing the software configuration of your VMs, which enables you to automate and scale your configuration management process more easily.
This also allows logging in to instances via IAM permissions, so it's very useful for privesc and pivoting.
To enable os-config for a whole project or for a single instance, you just need to set the metadata key enable-oslogin to true at the desired level.
Moreover, you can set the metadata key enable-oslogin-2fa to true to enable 2FA.
If you enable it when creating an instance, the metadata keys are set automatically.
Regarding 2FA in OS-config: it only applies if the principal is a user; if it's a service account (SA), like the compute SA, nothing extra is required.
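An added example, not part of the original page: a Python audit that resolves the effective enable-oslogin and enable-oslogin-2fa values per instance from the metadata keys described above. It assumes the JSON shapes printed by gcloud compute project-info describe and gcloud compute instances list with --format=json, that instance-level metadata overrides the project-level value for the same key, and that a value counts as enabled when it equals true case-insensitively; the sample data and instance names are constructed.

```python
import json

# Constructed sample data (not real output). Shapes follow
# `gcloud compute project-info describe` / `instances list` with --format=json.
PROJECT_JSON = '''{"commonInstanceMetadata": {"items": [
  {"key": "enable-oslogin", "value": "TRUE"}]}}'''
INSTANCES_JSON = '''[
 {"name": "web-1", "metadata": {"items": [{"key": "enable-oslogin-2fa", "value": "true"}]}},
 {"name": "legacy-1", "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
 {"name": "batch-1", "metadata": {}}
]'''


def items_to_dict(metadata):
    """Flatten {"items": [{"key": ..., "value": ...}]} into a plain dict."""
    return {i["key"]: i.get("value", "") for i in (metadata or {}).get("items", [])}


def effective(key, project_md, instance_md):
    """Assumption: the instance-level value wins over the project-level one,
    and only the string "true" (any case) counts as enabled."""
    value = instance_md.get(key, project_md.get(key, ""))
    return value.strip().lower() == "true"


def audit(project_json, instances_json):
    """Return {instance name: {"oslogin": bool, "2fa": bool, "finding": str}}."""
    project_md = items_to_dict(json.loads(project_json).get("commonInstanceMetadata"))
    report = {}
    for inst in json.loads(instances_json):
        inst_md = items_to_dict(inst.get("metadata"))
        oslogin = effective("enable-oslogin", project_md, inst_md)
        # enable-oslogin-2fa has no effect unless enable-oslogin is also on.
        twofa = oslogin and effective("enable-oslogin-2fa", project_md, inst_md)
        if not oslogin:
            finding = "enable-oslogin off: metadata SSH keys still apply"
        elif not twofa:
            finding = "enable-oslogin on, enable-oslogin-2fa off"
        else:
            finding = "ok"
        report[inst["name"]] = {"oslogin": oslogin, "2fa": twofa, "finding": finding}
    return report


if __name__ == "__main__":
    for name, row in audit(PROJECT_JSON, INSTANCES_JSON).items():
        print(f"{name:10} {row['finding']}")
```

As the page notes, a 2FA result of "ok" only constrains human users; service accounts are not prompted for a second factor.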
Custom compute images may contain sensitive details or other vulnerable configurations that you can exploit.
When an image is created you can choose among 3 types of encryption: a Google-managed key (default), a key from KMS, or a raw key given by the client.
You can query the list of non-standard images in a project with the following command:
You can then export the virtual disks from any image in multiple formats. The following command would export the image test-image in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
Check the Compute Instances privilege escalation section.
An instance template defines instance properties to help deploy consistent configurations. These may contain the same types of sensitive data as a running instance's custom metadata. You can use the following commands to investigate:
It could be interesting to know which disk new images are using, but these templates won't usually have sensitive information.
The snapshots are backups of disks. Note that this is not the same as cloning a disk (another available feature). The snapshot will use the same encryption as the disk it's taken from.
Check the Compute Instances privilege escalation section.