GCP - Filestore Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Google Cloud Filestore is a managed file storage service tailored for applications in need of both a filesystem interface and a shared filesystem for data. This service excels by offering high-performance file shares, which can be integrated with various GCP services. Its utility shines in scenarios where traditional file system interfaces and semantics are crucial, such as in media processing, content management, and the backup of databases.

You can think of this like any other NFS shared document repository - a potential source of sensitive info.


When creating a Filestore instance it's possible to select the network where it's going to be accessible.

Moreover, by default all clients on the selected VPC network and region are going to be able to access it, however, it's possible to restrict the access also by IP address or range and indicate the access privilege (Admin, Admin Viewer, Editor, Viewer) user the client is going to get depending on the IP address.

It can also be accessible via a Private Service Access Connection:

  • Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL.

  • Are between your VPC network and network owned by Google using a VPC peering, enabling your instances and services to communicate exclusively by using internal IP addresses.

  • Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision.

  • The VPC peering will import new routes to your VPC


It's possible to create backups of the File shares. These can be later restored in the origin new Fileshare instance or in new ones.


By default a Google-managed encryption key will be used to encrypt the data, but it's possible to select a Customer-managed encryption key (CMEK).


If you find a filestore available in the project, you can mount it from within your compromised Compute Instance. Use the following command to see if any exist.

# Instances
gcloud filestore instances list # Check the IP address
gcloud filestore instances describe --zone <zone> <name> # Check IP and access restrictions

# Backups
gcloud filestore backups list
gcloud filestore backups describe --region <region> <backup>

# Search for NFS shares in a VPC subnet
sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 --open

Note that a filestore service might be in a completely new subnetwork created for it (inside a Private Service Access Connection, which is a VPC peer). So you might need to enumerate VPC peers to also run nmap over those network ranges.

# Get peerings
gcloud compute networks peerings list
# Get routes imported from a peering
gcloud compute networks peerings list-routes <peering-name> --network=<network-name> --region=<region> --direction=INCOMING

Privilege Escalation & Post Exploitation

There aren't ways to escalate privileges in GCP directly abusing this service, but using some Post Exploitation tricks it's possible to get access to the data and maybe you can find some credentials to escalate privileges:

pageGCP - Filestore Post Exploitation


pageGCP - Filestore Persistence
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated