GCP - Filestore Enum
Google Cloud Filestore is a managed NFS file storage service for applications that need both a filesystem interface and storage shared between several machines. It offers high-performance file shares that can be consumed by other GCP services (Compute Engine VMs, GKE nodes, and so on) and is typically used where traditional file system semantics matter, such as media processing, content management and database backups.
You can think of this like any other NFS shared document repository - a potential source of sensitive info.
When creating a Filestore instance you choose the VPC network on which it will be reachable.
By default, every client on the selected VPC network and region can access the instance. Access can be restricted per file share by client IP address or CIDR range, and each range is given an access level (Admin, Admin Viewer, Editor, Viewer). Those levels are combinations of the NFS export's access mode (read/write or read-only) and squash mode (whether root on the client stays root on the share), so a range marked Admin gets read/write access with no root squash.
It can also be accessible via a Private Service Access Connection:
Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL.
Are between your VPC network and network owned by Google using a VPC peering, enabling your instances and services to communicate exclusively by using internal IP addresses.
Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision.
The VPC peering will import new routes to your VPC
It's possible to create backups of the file shares. A backup can later be restored into the original Filestore instance or into a new one, so backups are a second place where the share's data lives.
By default a Google-managed encryption key will be used to encrypt the data, but it's possible to select a Customer-managed encryption key (CMEK).
If you find a Filestore instance in the project, you can mount it from a compromised Compute Engine instance on the same network. List the instances in the project with `gcloud filestore instances list` and look at the IP address, file share name and export options of each one.
Note that a Filestore instance may sit in a subnetwork created just for it (inside a Private Service Access connection, which is a VPC peering). So you might also need to enumerate VPC peers and run nmap over those network ranges to find the NFS endpoint.
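The following Python script is an added example, not code from the HackTricks page. It ties together the access-level paragraph above and the enumeration step: it parses the JSON that `gcloud filestore instances list --format=json` prints (a real gcloud command), and for the IP address of the VM you are on it works out which shares you can mount, with which NFS access mode and squash mode, flags the dangerous combinations (writable, no root squash, reached through a Private Service Access peering) and emits the `nmap` and `mount` commands. The instance names, networks and IP addresses in `SAMPLE` are constructed data, and the treatment of a share with no `nfsExportOptions` as read/write with no root squash for every VPC client is an assumption based on the documented gcloud defaults.

```python
"""Triage Filestore instances from a compromised Compute Engine VM.

Added example (not from the HackTricks page). Parses the output of
`gcloud filestore instances list --format=json` and, for a given client
IP, reports what each file share exports to that client.
"""
import ipaddress
import json

# Constructed sample of `gcloud filestore instances list --format=json`.
SAMPLE = json.dumps([
    {
        "name": "projects/example-project/locations/us-central1-a/instances/nfs-server",
        "state": "READY",
        "tier": "BASIC_HDD",
        "networks": [{
            "network": "default",
            "connectMode": "DIRECT_PEERING",
            "ipAddresses": ["10.0.0.2"],
            "reservedIpRange": "10.0.0.0/29",
        }],
        # No nfsExportOptions: every client on the VPC gets the defaults.
        "fileShares": [{"name": "share1", "capacityGb": "1024"}],
    },
    {
        "name": "projects/example-project/locations/us-central1-a/instances/backup-srv",
        "state": "READY",
        "tier": "BASIC_SSD",
        "networks": [{
            "network": "projects/example-project/global/networks/prod-vpc",
            "connectMode": "PRIVATE_SERVICE_ACCESS",
            "ipAddresses": ["10.200.0.2"],
            "reservedIpRange": "10.200.0.0/24",
        }],
        "fileShares": [{
            "name": "backups",
            "capacityGb": "2560",
            "nfsExportOptions": [
                {"ipRanges": ["10.10.0.0/16"], "accessMode": "READ_ONLY", "squashMode": "ROOT_SQUASH"},
                {"ipRanges": ["10.20.0.7"], "accessMode": "READ_WRITE", "squashMode": "NO_ROOT_SQUASH"},
            ],
        }],
    },
])


def client_access(share, client_ip):
    """Return (accessMode, squashMode) the share grants to client_ip, or None.

    Assumption (documented gcloud defaults): a share with no nfsExportOptions,
    or an option whose fields are omitted, grants READ_WRITE / NO_ROOT_SQUASH,
    i.e. the console's "Admin" level. An option with no ipRanges matches all.
    """
    options = share.get("nfsExportOptions") or [{}]
    ip = ipaddress.ip_address(client_ip)
    for opt in options:  # first matching range wins
        ranges = opt.get("ipRanges") or []
        if not ranges or any(ip in ipaddress.ip_network(r, strict=False) for r in ranges):
            return (opt.get("accessMode", "READ_WRITE"), opt.get("squashMode", "NO_ROOT_SQUASH"))
    return None


def triage(instances_json, client_ip):
    """One finding per (instance, IP, share): access level, red flags, commands."""
    findings = []
    for inst in json.loads(instances_json):
        short = inst["name"].rsplit("/", 1)[-1]
        for net in inst.get("networks", []):
            for ip in net.get("ipAddresses", []):
                for share in inst.get("fileShares", []):
                    access = client_access(share, client_ip)
                    flags = []
                    if access and access[0] == "READ_WRITE":
                        flags.append("writable from this client")
                    if access and access[1] == "NO_ROOT_SQUASH":
                        flags.append("no root squash: root on the VM is root on the share")
                    if net.get("connectMode") == "PRIVATE_SERVICE_ACCESS":
                        flags.append("behind a VPC peering: see `gcloud compute networks peerings list`")
                    findings.append({
                        "instance": short,
                        "share": share["name"],
                        "ip": ip,
                        "access": access,
                        "flags": flags,
                        # Scan the whole reserved range, not just the one listed IP.
                        "nmap": f"nmap -p 111,2049 {net.get('reservedIpRange') or ip}",
                        "mount": (f"sudo mount -t nfs {ip}:/{share['name']} /mnt/{short}-{share['name']}"
                                  if access else None),
                    })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE, "10.10.5.4"):
        print(f"{f['instance']}/{f['share']} @ {f['ip']}: {f['access']} {f['flags']}")
        print(f"  {f['nmap']}")
        if f["mount"]:
            print(f"  {f['mount']}")
```

Run it with the VM's own internal IP as `client_ip`. A share with no export options at all is the most interesting hit: any VM on that VPC can mount it read/write as root, so credentials or backups on it are directly readable and writable.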
There is no way to escalate privileges in GCP by abusing this service directly, but with some post-exploitation tricks it's possible to get access to the data on the shares, where you may find credentials that let you escalate privileges:
GCP - Filestore Post Exploitation