GCP - Compute Instances


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

Google Cloud Compute Instances are customizable virtual machines on Google's cloud infrastructure, offering scalable and on-demand computing power for a wide range of applications. They provide features like global deployment, persistent storage, flexible OS choices, and strong networking and security integrations, making them a versatile choice for hosting websites, processing data, and running applications efficiently in the cloud.

Confidential VM

Confidential VMs use hardware-based security features of AMD EPYC processors (AMD Secure Encrypted Virtualization, SEV), which encrypt the VM's memory with a key the hypervisor never sees. This protects the data processed and stored inside the VM even from the host operating system and the hypervisor.

To run a Confidential VM you may need to change settings such as the machine type (only some machine families support it), the network interface and the boot disk image (the image must support Confidential VM).

Disk & Disk Encryption

It's possible to select the disk to use or create a new one. If you select a new one you can:

  • Select the size of the disk
  • Select the OS
  • Indicate if you want to delete the disk when the instance is deleted
  • Encryption: By default a Google-managed key is used, but you can also select a key from Cloud KMS (customer-managed encryption key, CMEK) or supply your own raw key (customer-supplied encryption key, CSEK), which Google does not store.

Deploy Container

It's possible to deploy a container inside the virtual machine (the instance then boots a Container-Optimized OS image).
You can configure the image to use, the command to run inside it and its arguments, volume mounts and environment variables (which frequently carry sensitive information), and several options for this container such as running it as privileged and allocating stdin and a pseudo-TTY. This whole declaration is stored in instance metadata (the gce-container-declaration key), so it is readable from the metadata endpoint.

Service Account

By default, the Compute Engine default service account is attached to the instance. Its email has the form <proj-num>-compute@developer.gserviceaccount.com
This service account is granted the Editor role over the whole project by default (high privileges), so any code running on the VM, or anyone who can reach its metadata endpoint, can obtain a token for it.

And the default access scopes are the following:

  • https://www.googleapis.com/auth/devstorage.read_only -- Read access to buckets :)
  • https://www.googleapis.com/auth/logging.write
  • https://www.googleapis.com/auth/monitoring.write
  • https://www.googleapis.com/auth/servicecontrol
  • https://www.googleapis.com/auth/service.management.readonly
  • https://www.googleapis.com/auth/trace.append

However, it's possible to select "Allow full access to all Cloud APIs" (the cloud-platform scope) with a click, or to specify custom scopes. Note that scopes only cap what the token obtained from the metadata server can call; the permissions themselves come from the service account's IAM roles. With the default scopes, an Editor SA still only gives read access to buckets from this token, whereas cloud-platform unlocks everything Editor allows.

Firewall

It's possible to allow HTTP and HTTPS traffic. Checking these boxes adds the http-server / https-server network tags to the instance and creates firewall rules allowing TCP 80 / 443 from 0.0.0.0/0, so the service is exposed to the whole Internet.

Networking

  • IP Forwarding: It's possible to enable IP forwarding (sending and receiving packets whose source/destination IP is not the instance's own, needed for NAT or VPN appliances), but only at instance creation.
  • Hostname: It's possible to give the instance a permanent custom hostname.
  • Interface: It's possible to add additional network interfaces (each attached to a different VPC network).

Extra Security

These Shielded VM options increase the security of the VM and are recommended:

  • Secure Boot: Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits by only allowing signed boot components to run.
  • Enable vTPM: The virtual Trusted Platform Module (vTPM) measures the guest VM's pre-boot and boot components, and offers key generation and protection (sealing keys to the boot state).
  • Integrity monitoring: Integrity monitoring lets you monitor and verify the runtime boot integrity of your Shielded VM instances by comparing the vTPM measurements of each boot against a known-good baseline and reporting the result to Cloud Logging (formerly Stackdriver). Requires vTPM to be enabled.
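The integrity monitoring bullet above is only useful if someone actually watches the reports. The following is an added example (not HackTricks code) of the detection logic a SOC would run over those Cloud Logging entries: it picks out integrity events whose early- or late-boot policy evaluation failed and lists which PCRs drifted from the baseline. The top-level field names (@type, bootCounter, earlyBootReportEvent, lateBootReportEvent, policyEvaluationPassed, policyMeasurements, actualMeasurements, pcrNum) follow the documented IntegrityEvent payload as I know it; the sample entries are constructed with invented values, and PROJECT_ID in the filter is a placeholder.

```python
INTEGRITY_TYPE = "type.googleapis.com/cloud_integrity.IntegrityEvent"

# Filter for `gcloud logging read` / Logs Explorer (PROJECT_ID is a placeholder).
LOG_FILTER = (
    'resource.type="gce_instance" AND '
    'logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fshielded_vm_integrity" AND '
    '(jsonPayload.earlyBootReportEvent.policyEvaluationPassed=false OR '
    'jsonPayload.lateBootReportEvent.policyEvaluationPassed=false)'
)

# Constructed sample entries (all values invented) shaped like records of the
# shielded_vm_integrity log: one clean boot, one boot whose late-boot PCR_4
# measurement no longer matches the baseline, and one unrelated log line.
SAMPLE_LOGS = [
    {"resource": {"type": "gce_instance", "labels": {"instance_id": "1111", "zone": "us-central1-a"}},
     "jsonPayload": {"@type": INTEGRITY_TYPE, "bootCounter": "7",
                     "earlyBootReportEvent": {"policyEvaluationPassed": True},
                     "lateBootReportEvent": {"policyEvaluationPassed": True}}},
    {"resource": {"type": "gce_instance", "labels": {"instance_id": "2222", "zone": "us-central1-a"}},
     "jsonPayload": {"@type": INTEGRITY_TYPE, "bootCounter": "8",
                     "earlyBootReportEvent": {"policyEvaluationPassed": True},
                     "lateBootReportEvent": {
                         "policyEvaluationPassed": False,
                         "policyMeasurements": [
                             {"pcrNum": "PCR_4", "hashAlgo": "SHA256", "value": "aaaa"},
                             {"pcrNum": "PCR_7", "hashAlgo": "SHA256", "value": "bbbb"}],
                         "actualMeasurements": [
                             {"pcrNum": "PCR_4", "hashAlgo": "SHA256", "value": "cccc"},
                             {"pcrNum": "PCR_7", "hashAlgo": "SHA256", "value": "bbbb"}]}}},
    {"resource": {"type": "gce_instance", "labels": {"instance_id": "3333"}},
     "jsonPayload": {"message": "not an integrity event"}},
]


def changed_pcrs(report: dict) -> list:
    """Return the PCR numbers whose measured value differs from the baseline."""
    baseline = {m["pcrNum"]: m["value"] for m in report.get("policyMeasurements", [])}
    actual = {m["pcrNum"]: m["value"] for m in report.get("actualMeasurements", [])}
    return sorted(p for p in set(baseline) | set(actual) if baseline.get(p) != actual.get(p))


def integrity_failures(entries: list) -> list:
    """Reduce a list of log entries to alerts for boots that failed integrity policy."""
    alerts = []
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        if payload.get("@type") != INTEGRITY_TYPE:
            continue  # other logs from the same instance
        labels = entry.get("resource", {}).get("labels", {})
        for phase in ("earlyBootReportEvent", "lateBootReportEvent"):
            report = payload.get(phase)
            # Only an explicit False is a failure; a missing report is not.
            if report and report.get("policyEvaluationPassed") is False:
                alerts.append({
                    "instance_id": labels.get("instance_id"),
                    "zone": labels.get("zone"),
                    "boot": payload.get("bootCounter"),
                    "phase": phase,
                    "changed_pcrs": changed_pcrs(report),
                })
    return alerts


if __name__ == "__main__":
    for alert in integrity_failures(SAMPLE_LOGS):
        print(alert)
```

A changed late-boot PCR right after a kernel or bootloader update is expected; the same change on an instance nobody touched is the signal worth paging on, and the baseline should only be re-learned after the cause is understood, since updating the integrity policy from a compromised boot silently blesses the compromise.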

VM Access

The common way to enable access to the VM is by adding the SSH public keys of the allowed users to the instance or project metadata (ssh-keys key).
However, it's also possible to manage access with OS Login, which ties SSH access to IAM roles (roles/compute.osLogin and roles/compute.osAdminLogin) instead of metadata keys. Moreover, OS Login can require 2FA (enable-oslogin-2fa=TRUE).
When OS Login is enabled (metadata enable-oslogin=TRUE), SSH keys placed in metadata are ignored.

Metadata

It's possible to define startup scripts (the equivalent of user data in AWS): shell commands stored in the startup-script metadata key that are executed as root every time the machine boots or restarts (a shutdown-script key runs at shutdown).

It's also possible to add extra metadata key-value pairs that are going to be accessible from the metadata endpoint. This is commonly used for environment variables and startup/shutdown scripts, so it often contains secrets. It can be obtained with gcloud compute instances describe (see the enumeration section), but it can also be retrieved from inside the instance by querying the metadata endpoint.

bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
    -H "Metadata-Flavor: Google"

# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
    -H "Metadata-Flavor: Google"

Moreover, an OAuth access token for the attached service account (instance/service-accounts/default/token) and general info about the instance, network and project are also available from the metadata endpoint, which is what makes SSRF on a GCP instance so valuable. For more info check:

Cloud SSRF - HackTricks
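Once the metadata has been pulled (via SSRF or from a shell on the box) the interesting part is reading it quickly for what matters. The following is an added example (not HackTricks code) that triages a recursive instance metadata dump the way the service account, container, VM access and metadata sections above describe: it flags the default compute SA and the cloud-platform scope, secrets in the startup script and container declaration, a privileged container, and whether SSH is gated by OS Login or by metadata keys. The sample dump is constructed with invented values and shaped like the JSON the endpoint returns; the key names (attributes, serviceAccounts, startup-script, gce-container-declaration, ssh-keys, enable-oslogin, block-project-ssh-keys) are the real metadata keys, and the secret-detection regexes are a heuristic of my own.

```python
import json
import re

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
SECRET_WORD = re.compile(r"pass(word)?|secret|token|api[_-]?key", re.I)
# KEY=value / KEY: value assignments whose name smells like a credential (heuristic).
SECRET_ASSIGN = re.compile(r"\b\w*(pass(word)?|secret|token|api[_-]?key)\w*\s*[=:]\s*\S+", re.I)
# "- name: X\n  value: Y" pairs in the container declaration's env list.
ENV_RE = re.compile(r"name:\s*(\S+)\s*\n\s*value:\s*(\S+)")

# Constructed container declaration, in the YAML form GCE stores in metadata.
CONTAINER_DECL = """spec:
  containers:
  - name: app
    image: gcr.io/example-proj/app
    securityContext:
      privileged: true
    env:
    - name: API_TOKEN
      value: tok_abc123
  restartPolicy: Always
"""

_SA = {
    "aliases": ["default"],
    "email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/devstorage.read_only", CLOUD_PLATFORM],
}

# Constructed sample (all values invented) shaped like the JSON from
#   curl -H "Metadata-Flavor: Google" \
#     "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true"
SAMPLE_INSTANCE = json.dumps({
    "name": "web-1",
    "attributes": {
        "startup-script": "#! /bin/bash\nexport DB_PASS=hunter2\n/opt/app/run.sh",
        "gce-container-declaration": CONTAINER_DECL,
        "ssh-keys": "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForThisExample alice",
        "enable-oslogin": "FALSE",
    },
    "serviceAccounts": {_SA["email"]: _SA, "default": _SA},
})


def triage(instance_json: str) -> list:
    """Return human-readable findings from an instance metadata dump."""
    md = json.loads(instance_json)
    attrs = md.get("attributes", {})
    findings = []

    # 1. Attached service account and its scopes. Scopes cap what the
    #    metadata-server token can call; IAM roles cap what the SA may do.
    seen = set()
    for sa in md.get("serviceAccounts", {}).values():
        email = sa.get("email", "")
        if not email or email in seen:
            continue  # "default" is an alias of the e-mail entry
        seen.add(email)
        scopes = sa.get("scopes", [])
        if DEFAULT_SA_RE.match(email):
            findings.append(f"{email} is the default compute SA (Editor on the project unless changed)")
        if CLOUD_PLATFORM in scopes:
            findings.append(f"{email} has the cloud-platform scope: token limited only by IAM")
        else:
            short = ", ".join(s.rsplit("/", 1)[-1] for s in scopes)
            findings.append(f"{email} token restricted to scopes: {short}")

    # 2. Startup script: runs as root on every boot and frequently embeds credentials.
    script = attrs.get("startup-script")
    if script is not None:
        hits = [m.group(0) for m in SECRET_ASSIGN.finditer(script)]
        findings.append("startup-script present" + (f", possible secrets: {hits}" if hits else ""))

    # 3. Container declaration: privileged flag and credential-looking env vars.
    decl = attrs.get("gce-container-declaration")
    if decl is not None:
        if re.search(r"privileged:\s*true", decl):
            findings.append("container declared privileged: host devices reachable from inside it")
        for name, _value in ENV_RE.findall(decl):
            if SECRET_WORD.search(name):
                findings.append(f"container env {name} looks like a secret (value sits in metadata)")

    # 4. SSH access model. Project-level attributes (.../project/attributes/)
    #    can also carry enable-oslogin and ssh-keys; check them as well.
    if attrs.get("enable-oslogin", "").upper() == "TRUE":
        findings.append("OS Login enabled: metadata ssh-keys ignored, access gated by IAM")
    else:
        if "ssh-keys" in attrs:
            findings.append("metadata ssh-keys active: setMetadata on the instance grants SSH")
        if attrs.get("block-project-ssh-keys", "").upper() != "TRUE":
            findings.append("project-wide ssh-keys also accepted (block-project-ssh-keys not TRUE)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INSTANCE):
        print("-", finding)
```

Feed it the raw body of the recursive instance query; the same checks apply to the project-level attributes dump, which is where enable-oslogin and ssh-keys are often set instead.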

Encryption

A Google-managed encryption key is used by default, but a customer-managed encryption key (CMEK) from Cloud KMS can be configured. You can also configure what happens when that CMEK is revoked: nothing, or shut down the VM.
