GCP - Compute Enum
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
GCP VPC & Networking
Learn about how this works in:
Enumeration
```bash
# List networks
gcloud compute networks list
gcloud compute networks describe <network>

# List subnetworks
gcloud compute networks subnets list
gcloud compute networks subnets get-iam-policy <name> --region <region>
gcloud compute networks subnets describe <name> --region <region>

# List FW rules in networks
gcloud compute firewall-rules list --format="table(
    name,
    network,
    direction,
    priority,
    sourceRanges.list():label=SRC_RANGES,
    destinationRanges.list():label=DEST_RANGES,
    allowed[].map().firewall_rule().list():label=ALLOW,
    denied[].map().firewall_rule().list():label=DENY,
    sourceTags.list():label=SRC_TAGS,
    sourceServiceAccounts.list():label=SRC_SVC_ACCT,
    targetTags.list():label=TARGET_TAGS,
    targetServiceAccounts.list():label=TARGET_SVC_ACCT,
    disabled
)"

# List Hierarchical Firewalls (folder- or organization-level policies)
gcloud compute firewall-policies list (--folder <value> | --organization <value>)
gcloud compute firewall-policies describe <fw_policy>
gcloud compute firewall-policies list-rules <fw_policy>

# Get Firewalls of each region
gcloud compute network-firewall-policies list
## Get final FWs applied in a region
gcloud compute network-firewall-policies get-effective-firewalls --network=<vpc_name> --region <region>
```
You can easily find compute instances with open firewall rules with https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum
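The same kind of check, written here as an added example (not code from the page or from the gcp_firewall_enum project): it takes the JSON that `gcloud compute firewall-rules list --format=json` returns (a constructed sample is embedded) and reports the enabled ingress allow rules whose source is the whole internet, lowest priority number first, since that is the rule that wins.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields the check needs are included).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-ssh-anywhere", "network": "default", "direction": "INGRESS",
   "priority": 1000, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-all-internal", "network": "default", "direction": "INGRESS",
   "priority": 65534, "disabled": false, "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-rdp", "network": "prod", "direction": "INGRESS",
   "priority": 900, "disabled": true, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "egress-any", "network": "prod", "direction": "EGRESS",
   "priority": 1000, "disabled": false, "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
"""

WORLD = {"0.0.0.0/0", "::/0"}


def exposed_ingress_rules(rules_json):
    """Return enabled INGRESS allow rules whose source range is the whole internet.

    Each finding records name, network, priority, the allowed protocol:ports pairs
    and the targets; a rule scoped by targetTags/targetServiceAccounts is still
    reported because it still opens those ports on the tagged instances.
    """
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue  # egress and disabled rules do not expose listeners
        if not WORLD & set(rule.get("sourceRanges", [])):
            continue  # source is not the whole internet
        if not rule.get("allowed"):
            continue  # deny-only rules are not exposures
        opened = [f"{a['IPProtocol']}:{','.join(a.get('ports', ['*']))}" for a in rule["allowed"]]
        targets = rule.get("targetTags") or rule.get("targetServiceAccounts") or ["<all instances in network>"]
        findings.append({"name": rule["name"], "network": rule["network"],
                         "priority": rule.get("priority", 1000), "opened": opened, "targets": targets})
    # Lower priority number wins, so report the most impactful rules first.
    return sorted(findings, key=lambda f: f["priority"])


if __name__ == "__main__":
    for f in exposed_ingress_rules(SAMPLE_RULES_JSON):
        print(f"{f['network']}/{f['name']} prio={f['priority']} opens {f['opened']} to {f['targets']}")
```

Pipe real output in with `gcloud compute firewall-rules list --format=json` instead of the sample; hierarchical firewall policies are evaluated before VPC rules and are not covered by this check.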
Compute instances
This is the way you can run virtual machines inside GCP. Check this page for more information:
Enumeration
```bash
# List regions; the grep keeps the header and only the regions with non-zero
# resource usage, which tells you which regions are actually in use
gcloud compute regions list | grep -E "NAME|[1-9][0-9]*/"

# List compute instances & get info
gcloud compute instances list
gcloud compute instances describe <instance-name> --zone <zone>
gcloud compute instances get-iam-policy <instance-name> --zone <zone>
gcloud compute instances get-screenshot <instance-name> # Instance must have "Display Device" enabled
gcloud compute instances os-inventory list-instances # Get OS info of instances (requires the OS Config agent running on them)

# Enumerate disks
gcloud compute disks list
gcloud compute disks describe <disk>
gcloud compute disks get-iam-policy <disk>
```
For more information about how to SSH or modify the metadata of an instance to escalate privileges, check this page:
GCP - local privilege escalation ssh pivoting
Privilege Escalation
In the following page, you can check how to abuse compute permissions to escalate privileges:
Unauthenticated Enum
GCP - Compute Unauthenticated Enum
Post Exploitation
GCP - Compute Post Exploitation
Persistence
Serial Console Logs
Compute Engine Serial Console Logs are a feature that allows you to view and diagnose the boot and operating system logs of your virtual machine instances.
Serial Console Logs provide a low-level view of the instance's boot process, including kernel messages, init scripts, and other system events that occur during boot-up. This can be useful for debugging boot issues, identifying misconfigurations or software errors, or troubleshooting network connectivity problems.
These logs may expose sensitive information from the system logs which a low-privileged user would not usually be able to see, but with the appropriate IAM permissions you may be able to read them.
You can use the following gcloud command to query the serial port logs (the permission required is compute.instances.getSerialPortOutput):
```bash
gcloud compute instances get-serial-port-output <instance-name>
```
Startup Scripts output
It's possible to see the output of the startup scripts from inside the VM by executing:
```bash
sudo journalctl -u google-startup-scripts.service
```
OS Configuration Manager
You can use the OS configuration management service to deploy, query, and maintain consistent configurations (desired state and software) for your VM instance (VM). On Compute Engine, you must use guest policies to maintain consistent software configurations on a VM.
The OS Configuration management feature allows you to define configuration policies that specify which software packages should be installed, which services should be enabled, and which files or configurations should be present on your VMs. You can use a declarative approach to managing the software configuration of your VMs, which enables you to automate and scale your configuration management process more easily.
This also allows logging into instances via IAM permissions, so it's very useful for privesc and pivoting.
warning
In order to enable os-config in a whole project or in an instance you just need to set the metadata key enable-oslogin to true at the desired level.
Moreover, you can set the metadata key enable-oslogin-2fa to true to enable 2FA.
When you enable it while creating an instance, the metadata keys will be set automatically.
Note that 2FA in OS-config only applies if the caller is a user; if it's a SA (like the compute SA) nothing extra will be required.
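Because the keys can be set at project or instance level, an instance's own metadata overrides the project-wide value key by key. The following added example (not code from the page) resolves the effective enable-oslogin / enable-oslogin-2fa setting per instance from the JSON output of `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json` (constructed samples embedded), and flags instances that weaken a project-wide setting.

```python
import json

# Constructed samples in the shape of `gcloud compute project-info describe --format=json`
# (commonMetadata.items) and `gcloud compute instances list --format=json` (metadata.items).
PROJECT_JSON = """{"commonMetadata": {"items": [
  {"key": "enable-oslogin", "value": "TRUE"},
  {"key": "enable-oslogin-2fa", "value": "TRUE"}]}}"""
INSTANCES_JSON = """[
  {"name": "web-1", "metadata": {"items": [{"key": "enable-oslogin-2fa", "value": "false"}]}},
  {"name": "db-1", "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
  {"name": "bastion", "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/sh"}]}}
]"""

OSLOGIN_KEYS = ("enable-oslogin", "enable-oslogin-2fa")


def _items(meta):
    # gcloud returns metadata as a list of {"key", "value"} pairs; values are strings.
    return {i["key"]: i.get("value", "") for i in meta.get("items", [])}


def _is_true(value):
    # The metadata value is a case-insensitive string ("TRUE" and "true" both enable).
    return value.strip().lower() == "true"


def effective_oslogin(project_json, instances_json):
    """Resolve the effective OS Login settings per instance.

    Instance metadata overrides project metadata key by key, so a single instance
    can opt out of a project-wide OS Login or 2FA requirement.
    Returns {instance_name: {key: (enabled, "instance" | "project" | "unset")}}.
    """
    project = _items(json.loads(project_json).get("commonMetadata", {}))
    result = {}
    for inst in json.loads(instances_json):
        local = _items(inst.get("metadata", {}))
        settings = {}
        for key in OSLOGIN_KEYS:
            if key in local:
                settings[key] = (_is_true(local[key]), "instance")
            elif key in project:
                settings[key] = (_is_true(project[key]), "project")
            else:
                settings[key] = (False, "unset")
        result[inst["name"]] = settings
    return result


def overrides_weakening_project(project_json, instances_json):
    """Names of instances whose own metadata disables a key the project enables."""
    project = _items(json.loads(project_json).get("commonMetadata", {}))
    return [name for name, settings in effective_oslogin(project_json, instances_json).items()
            if any(src == "instance" and not on and _is_true(project.get(key, ""))
                   for key, (on, src) in settings.items())]
```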
Enumeration
```bash
gcloud compute os-config patch-deployments list
gcloud compute os-config patch-deployments describe <patch-deployment>
gcloud compute os-config patch-jobs list
gcloud compute os-config patch-jobs describe <patch-job>
```
Images
Custom Images
Custom compute images may contain sensitive details or other vulnerable configurations that you can exploit.
When an image is created you can choose between three types of encryption: a Google-managed key (default), a key from KMS, or a raw key supplied by the client.
Enumeration
You can query the list of non-standard images in a project with the following command:
```bash
gcloud compute machine-images list
gcloud compute machine-images describe <name>
gcloud compute machine-images get-iam-policy <name>
```
You can then export the virtual disks from any image in multiple formats. The following command would export the image test-image in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
```bash
gcloud compute images export --image test-image \
    --export-format qcow2 --destination-uri [BUCKET]

# Run a container image stored in the project's registry to inspect it locally
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh
```
Privilege Escalation
Check the Compute Instances privilege escalation section.
Custom Instance Templates
An instance template defines instance properties to help deploy consistent configurations. These may contain the same types of sensitive data as a running instance's custom metadata. You can use the following commands to investigate:
```bash
# List the available templates
gcloud compute instance-templates list
# Get the details of a specific template
gcloud compute instance-templates describe [TEMPLATE NAME]
```
It could be interesting to know which disk image new instances are using, but these templates won't usually contain sensitive information.
Snapshots
The snapshots are backups of disks. Note that this is not the same as cloning a disk (another available feature).
The snapshot will use the same encryption as the disk it's taken from.
Enumeration
```bash
gcloud compute snapshots list
gcloud compute snapshots describe <snapshot>
gcloud compute snapshots get-iam-policy <snapshot>
```
Privilege Escalation
Check the Compute Instances privilege escalation section.