GCP - Filestore Enum
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Google Cloud Filestore is a managed file storage service tailored for applications in need of both a filesystem interface and a shared filesystem for data. This service excels by offering high-performance file shares, which can be integrated with various GCP services. Its utility shines in scenarios where traditional file system interfaces and semantics are crucial, such as in media processing, content management, and the backup of databases.
You can think of this like any other NFS shared document repository - a potential source of sensitive info.
Connections
When creating a Filestore instance you select the VPC network it will be reachable from (the instance gets an internal IP in that network; there is no public endpoint).
By default every client on the selected VPC network and region can mount the share. Access can be restricted per IP address or CIDR range, and each range gets an access privilege (Admin, Admin Viewer, Editor or Viewer). Those labels are just the console names for the two NFS export options: Admin is read/write without root squash, Admin Viewer is read-only without root squash, Editor is read/write with root squash and Viewer is read-only with root squash. In the API and gcloud output they appear as `accessMode` (READ_WRITE/READ_ONLY) and `squashMode` (NO_ROOT_SQUASH/ROOT_SQUASH). The squash mode matters for an attacker: without root squash, root on a client VM reads every file regardless of its uid/gid.
It can also be reachable through a Private Services Access connection:
- It is per VPC network and is shared by every managed service that uses private services access, such as Memorystore, Tensorflow and Cloud SQL.
- It is a VPC peering between your VPC network and a network owned by Google, so your instances and the service communicate exclusively over internal IP addresses.
- Google creates an isolated project on the service-producer side that no other customer shares; you are billed only for the resources you provision.
- The peering imports new routes (the ranges allocated to the producer) into your VPC.
Backups
It's possible to create backups of the file shares. These can later be restored into the original instance or into a new one (a backup of a share you cannot mount may therefore be readable by restoring it elsewhere).
Encryption
By default a Google-managed encryption key will be used to encrypt the data, but it's possible to select a Customer-managed encryption key (CMEK).
Enumeration
If you find a Filestore instance in the project, you can mount it from within the compromised Compute instance. Use the following commands to see if any exist (listing needs the `file.instances.list` permission); `describe` is the one that shows the server IP (`networks[].ipAddresses`) and the per-range restrictions (`fileShares[].nfsExportOptions`) you need to decide whether your VM can mount it:
# Instances
gcloud filestore instances list # Check the IP address
gcloud filestore instances describe --zone <zone> <name> # Check IP and access restrictions
# Backups
gcloud filestore backups list
gcloud filestore backups describe --region <region> <backup>
# Search for NFS shares in a VPC subnet
sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 --open 10.99.160.2/20
caution
Note that a Filestore instance may sit in a range allocated specifically for it (inside a Private Services Access connection, which is a VPC peering) rather than in one of the subnets you already know about.
So you might also need to enumerate the VPC peerings and run nmap over the routes imported from them.
# Get peerings
gcloud compute networks peerings list
# Get routes imported from a peering
gcloud compute networks peerings list-routes <peering-name> --network=<network-name> --region=<region> --direction=INCOMING
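The commands above leave you with two decisions to make by hand: which of the imported ranges to scan, and whether your VM's IP falls in an allowed range of a given share and with which privilege. The script below automates both. It is an added example, not code from HackTricks or from Google; it assumes the JSON shape produced by `gcloud filestore instances list --format=json` (`networks[].ipAddresses`, `fileShares[].nfsExportOptions[].{ipRanges,accessMode,squashMode}`) and by `gcloud compute networks peerings list-routes --format=json` (`destRange`), and that a share without `nfsExportOptions` is reachable read/write without root squash by every client on the VPC. The instance names, IPs and routes are constructed sample data, not captured output.

```python
"""Filestore reachability triage from gcloud JSON output.

Added example (not HackTricks' or Google's code). Parses the JSON emitted by
`gcloud filestore instances list --format=json` and by
`gcloud compute networks peerings list-routes ... --format=json`.
The sample documents below are constructed to mirror those shapes.
"""
import ipaddress
import json

# Console "Access privilege" labels and the NFS export options behind them.
PRIVILEGE = {
    ("READ_WRITE", "NO_ROOT_SQUASH"): "Admin",
    ("READ_ONLY", "NO_ROOT_SQUASH"): "Admin Viewer",
    ("READ_WRITE", "ROOT_SQUASH"): "Editor",
    ("READ_ONLY", "ROOT_SQUASH"): "Viewer",
}

# Constructed sample: one instance restricted by IP, one left at the default
# (no nfsExportOptions), i.e. every client on the VPC is Admin.
INSTANCES_JSON = """[
 {"name": "projects/acme-prod/locations/us-central1-a/instances/media-nfs",
  "state": "READY", "tier": "BASIC_HDD",
  "networks": [{"network": "prod-vpc", "ipAddresses": ["10.140.0.2"],
                "reservedIpRange": "10.140.0.0/29"}],
  "fileShares": [{"name": "media", "capacityGb": "1024",
    "nfsExportOptions": [
      {"ipRanges": ["10.99.160.0/20"], "accessMode": "READ_ONLY", "squashMode": "ROOT_SQUASH"},
      {"ipRanges": ["10.99.10.5"], "accessMode": "READ_WRITE", "squashMode": "NO_ROOT_SQUASH"}]}]},
 {"name": "projects/acme-prod/locations/us-central1-a/instances/db-dumps",
  "state": "READY", "tier": "BASIC_HDD",
  "networks": [{"network": "prod-vpc", "ipAddresses": ["10.140.0.10"],
                "reservedIpRange": "10.140.0.8/29"}],
  "fileShares": [{"name": "dumps", "capacityGb": "1024"}]}
]"""

# Constructed sample of `peerings list-routes --direction=INCOMING`: the
# producer side exports the reserved ranges into our VPC.
PEERING_ROUTES_JSON = """[
 {"destRange": "10.140.0.0/29", "type": "SUBNET_PEERING_ROUTE", "imported": true},
 {"destRange": "10.140.0.8/29", "type": "SUBNET_PEERING_ROUTE", "imported": true}
]"""


def load_samples():
    """Parse the constructed samples (in a real run, read the gcloud output)."""
    return json.loads(INSTANCES_JSON), json.loads(PEERING_ROUTES_JSON)


def client_privilege(instance, client_ip):
    """Return [(share, server_ip, privilege)] for the shares a client can mount.

    No nfsExportOptions means the default export (Admin for the whole VPC);
    otherwise the first option whose ipRanges contain the client decides.
    """
    ip = ipaddress.ip_address(client_ip)
    server_ips = [a for net in instance.get("networks", [])
                  for a in net.get("ipAddresses", [])]
    hits = []
    for share in instance.get("fileShares", []):
        opts = share.get("nfsExportOptions") or []
        privilege = "Admin" if not opts else None
        for opt in opts:
            if any(ip in ipaddress.ip_network(r, strict=False)
                   for r in opt.get("ipRanges", [])):
                key = (opt.get("accessMode", "READ_WRITE"),
                       opt.get("squashMode", "NO_ROOT_SQUASH"))
                privilege = PRIVILEGE.get(key, "unknown")
                break
        if privilege:
            hits.extend((share["name"], sip, privilege) for sip in server_ips)
    return hits


def mountable_shares(instances, client_ip):
    """Across all instances: which shares this client can mount, how, and the mount line."""
    rows = []
    for inst in instances:
        short = inst["name"].rsplit("/", 1)[-1]
        for share, sip, priv in client_privilege(inst, client_ip):
            rows.append({"instance": short, "share": share, "ip": sip, "privilege": priv,
                         "mount": f"sudo mount -t nfs {sip}:/{share} /mnt/{short}"})
    return rows


def scan_targets(local_ranges, peering_routes):
    """Local subnets plus ranges imported over peerings, merged into minimal CIDRs."""
    nets = {ipaddress.ip_network(r, strict=False) for r in local_ranges}
    nets |= {ipaddress.ip_network(rt["destRange"], strict=False)
             for rt in peering_routes if rt.get("destRange")}
    return [str(n) for n in ipaddress.collapse_addresses(sorted(nets))]


def nmap_command(targets):
    """The page's NFS discovery scan, pointed at the computed target list."""
    return ("sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 "
            "--open " + " ".join(targets))


if __name__ == "__main__":
    instances, routes = load_samples()
    print(nmap_command(scan_targets(["10.99.160.0/20"], routes)))
    for row in mountable_shares(instances, "10.99.160.50"):  # the compromised VM's IP
        print(row)
```

Run from the compromised VM with its own internal IP as `client_ip`; a `Viewer` or `Editor` hit still lets you read the share (only root identity is squashed), while an `Admin` hit on a share with no export options is the common misconfiguration to look for first. The two adjacent /29 peering routes are merged into one /28 so the scan line stays short.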
Privilege Escalation & Post Exploitation
There is no way to escalate privileges in GCP by directly abusing this service, but with some post-exploitation tricks it's possible to get access to the data, where you may find credentials that let you escalate privileges:
GCP - Filestore Post Exploitation
Persistence