diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 0000000000..d7961cab39
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index d7961cab39..ece9585b82 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index ece9585b82..3048b65efa 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 3048b65efa..fb52dbc6cd 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index fb52dbc6cd..ce50798209 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index ce50798209..fb5aa4f77c 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index fb5aa4f77c..0f269bd025 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 0f269bd025..66bce84492 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
index 66bce84492..cf55c03e28 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
index cf55c03e28..7e59066fb8 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png
index 7e59066fb8..a66b921a15 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png
index a66b921a15..6e6b14ecd4 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
index 6e6b14ecd4..67281e0416 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index 67281e0416..0b02740595 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index 0b02740595..f6d47edde9 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index f6d47edde9..e521aaf21b 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index e521aaf21b..9484a40cb8 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/SUMMARY.md b/SUMMARY.md
index e21179bea2..29534f8dc0 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -76,6 +76,7 @@
* [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md)
* [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md)
* [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md)
+ * [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
* [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md)
* [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md)
* [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md)
@@ -110,6 +111,7 @@
* [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md)
* [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md)
* [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md)
+ * [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md)
* [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
* [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
* [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
@@ -118,7 +120,7 @@
* [GCP - Cloud Build Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md)
* [GCP - Cloud Functions Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-functions-enum.md)
* [GCP - Cloud Run Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-run-enum.md)
- * [GCP - Cloud SQL](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql.md)
+ * [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md)
* [GCP - Compute Enum](pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/README.md)
* [GCP - Compute Instance](pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md)
* [GCP - VPC & Networking](pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md)
@@ -146,6 +148,7 @@
* [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md)
* [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
* [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
+ * [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
* [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
* [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md)
* [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md)
diff --git a/pentesting-ci-cd/okta-security/README.md b/pentesting-ci-cd/okta-security/README.md
index 86ba8df0f8..06a8273caf 100644
--- a/pentesting-ci-cd/okta-security/README.md
+++ b/pentesting-ci-cd/okta-security/README.md
@@ -64,11 +64,11 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu
With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz:
-
+
You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted:
-
+
Heading over to the Okta dashboard, if everything is OK, you’ll be signed in.
diff --git a/pentesting-ci-cd/travisci-security/README.md b/pentesting-ci-cd/travisci-security/README.md
index 8ded31c4c4..a9254a1bf2 100644
--- a/pentesting-ci-cd/travisci-security/README.md
+++ b/pentesting-ci-cd/travisci-security/README.md
@@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according
TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
- (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+ (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Dumping Secrets
diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md
index 73b732161f..aa40cc96ee 100644
--- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md
+++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md
@@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
{% endhint %}
-
+
### Generic KMS Ransomware
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
index 6a0ff28f02..4c7b44f86a 100644
--- a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
+++ b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
@@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec
It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
-
+
First, you need to give the external account access over the registry with a **registry policy** like:
diff --git a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
index 2d8bec676e..5d46cf6f0c 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
+++ b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
@@ -248,7 +248,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu
To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:
-
+
## Unauthenticated Access
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
index 5bd02d1b58..3cc19aa1df 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
+++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
@@ -46,7 +46,7 @@ The “upgrade” from normal refresh token to primary refresh token is not poss
If there is a policy that requires MFA to sign in, we can instead use the `interactiveauth` module:
-
+
The resulting refresh token (which is cached in the `.roadtools_auth` file) can be used to request a token for the device registration service, where we can create the device:
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md
index 314c68d9ee..f78c0e6764 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md
+++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md
@@ -113,7 +113,7 @@ Tokens were written to .roadtools_auth
There’s also other options you can use to specify other resources or the correct redirect URL for the app you are using:
-
+
## Selenium based Azure AD authentication
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md
index 9082e3d1b3..a2651a46b7 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md
+++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md
@@ -43,7 +43,7 @@ The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync
It's possible to extract the configuration from one of the tables, being one encrypted:
-
+
The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD.
diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
index 9596a84634..c78cd14e91 100644
--- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
+++ b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
@@ -213,7 +213,7 @@ az network vnet subnet list --resource-group --vnet-name
+
**Service Endpoints:**
diff --git a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md
index 7a83b7d3fc..8a7a3d5a75 100644
--- a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md
+++ b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md
@@ -70,7 +70,7 @@ Once a connection is generated, you can use it to **link repositories that the G
This option is available through the button:
-
+
{% hint style="success" %}
Note that repositories connected with this method are **only available in Triggers using 2nd generation.**
diff --git a/pentesting-cloud/gcp-security/gcp-basic-information.md b/pentesting-cloud/gcp-security/gcp-basic-information.md
index 629141ee54..11b18b6593 100644
--- a/pentesting-cloud/gcp-security/gcp-basic-information.md
+++ b/pentesting-cloud/gcp-security/gcp-basic-information.md
@@ -168,7 +168,7 @@ When an organisation is created several groups are **strongly suggested to be cr
* No expiration
* If people is accessing Workspace through a third party provider, these requirements aren't applied.
-
+
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md
new file mode 100644
index 0000000000..0e68d95e3a
--- /dev/null
+++ b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md
@@ -0,0 +1,68 @@
+# GCP - Cloud SQL Persistence
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* github repos.
+
+
+
+## Cloud SQL
+
+For more information about Cloud SQL check:
+
+{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
+[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
+{% endcontent-ref %}
+
+### Expose the database and whitelist your IP address
+
+A database only accessible from an internal VPC can be exposed externally and your IP address can be whitelisted so you can access it.\
+For more information check the technique in:
+
+{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
+[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
+{% endcontent-ref %}
+
+### Create a new user / Update users password / Get password of a user
+
+To connect to a database you **just need access to the port** exposed by the database and a **username** and **password**. With e**nough privileges** you could **create a new user** or **update** an existing user **password**.\
+Another option would be to **brute force the password of an user** by trying several password or by accessing the **hashed** password of the user inside the database (if possible) and cracking it.\
+Remember that **it's possible to list the users of a database** using GCP API.
+
+{% hint style="info" %}
+You can create/update users using GCP API or from inside the databae if you have enough permissions.
+{% endhint %}
+
+For more information check the technique in:
+
+{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
+[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
+{% endcontent-ref %}
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* github repos.
+
+
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md
new file mode 100644
index 0000000000..462442f40b
--- /dev/null
+++ b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md
@@ -0,0 +1,129 @@
+# GCP - Cloud SQL Post Exploitation
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Cloud SQL
+
+For more information about Cloud SQL check:
+
+{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
+[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
+{% endcontent-ref %}
+
+### `cloudsql.instances.update`, ( `cloudsql.instances.get`)
+
+To connect to the databases you **just need access to the database port** and know the **username** and **password**, there isn't any IAM requirements. So, an easy way to get access, supposing that the database has a public IP address, is to update the allowed networks and **allow your own IP address to access it**.
+
+```bash
+# Use --assign-ip to make the database get a public IPv4
+gcloud sql instances patch $INSTANCE_NAME \
+ --authorized-networks "$(curl ifconfig.me)" \
+ --assign-ip \
+ --quiet
+
+mysql -h # If mysql
+
+# With cloudsql.instances.get you can use gcloud directly
+gcloud sql connect mysql --user=root --quiet
+```
+
+It's also possible to use **`--no-backup`** to **disrupt the backups** of the database.
+
+As these are the requirements I'm not completely sure what are the permissions **`cloudsql.instances.connect`** and **`cloudsql.instances.login`** for. If you know it send a PR!
+
+### `cloudsql.users.list`
+
+Get a **list of all the users** of the database:
+
+```bash
+gcloud sql users list --instance
+```
+
+### `cloudsql.users.create`
+
+This permission allows to **create a new user inside** the database:
+
+```bash
+gcloud sql users create --instance --password
+```
+
+### `cloudsql.users.update`
+
+This permission allows to **update user inside** the database. For example, you could change its password:
+
+{% code overflow="wrap" %}
+```bash
+gcloud sql users set-password --instance --password
+```
+{% endcode %}
+
+### `cloudsql.instances.restoreBackup`, `cloudsql.backupRuns.get`
+
+Backups might contain **old sensitive information**, so it's interesting to check them.\
+**Restore a backup** inside a database:
+
+```bash
+gcloud sql backups restore --restore-instance
+```
+
+To do it in a more stealth way it's recommended to create a new SQL instance and recover the data there instead of in the currently running databases.
+
+### `cloudsql.backupRuns.delete`
+
+This permission allow to delete backups:
+
+```bash
+gcloud sql backups delete --instance
+```
+
+### `cloudsql.instances.export`, `storage.objects.create`
+
+**Export a database** to a Cloud Storage Bucket so you can access it from there:
+
+```bash
+# Export sql format, it could also be csv and bak
+gcloud sql export sql
+```
+
+### `cloudsql.instances.import`, `storage.objects.get`
+
+**Import a database** (overwrite) from a Cloud Storage Bucket:
+
+```bash
+# Import format SQL, you could also import formats bak and csv
+gcloud sql import sql
+```
+
+### `cloudsql.databases.delete`
+
+Delete a database from the db instance:
+
+```bash
+gcloud sql databases delete --instance
+```
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
similarity index 80%
rename from pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql.md
rename to pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
index 542bb7099e..fd3feb127b 100644
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql.md
+++ b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
@@ -1,4 +1,4 @@
-# GCP - Cloud SQL
+# GCP - Cloud SQL Enum
@@ -35,7 +35,7 @@ Key features of Google Cloud SQL include:
In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":**
-
+
It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default.
@@ -56,7 +56,7 @@ By default a Google-managed encryption key is used, but it's also **possible to
* **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database
* **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it**
-
+
### Data Protection
@@ -64,6 +64,43 @@ By default a Google-managed encryption key is used, but it's also **possible to
* **Point-in-time recovery**: Allows you to recover data from a specific point in time, down to a fraction of a second.
* **Deletion Protection**: If enabled, the DB won't be able to be deleted until this feature is disabled
+### Enumeration
+
+```bash
+# Get SQL instances
+gcloud sql instances list
+gcloud sql instances describe # get IPs, CACert, settings
+
+# Get database names inside an instance (like information_schema, sys...)
+gcloud sql databases list --instance
+gcloud sql databases describe --instance
+
+# Get usernames inside the db instance
+gcloud sql users list --instance
+
+# Backups
+gcloud sql backups list --instance
+gcloud sql backups describe --instance
+```
+
+### Unauthenticated Enum
+
+{% content-ref url="../gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md" %}
+[gcp-cloud-sql-unauthenticated-enum.md](../gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
+{% endcontent-ref %}
+
+### Post Exploitation
+
+{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %}
+[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md)
+{% endcontent-ref %}
+
+### Persistence
+
+{% content-ref url="../gcp-persistence/gcp-cloud-sql-persistence.md" %}
+[gcp-cloud-sql-persistence.md](../gcp-persistence/gcp-cloud-sql-persistence.md)
+{% endcontent-ref %}
+
Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
diff --git a/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
new file mode 100644
index 0000000000..5bf1b560f9
--- /dev/null
+++ b/pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
@@ -0,0 +1,47 @@
+# GCP - Cloud SQL Unauthenticated Enum
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Cloud SQL
+
+For more infromation about Cloud SQL check:
+
+{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %}
+[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md)
+{% endcontent-ref %}
+
+### Brute Force
+
+If you have **access to a Cloud SQL port** because all internet is permitted or for any other reason, you can try to brute force credentials.
+
+Check this page for **different tools to burte-force** different database technologies:
+
+{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force" %}
+
+Remember that with some privileges it's possible to **list all the database users** via GCP API.
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1) (1) (1).png)
 (1) (1) (1) (1).png)
 (1) (1) (1) (1) (1).png)
 (1).png)
 (1) (1).png)
 (1) (1).png)
 (1) (1) (1).png)
 (1) (1).png)
.png)