GITBOOK-536: change request with no subject merged in GitBook

SUMMARY.md

@@ -115,6 +115,7 @@
     * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md)
     * [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md)
     * [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md)
+    * [GCP - Compute Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md)
     * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
     * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
   * [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
@@ -154,6 +155,7 @@
     * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md)
     * [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md)
     * [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md)
+    * [GCP - Compute Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
     * [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
     * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md)
       * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md)

pentesting-cloud/gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/README.md

@@ -14,7 +14,13 @@ Other ways to support HackTricks:
 
 </details>
 
-## compute
+## Compute
+
+For more information about Compute and VPC (netowork) in GCP check:
+
+{% content-ref url="../../gcp-services/gcp-compute-instances-enum/" %}
+[gcp-compute-instances-enum](../../gcp-services/gcp-compute-instances-enum/)
+{% endcontent-ref %}
 
 ### `compute.projects.setCommonInstanceMetadata`
 
@@ -112,6 +118,12 @@ Use this permission to **get the previous permissions.**
 
 `TODO`
 
+### Local Privilege Escalation in GCP Compute instance
+
+{% content-ref url="../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %}
+[gcp-local-privilege-escalation-ssh-pivoting.md](../../../gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md)
+{% endcontent-ref %}
+
 ## References
 
 * [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)

pentesting-cloud/gcp-pentesting/gcp-services/gcp-compute-instances-enum/README.md

@@ -109,7 +109,19 @@ In the following page, you can check how to **abuse compute permissions to escal
 [gcp-compute-privesc](../../gcp-privilege-escalation/gcp-compute-privesc/)
 {% endcontent-ref %}
 
-### Serial Console Logs
+### Unauthenticated Enum
+
+{% content-ref url="../../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %}
+[gcp-compute-unauthenticated-enum.md](../../../gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md)
+{% endcontent-ref %}
+
+### Persistence
+
+{% content-ref url="../../../gcp-security/gcp-persistence/gcp-compute-persistence.md" %}
+[gcp-compute-persistence.md](../../../gcp-security/gcp-persistence/gcp-compute-persistence.md)
+{% endcontent-ref %}
+
+## Serial Console Logs
 
 Compute Engine Serial Console Logs are a feature that allows you to **view and diagnose the boot and operating system logs** of your virtual machine instances.
 
@@ -205,7 +217,7 @@ The **snapshot** will use the **same encryption as the disk** it's taken from.
 
 ### Enumeration
 
-```
+```bash
 gcloud compute snapshots list
 gcloud compute snapshots describe <snapshot>
 gcloud compute snapshots get-iam-policy <snapshot>

pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md

@@ -0,0 +1,49 @@
+# GCP - Compute Persistence
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* &#x20;github repos.
+
+</details>
+
+## Compute
+
+For more informatoin about Compute and VPC (Networking) check:
+
+{% content-ref url="../../gcp-pentesting/gcp-services/gcp-compute-instances-enum/" %}
+[gcp-compute-instances-enum](../../gcp-pentesting/gcp-services/gcp-compute-instances-enum/)
+{% endcontent-ref %}
+
+### Persistence abusing Instances & backups
+
+* Backdoor existing VMs
+* Backdoor disk images and snapshots creating new versions
+* Create new accessible instance with a privileged SA
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* &#x20;github repos.
+
+</details>

pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md

@@ -46,11 +46,11 @@ Most of the following proposed permissions are **given to the default Compute SA
 
 Check the following permissions:
 
-* ****[**compute.instances.osLogin**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.oslogin)****
-* ****[**compute.instances.osAdminLogin**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.osadminlogin)****
-* ****[**compute.projects.setCommonInstanceMetadata**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.projects.setcommoninstancemetadata)****
-* ****[**compute.instances.setMetadata**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.setmetadata)****
-* ****[**compute.instances.setIamPolicy**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.setiampolicy)****
+* [**compute.instances.osLogin**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.oslogin)
+* [**compute.instances.osAdminLogin**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.osadminlogin)
+* [**compute.projects.setCommonInstanceMetadata**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.projects.setcommoninstancemetadata)
+* [**compute.instances.setMetadata**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.setmetadata)
+* [**compute.instances.setIamPolicy**](../../gcp-pentesting/gcp-privilege-escalation/gcp-compute-privesc/#compute.instances.setiampolicy)
 
 ## Search for Keys in the filesystem
 
@@ -64,10 +64,10 @@ sudo find / -name "gcloud"
 
 You can manually inspect the files inside, but these are generally the ones with the secrets:
 
-* \~/.config/gcloud/credentials.db
-* \~/.config/gcloud/legacy\_credentials/\[ACCOUNT]/adc.json
-* \~/.config/gcloud/legacy\_credentials/\[ACCOUNT]/.boto
-* \~/.credentials.json
+* `~/.config/gcloud/credentials.db`
+* `~/.config/gcloud/legacy_credentials/[ACCOUNT]/adc.json`
+* `~/.config/gcloud/legacy_credentials/[ACCOUNT]/.boto`
+* `~/.credentials.json`
 
 Now, you have the option of looking for clear text credentials in these files or simply copying the entire `gcloud` folder to a machine you control and running `gcloud auth list` to see what accounts are now available to you.
 
@@ -105,6 +105,10 @@ grep -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' \
     "$TARGET_DIR"
 ```
 
+## References
+
+* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
+
 <details>
 
 <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

pentesting-cloud/gcp-security/gcp-unaunthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md

@@ -0,0 +1,53 @@
+# GCP - Compute Unauthenticated Enum
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* &#x20;github repos.
+
+</details>
+
+## Compute
+
+For more information about Compute and VPC (Networking) check:
+
+{% content-ref url="../../gcp-pentesting/gcp-services/gcp-compute-instances-enum/" %}
+[gcp-compute-instances-enum](../../gcp-pentesting/gcp-services/gcp-compute-instances-enum/)
+{% endcontent-ref %}
+
+### SSRF - Server Side Request Forgery
+
+If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check:
+
+{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery" %}
+
+### Vulnerable exposed services
+
+If a GCP instance has a vulnerable exposed service an attacker could abuse it to compromise it.
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
+*
+*
+* &#x20;github repos.
+
+</details>