# GCP - local privilege escalation ssh pivoting {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} in this scenario we are going to suppose that you **have compromised a non privilege account** inside a VM in a Compute Engine project. Amazingly, GPC permissions of the compute engine you have compromised may help you to **escalate privileges locally inside a machine**. Even if that won't always be very helpful in a cloud environment, it's good to know it's possible. ## Read the scripts **Compute Instances** are probably there to **execute some scripts** to perform actions with their service accounts. As IAM is go granular, an account may have **read/write** privileges over a resource but **no list privileges**. A great hypothetical example of this is a Compute Instance that has permission to read/write backups to a storage bucket called `instance82736-long-term-xyz-archive-0332893`. Running `gsutil ls` from the command line returns nothing, as the service account is lacking the `storage.buckets.list` IAM permission. However, if you ran `gsutil ls gs://instance82736-long-term-xyz-archive-0332893` you may find a complete filesystem backup, giving you clear-text access to data that your local Linux account lacks. You may be able to find this bucket name inside a script (in bash, Python, Ruby...). ## Custom Metadata Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the **instance** and **project level**. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts. Moreover, it's possible to add **userdata**, which is a script that will be **executed everytime** the machine is started or restarted and that can be **accessed from the metadata endpoint also.** For more info check: {% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} ## **Abusing IAM permissions** Most of the following proposed permissions are **given to the default Compute SA,** the only problem is that the **default access scope prevents the SA from using them**. However, if **`cloud-platform`** **scope** is enabled or just the **`compute`** **scope** is enabled, you will be **able to abuse them**. Check the following permissions: * [**compute.instances.osLogin**](gcp-compute-privesc/#compute.instances.oslogin) * [**compute.instances.osAdminLogin**](gcp-compute-privesc/#compute.instances.osadminlogin) * [**compute.projects.setCommonInstanceMetadata**](gcp-compute-privesc/#compute.projects.setcommoninstancemetadata) * [**compute.instances.setMetadata**](gcp-compute-privesc/#compute.instances.setmetadata) * [**compute.instances.setIamPolicy**](gcp-compute-privesc/#compute.instances.setiampolicy) ## Search for Keys in the filesystem Check if other users have loggedin in gcloud inside the box and left their credentials in the filesystem: ``` sudo find / -name "gcloud" ``` These are the most interesting files: * `~/.config/gcloud/credentials.db` * `~/.config/gcloud/legacy_credentials/[ACCOUNT]/adc.json` * `~/.config/gcloud/legacy_credentials/[ACCOUNT]/.boto` * `~/.credentials.json` ### More API Keys regexes ```bash TARGET_DIR="/path/to/whatever" # Service account keys grep -Pzr "(?s){[^{}]*?service_account[^{}]*?private_key.*?}" \ "$TARGET_DIR" # Legacy GCP creds grep -Pzr "(?s){[^{}]*?client_id[^{}]*?client_secret.*?}" \ "$TARGET_DIR" # Google API keys grep -Pr "AIza[a-zA-Z0-9\\-_]{35}" \ "$TARGET_DIR" # Google OAuth tokens grep -Pr "ya29\.[a-zA-Z0-9_-]{100,200}" \ "$TARGET_DIR" # Generic SSH keys grep -Pzr "(?s)-----BEGIN[ A-Z]*?PRIVATE KEY[a-zA-Z0-9/\+=\n-]*?END[ A-Z]*?PRIVATE KEY-----" \ "$TARGET_DIR" # Signed storage URLs grep -Pir "storage.googleapis.com.*?Goog-Signature=[a-f0-9]+" \ "$TARGET_DIR" # Signed policy documents in HTML grep -Pzr '(?s)
' \ "$TARGET_DIR" ``` ## References * [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}