hacktricks-cloud/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md
2024-12-12 19:35:48 +01:00
# GCP - Compute Instances
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
Google Cloud Compute Instances are **customizable virtual machines on Google's cloud infrastructure**, offering scalable and on-demand computing power for a wide range of applications. They provide features like global deployment, persistent storage, flexible OS choices, and strong networking and security integrations, making them a versatile choice for hosting websites, processing data, and running applications efficiently in the cloud.
### Confidential VM
Confidential VMs use **hardware-based security features** offered by the latest generation of AMD EPYC processors, which include memory encryption and secure encrypted virtualization. These features enable the VM to protect the data processed and stored within it from even the host operating system and hypervisor.
Running a Confidential VM may require **changing** settings such as the **machine type**, the network **interface** and the **boot disk image**.
### Disk & Disk Encryption
It's possible to **select the disk** to use or **create a new one**. If you select a new one you can:
* Select the **size** of the disk
* Select the **OS**
* Indicate if you want to **delete the disk when the instance is deleted**
* **Encryption**: By **default** a **Google managed key** will be used, but you can also **select a key from KMS** or indicate **raw key to use**.
### Deploy Container
It's possible to deploy a **container** inside the virtual machine.\
It's possible to configure the **image** to use, set the **command** to run inside it, its **arguments**, mount a **volume**, set **env variables** (sensitive information?) and configure several options for this container such as running it as **privileged**, allocating stdin and a pseudo TTY.
### Service Account
By default, the **Compute Engine default service account** will be used. The email of this SA has the form `<proj-num>-compute@developer.gserviceaccount.com`\
This service account has the **Editor role over the whole project (high privileges).**
And the **default access scopes** are the following:
* **https://www.googleapis.com/auth/devstorage.read\_only** -- Read access to buckets :)
* https://www.googleapis.com/auth/logging.write
* https://www.googleapis.com/auth/monitoring.write
* https://www.googleapis.com/auth/servicecontrol
* https://www.googleapis.com/auth/service.management.readonly
* https://www.googleapis.com/auth/trace.append
However, it's possible to **grant it `cloud-platform` with a click** or specify **custom ones**.
<figure><img src="../../../../.gitbook/assets/image (327).png" alt=""><figcaption></figcaption></figure>
### Firewall
It's possible to allow HTTP and HTTPS traffic.
<figure><img src="../../../../.gitbook/assets/image (326).png" alt=""><figcaption></figcaption></figure>
### Networking
* **IP Forwarding**: It's possible to **enable IP forwarding** when the instance is created.
* **Hostname**: It's possible to give the instance a permanent hostname.
* **Interface**: It's possible to add a network interface.
### Extra Security
These options will **increase the security** of the VM and are recommended:
* **Secure boot:** Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits.
* **Enable vTPM:** Virtual Trusted Platform Module (vTPM) validates your guest VM pre-boot and boot integrity, and offers key generation and protection.
* **Integrity supervision:** Integrity monitoring lets you monitor and verify the runtime boot integrity of your shielded VM instances using Stackdriver reports. Requires vTPM to be enabled.
### VM Access
The common way to enable access to the VM is by **allowing certain SSH public keys** to access the VM.\
However, it's also possible to **enable access to the VM via the `os-config` service using IAM**. Moreover, it's possible to enable 2FA to access the VM using this service.\
When this **service** is **enabled**, access via **SSH keys is disabled.**
<figure><img src="../../../../.gitbook/assets/image (328).png" alt=""><figcaption></figcaption></figure>
### Metadata
It's possible to define **automation** (the equivalent of user data in AWS): **shell commands** that will be executed every time the machine boots or restarts.
It's also possible to **add extra metadata key-value values** that are going to be accessible from the metadata endpoint. This info is commonly used for environment variables and startup/shutdown scripts. This can be obtained using the **`describe` method** from a command in the enumeration section, but it could also be retrieved from the inside of the instance accessing the metadata endpoint.
```bash
# view project metadata
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# view instance metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
```
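As an added example (not HackTricks code, nor a Google tool), the script below audits the JSON that `gcloud compute instances describe <name> --format=json` returns for the risky settings covered in the Service Account, Networking, Extra Security, VM Access and Metadata sections above. The sample instance is constructed; the field names (`serviceAccounts`, `shieldedInstanceConfig`, `canIpForward`, `metadata.items`) are those of the Compute Engine API.

```python
# Added audit example (not HackTricks code): flags risky settings in a
# `gcloud compute instances describe --format=json` document.
import json

# Scope beyond the default set listed above that grants the attached SA full API access.
BROAD_SCOPES = {"https://www.googleapis.com/auth/cloud-platform"}
SECRET_HINTS = ("password", "secret", "token", "key")

def metadata_items(instance):
    """Return instance metadata as a plain dict (keys are case sensitive)."""
    return {i["key"]: i.get("value", "") for i in instance.get("metadata", {}).get("items", [])}

def audit_instance(instance):
    """Return a list of human-readable findings for one describe() document."""
    findings = []
    for sa in instance.get("serviceAccounts", []):
        if sa.get("email", "").endswith("-compute@developer.gserviceaccount.com"):
            findings.append(f"default Compute Engine SA attached: {sa['email']}")
        if BROAD_SCOPES & set(sa.get("scopes", [])):
            findings.append(f"cloud-platform scope on {sa['email']}")
    shielded = instance.get("shieldedInstanceConfig", {})
    for opt in ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring"):
        if not shielded.get(opt, False):
            findings.append(f"shielded VM option disabled: {opt}")
    if instance.get("canIpForward"):
        findings.append("IP forwarding enabled")
    meta = metadata_items(instance)
    if meta.get("enable-oslogin", "").upper() != "TRUE":
        findings.append("OS Login not enabled; access relies on ssh-keys metadata")
    for key, value in meta.items():
        if key in ("startup-script", "shutdown-script"):
            findings.append(f"{key} present ({len(value)} bytes); review for embedded credentials")
        elif any(h in key.lower() for h in SECRET_HINTS):
            findings.append(f"metadata key looks sensitive: {key}")
    return findings

# Constructed sample resembling a freshly created instance left on default settings.
SAMPLE = json.loads("""{
  "name": "web-1", "canIpForward": true,
  "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                       "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
  "shieldedInstanceConfig": {"enableSecureBoot": false, "enableVtpm": true,
                             "enableIntegrityMonitoring": true},
  "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash\\napt update"},
                         {"key": "db_password", "value": "hunter2"}]}
}""")

if __name__ == "__main__":
    for finding in audit_instance(SAMPLE):
        print("[!]", finding)
```

Run it against real output with `gcloud compute instances describe <name> --format=json | python3 audit.py` after swapping `SAMPLE` for `json.load(sys.stdin)`; an instance with a custom SA, all shielded options on, IP forwarding off and `enable-oslogin=TRUE` produces no findings.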
Moreover, **auth token for the attached service account** and **general info** about the instance, network and project is also going to be available from the **metadata endpoint**. For more info check:
{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440" %}
### Encryption
A Google-managed encryption key is used by default, but a Customer-managed encryption key (CMEK) can be configured. You can also configure what happens when the CMEK in use is revoked: nothing, or shut down the VM.
<figure><img src="../../../../.gitbook/assets/image (329).png" alt=""><figcaption></figcaption></figure>