# Google Cloud VM Instances

## Introduction

Google Cloud provides a secure and customizable compute service that lets you create and run virtual machines on Google's infrastructure. Google Cloud VMs offer scale-out workloads at a better price-performance than general-purpose VMs, and are useful for the most demanding applications and workloads.

## What are we going to cover?

We will set up a target VM instance that hosts a vulnerable application, then exploit the app to gain access to service account credentials.

## Steps to setup lab

**Note:** Setting up VMs in Google Cloud will incur cost; however, this is covered by the free credits you received when you signed up to Google Cloud.

An image has been pre-created for this lab. It needs to be imported into your account, and a VM instance needs to be created from it.

Before beginning, verify that you are using the correct account and project via the gcloud CLI:

* Verify account - `gcloud auth list`
* Verify project - `gcloud config get project`

If either value is wrong, let the trainer know, or run the `gcloud config set` commands to correct them before proceeding.

### 1. Copying the VM Image to your account

* Run the following command in the student machine terminal to import the image into your account:

```
gcloud compute images create gcloud-target-vm-nullcon-image --source-uri gs://artifacts-cloudsecurity-training-nullcon/vm-images/gcloud-target-vm-nullcon-image.tar.gz
```

Once the command has completed, you can see the image created in your account at <https://console.cloud.google.com/compute/images?tab=images>

### 2. Creating the VM from an Image

* Export some variables to set up the command:

```
export GCLOUD_PROJECT=$(gcloud config get project)
# Look up the project number; the default compute service account is named after it
export GCLOUD_PROJECT_NUMBER=$(gcloud projects list --format json --filter="projectId:$GCLOUD_PROJECT" | jq -r '.[].projectNumber')
export DEFAULT_VM_SA=$GCLOUD_PROJECT_NUMBER-compute@developer.gserviceaccount.com
```

* Run the following command in the student machine terminal to create a VM from the image that was just imported:

```
gcloud compute instances create gcloud-target-vm-nullcon --project=$GCLOUD_PROJECT --zone=us-central1-a --machine-type=e2-micro --network-interface=network-tier=PREMIUM,subnet=default --maintenance-policy=MIGRATE --provisioning-model=STANDARD --service-account=$DEFAULT_VM_SA --scopes=https://www.googleapis.com/auth/cloud-platform --tags=http-server --create-disk=auto-delete=yes,boot=yes,device-name=gcloud-target-vm-nullcon,image=projects/$GCLOUD_PROJECT/global/images/gcloud-target-vm-nullcon-image,mode=rw,size=10,type=projects/$GCLOUD_PROJECT/zones/us-central1-a/diskTypes/pd-balanced --reservation-affinity=any
```

* Note down the external IP printed on screen.
* Grant the default compute service account the `roles/resourcemanager.projectIamAdmin` role; the lab exercises rely on this binding:

```
gcloud projects add-iam-policy-binding $GCLOUD_PROJECT --member "serviceAccount:$DEFAULT_VM_SA" --role "roles/resourcemanager.projectIamAdmin" > /dev/null
```

### 3. Restricting access to the Attacker Machine

**Remember, this is a deliberately vulnerable app and should not be run on production or facing the Internet. The vulnerability in here does not require any authentication or complex payloads to be exploited.**

* Run the following command to open port 80 on the Google Cloud network firewall to traffic from the Attacker Machine in AWS only (the command assumes `$cloudhackerip` holds that machine's public IP address):

```
gcloud compute --project=$GCLOUD_PROJECT firewall-rules create allow-http-from-attacker --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:80 --source-ranges=$cloudhackerip/32 --target-tags=http-server
```

* Navigate to the external IP address in Firefox through an SSH tunnel to the attacker machine.

### 4. Creating Storage Objects to test exfiltration

We need to set up some storage buckets to test token validity and demonstrate exfiltration. On a real target account these would usually already exist. Run the following commands, one after the other, to set up some storage objects in the target Google Cloud account:

```
gcloud alpha storage buckets create gs://production-data-$GCLOUD_PROJECT

gcloud alpha storage buckets create gs://customer-reports-$GCLOUD_PROJECT

wget https://access-appsecco-training.s3.amazonaws.com/gs-production-data/DataStoreThickClient.zip -O /tmp/DataStoreThickClient.zip

unzip /tmp/DataStoreThickClient.zip -d /tmp/ >/dev/null

gcloud alpha storage cp /tmp/DataStoreThickClient/* gs://production-data-$GCLOUD_PROJECT --gzip-in-flight-all --recursive

wget https://access-appsecco-training.s3.amazonaws.com/gs-customer-reports/customer-reports.zip -O /tmp/customer-reports.zip

unzip /tmp/customer-reports.zip -d /tmp/ >/dev/null

gcloud alpha storage cp /tmp/customer-reports/* gs://customer-reports-$GCLOUD_PROJECT --gzip-in-flight-all --recursive
```
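Steps 2 and 3 above build the weak configuration this lab exploits: the default compute service account, attached with the broad `cloud-platform` scope and holding `roles/resourcemanager.projectIamAdmin`. The audit below is an added example, not part of the lab materials, that flags that combination in the JSON printed by `gcloud compute instances describe ... --format json` and `gcloud projects get-iam-policy $GCLOUD_PROJECT --format json`; the sample documents, project number and the hardened service account name are constructed for illustration.

```python
import json
import re

# Default Compute Engine SA pattern: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Roles that let whoever holds the SA's token grant themselves anything else in the project.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/resourcemanager.projectIamAdmin"}


def privileged_roles_of(policy: dict, email: str) -> set:
    """Privileged roles bound to a service account in a `get-iam-policy` JSON document."""
    member = f"serviceAccount:{email}"
    return {b["role"] for b in policy.get("bindings", [])
            if b["role"] in PRIVILEGED_ROLES and member in b.get("members", [])}


def audit_instance(instance: dict, policy: dict) -> list:
    """Findings for one `instances describe` JSON document; an empty list means nothing flagged."""
    name, findings = instance["name"], []
    for sa in instance.get("serviceAccounts", []):
        email, scopes = sa.get("email", ""), set(sa.get("scopes", []))
        if not DEFAULT_SA_RE.match(email):
            continue  # a dedicated, purpose-built SA is the recommended setup
        findings.append(f"{name}: runs as the default compute SA {email}")
        if CLOUD_PLATFORM_SCOPE in scopes:
            findings.append(f"{name}: cloud-platform scope lets a stolen token reach every API")
        for role in sorted(privileged_roles_of(policy, email)):
            findings.append(f"{name}: that SA holds {role}, so a stolen token controls project IAM")
    return findings


# Constructed samples that mirror this lab's setup; not real gcloud output.
SAMPLE_POLICY = json.loads('{"bindings": [{"role": "roles/resourcemanager.projectIamAdmin",'
                           ' "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}]}')
WEAK_INSTANCE = json.loads('{"name": "gcloud-target-vm-nullcon", "serviceAccounts": [{"email":'
                           ' "123456789012-compute@developer.gserviceaccount.com",'
                           ' "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]}')
# The same VM as it should be built: a dedicated SA (hypothetical name) with only the scopes it needs.
HARDENED_INSTANCE = json.loads('{"name": "gcloud-target-vm-nullcon", "serviceAccounts": [{"email":'
                               ' "web-app@example-project.iam.gserviceaccount.com",'
                               ' "scopes": ["https://www.googleapis.com/auth/logging.write"]}]}')

if __name__ == "__main__":
    for doc in (WEAK_INSTANCE, HARDENED_INSTANCE):
        print(doc["name"], "->", audit_instance(doc, SAMPLE_POLICY) or ["no findings"])
```

Pipe the real `--format json` output of both commands into `json.loads` in place of the samples to audit your own project after the lab.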

## Additional Information

No additional information for this section.
