# GCP

<figure><img src="/files/jCr7XpODyUgNrGfh3We3" alt=""><figcaption></figcaption></figure>

## Initial Access

{% embed url="https://youtu.be/ruDVLRCx03Y?feature=shared" %}

## Google Search

{% content-ref url="/pages/fVeFtPSAWQuWG0C5room" %}
[Cloud](/0xss0rz/pentest/recon/cloud.md)
{% endcontent-ref %}

## Misconfiguration

{% embed url="https://github.com/pwnedlabs/automated-cloud-misconfiguration-testing" %}

## CLI Recon

### Projects

List the IDs of every project the authenticated account can see

```
gcloud projects list --format="table(projectId)"
```

### Buckets

List the buckets that exist in a project

```
gsutil ls -p <project_id>
```

Inspect the bucket's IAM bindings. If any binding grants a role to `allUsers` (no credentials needed) or `allAuthenticatedUsers` (any Google account, including one an attacker creates), the bucket is public. The role on that binding tells you how bad it is: `roles/storage.objectViewer` is read access, `roles/storage.objectCreator` or `roles/storage.admin` is write access. `gsutil iam get` already prints JSON, so it takes no `--format` flag. Buckets that still use legacy ACLs can also grant `allUsers` there, outside the IAM policy, so check both.

```
gsutil iam get gs://<bucket_id> | jq '.bindings[] | {role, members}'
```

### BigQuery

List the BigQuery datasets in a project

```
bq ls --project_id <project_id> --format=pretty
```

Show the dataset's access list. If an entry grants a role to `allUsers` or `allAuthenticatedUsers`, the dataset is public. In the JSON output (`--format=prettyjson`) these show up as `"iamMember": "allUsers"` and `"specialGroup": "allAuthenticatedUsers"` under `access`.

```
bq show --format=pretty <project_id>:<dataset_id>
```

### Compute Images

These commands enumerate Compute Engine images, not running instances. List the custom (non-public) images in a project:

```
gcloud compute images list --project <project_id> --no-standard-images --format="table(name)"
```

Inspect the image's IAM policy. If a binding grants `allAuthenticatedUsers` (or `allUsers`) a role such as `roles/compute.imageUser`, the image is shared with every Google account and anyone can copy it into a project they control and inspect its contents.

```
gcloud compute images get-iam-policy <image_name> --project <project_id> --format=json
```

Copy a shared image into a project you control

```
gcloud compute images create <new_image_name> --source-image=<image_name> --source-image-project=<project_id>
```

Confirm the copy exists in the current project

```
gcloud compute images list
```

### KMS

List the key rings in the account. Key rings are per-location, so repeat this for every location the project uses, not only `global`.

```
gcloud kms keyrings list --location=global
```

List the keys in a key ring

```
gcloud kms keys list --keyring=<key_ring_ID> --location=global --format="table(name)"
```

Inspect the key's IAM policy. If a binding grants `allUsers` or `allAuthenticatedUsers` a role such as `roles/cloudkms.cryptoKeyDecrypter` or `roles/cloudkms.cryptoKeyEncrypterDecrypter`, anyone can decrypt data wrapped with that key.

```
gcloud kms keys get-iam-policy <key_ID> --keyring=<key_ring_ID> --location=global --format=json | jq '.bindings[].members[]'
```
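The bucket, image and KMS checks above all look for the same two principals in the same IAM policy shape, and the BigQuery check looks for them in a dataset access list. The script below is an added example (not code from the original page): it reads the JSON that `gsutil iam get`, `gcloud ... get-iam-policy --format=json` and `bq show --format=prettyjson` print, reports every public binding with its role, and ranks the exposure. The sample documents at the bottom are constructed for the example and do not describe real resources.

```python
"""Flag public principals in GCP IAM policies and BigQuery dataset ACLs.

Added example, not from the original page. Pipe the JSON output of
`gsutil iam get gs://<bucket>`, `gcloud compute images get-iam-policy ... --format=json`,
`gcloud kms keys get-iam-policy ... --format=json` or `bq show --format=prettyjson`
into it. The SAMPLE_* documents are constructed for the example.
"""
from __future__ import annotations

import json
import sys

# allUsers needs no credentials at all; allAuthenticatedUsers is satisfied by
# any Google account, including a throwaway one an attacker registers.
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def public_iam_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) for every public principal in an IAM policy document.

    Buckets, images and KMS keys all use the same
    {"bindings": [{"role": ..., "members": [...]}]} shape.
    """
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append((binding["role"], member))
    return hits


def public_dataset_access(dataset: dict) -> list[tuple[str, str]]:
    """Same check for a BigQuery dataset, whose ACL is not a plain IAM policy.

    `bq show --format=prettyjson` lists grants under "access"; allUsers appears as
    {"iamMember": "allUsers"} and allAuthenticatedUsers as
    {"specialGroup": "allAuthenticatedUsers"}.
    """
    hits = []
    for entry in dataset.get("access", []):
        principal = entry.get("iamMember") or entry.get("specialGroup")
        if principal in PUBLIC_PRINCIPALS:
            hits.append((entry["role"], principal))
    return hits


def exposure(hits: list[tuple[str, str]]) -> str:
    """Worst case over the hits: 'anonymous' > 'any-google-account' > 'private'."""
    members = {member for _, member in hits}
    if "allUsers" in members:
        return "anonymous"
    if "allAuthenticatedUsers" in members:
        return "any-google-account"
    return "private"


def triage(document: dict) -> tuple[str, list[tuple[str, str]]]:
    """Pick the right parser for the document that was piped in and return (exposure, hits)."""
    hits = public_dataset_access(document) if "access" in document else public_iam_bindings(document)
    return exposure(hits), hits


# Constructed samples in the shape the CLI tools print (not real resources).
SAMPLE_BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "etag": "CAE=",
}
SAMPLE_KMS_POLICY = {
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                     "allAuthenticatedUsers"]},
    ],
}
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "example-project", "datasetId": "analytics"},
    "access": [
        {"role": "OWNER", "userByEmail": "alice@example.com"},
        {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
        {"role": "READER", "iamMember": "allUsers"},
    ],
}

if __name__ == "__main__":
    # Example: gsutil iam get gs://<bucket> | python3 public_principals.py
    level, hits = triage(json.load(sys.stdin))
    print(level)
    for role, member in hits:
        print(f"  {member} -> {role}")
```

The role is reported alongside the principal on purpose: `allUsers` with `roles/storage.objectViewer` is a data leak, while `allUsers` with `roles/storage.objectCreator` or a KMS decrypter role is a write or decryption primitive, and the two deserve different severities in a report.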

### SQL DB

List the Cloud SQL instances in a project

```
gcloud sql instances list --project <project_id> --format="table(name)"
```

Authorized networks (not IAM) control which source IPs may reach the instance's public address. If `0.0.0.0/0` is present the instance accepts connections from the whole internet; database credentials are still required, but the listener is exposed to brute force and to any leaked password. Confirm the instance actually has a public IP before calling it exposed, and note whether TLS is enforced. The `?` keeps `jq` from erroring on instances with no authorized networks at all.

```
gcloud sql instances describe <db_name> --project <project_id> --format=json | jq '.settings.ipConfiguration.authorizedNetworks[]?.value'
```
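Deciding whether an instance is really reachable takes more than grepping for `0.0.0.0/0`: the entry is harmless on a private-IP-only instance, a `/8` left over for "the office" is nearly as bad, and cleartext logins matter once the listener is public. The script below is an added example (not code from the original page) that applies those checks to the JSON `gcloud sql instances describe --format=json` prints. The field names (`ipAddresses[].type`, `settings.ipConfiguration.authorizedNetworks`, `requireSsl`, `sslMode`) are the ones the Cloud SQL Admin API uses; the sample instance is constructed for the example.

```python
"""Assess a Cloud SQL instance's network exposure from `gcloud sql instances describe --format=json`.

Added example, not from the original page. SAMPLE_INSTANCE is constructed and
does not describe a real instance.
"""
from __future__ import annotations

import ipaddress
import json
import sys

# Entries that mean "anyone on the internet".
INTERNET = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def _ip_config(instance: dict) -> dict:
    return instance.get("settings", {}).get("ipConfiguration", {})


def authorized_networks(instance: dict) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Parse settings.ipConfiguration.authorizedNetworks[].value; a bare IP counts as a /32."""
    return [ipaddress.ip_network(n["value"], strict=False)
            for n in _ip_config(instance).get("authorizedNetworks", [])]


def has_public_ip(instance: dict) -> bool:
    """gcloud reports the public address as type PRIMARY; PRIVATE entries are VPC-only."""
    return any(ip.get("type") == "PRIMARY" for ip in instance.get("ipAddresses", []))


def open_to_internet(instance: dict) -> bool:
    """Public IP plus a 0.0.0.0/0 or ::/0 entry: any host on the internet reaches the listener."""
    return has_public_ip(instance) and any(net in INTERNET for net in authorized_networks(instance))


def broad_networks(instance: dict, max_hosts: int = 256) -> list[str]:
    """Entries wider than a /24 that are not the whole internet (e.g. a forgotten 10.0.0.0/8)."""
    return [str(net) for net in authorized_networks(instance)
            if net not in INTERNET and net.num_addresses > max_hosts]


def tls_enforced(instance: dict) -> bool:
    """Newer instances expose sslMode; older ones only requireSsl. False means cleartext logins work."""
    cfg = _ip_config(instance)
    mode = cfg.get("sslMode")
    if mode is not None:
        return mode != "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
    return bool(cfg.get("requireSsl", False))


def summarize(instance: dict) -> dict:
    """One finding record per instance, suitable for a report table."""
    return {
        "name": instance.get("name"),
        "public_ip": has_public_ip(instance),
        "open_to_internet": open_to_internet(instance),
        "broad_networks": broad_networks(instance),
        "tls_enforced": tls_enforced(instance),
    }


# Constructed sample in the shape gcloud prints; not a real instance.
SAMPLE_INSTANCE = {
    "name": "prod-db",
    "ipAddresses": [{"ipAddress": "203.0.113.10", "type": "PRIMARY"}],
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "requireSsl": False,
            "authorizedNetworks": [
                {"name": "everyone", "value": "0.0.0.0/0"},
                {"name": "office", "value": "10.0.0.0/8"},
                {"name": "bastion", "value": "198.51.100.5"},
            ],
        }
    },
}

if __name__ == "__main__":
    # Example: gcloud sql instances describe <db_name> --format=json | python3 sql_exposure.py
    print(json.dumps(summarize(json.load(sys.stdin)), indent=2))
```

Run it per instance and keep only those with `open_to_internet` true or a non-empty `broad_networks` list; an instance with a `0.0.0.0/0` entry but only a PRIVATE address is a hygiene finding, not an internet-facing one.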

## Resources

{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security" %}

{% embed url="https://hackingthe.cloud/gcp/general-knowledge/default-account-names/" %}
