{"id":21974556,"url":"https://github.com/francescodisalesgithub/gcloud-terminal-shell-exfiltration","last_synced_at":"2025-07-06T03:06:53.352Z","repository":{"id":193144804,"uuid":"688211870","full_name":"FrancescoDiSalesGithub/gcloud-terminal-shell-exfiltration","owner":"FrancescoDiSalesGithub","description":"script that exfiltrate gcloud terminal app informations ","archived":false,"fork":false,"pushed_at":"2023-09-06T22:39:40.000Z","size":5,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-22T23:41:29.396Z","etag":null,"topics":["cloudshell","data-exfiltration","database","exfiltration","google","google-cloud-shell","hacked","hacking","oauth2","proof-of-concept","sqlite"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FrancescoDiSalesGithub.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-09-06T22:18:00.000Z","updated_at":"2024-04-25T07:07:20.000Z","dependencies_parsed_at":"2023-09-07T00:31:17.954Z","dependency_job_id":"a51d0940-3412-4508-9a25-d465eaece8f0","html_url":"https://github.com/FrancescoDiSalesGithub/gcloud-terminal-shell-exfiltration","commit_stats":null,"previous_names":["francescodisalesgithub/gcloud-terminal-shell-exfiltration"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/FrancescoDiSalesGithub/gcloud-terminal-shell-exfiltration","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FrancescoDiSalesGithub%2Fgcloud-terminal-shell-exfiltration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/FrancescoDiSalesGithub%2Fgcloud-terminal-shell-exfiltration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FrancescoDiSalesGithub%2Fgcloud-terminal-shell-exfiltration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FrancescoDiSalesGithub%2Fgcloud-terminal-shell-exfiltration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FrancescoDiSalesGithub","download_url":"https://codeload.github.com/FrancescoDiSalesGithub/gcloud-terminal-shell-exfiltration/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FrancescoDiSalesGithub%2Fgcloud-terminal-shell-exfiltration/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263841615,"owners_count":23518488,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudshell","data-exfiltration","database","exfiltration","google","google-cloud-shell","hacked","hacking","oauth2","proof-of-concept","sqlite"],"created_at":"2024-11-29T15:46:15.859Z","updated_at":"2025-07-06T03:06:53.337Z","avatar_url":"https://github.com/FrancescoDiSalesGithub.png","language":"Shell","readme":"# gcloud-terminal-shell-exfiltration\nScript that exfiltrates gcloud terminal app information from a local machine to a remote server\n\n# Warning\nThis script is intended as a proof of concept. 
Don't use it for malicious purposes.\n\n# Concept\nThis script works only on Linux at the moment, and its goal is to exfiltrate gcloud terminal app information.\n\n# How to use it\n\nEdit the following variables in **exfiltrate.sh**:\n* REMOTE_USER (the remote user of your SSH server)\n* REMOTE_IP  (the IP of your SSH server)\n* REMOTE_PATH  (the remote path where you want to save the exfiltrated data)\n\nAfter that, run the script on a machine where the google cloud terminal application is present. At the end you will mainly find some interesting databases such as:\n* access_tokens.db\n* credentials.db\n* default_configs.db\n\n# Analysis of google cloud terminal app databases\n\nThe databases are made with sqlite, but they are encrypted. To view the content of those databases, it is suggested to download **sqlcipher**:\n```\nsudo apt install -y sqlcipher\n```\nAfter installing it, run:\n```\nsqlcipher DB\n```\nWhere DB may be:\n* access_tokens.db\n* credentials.db\n* default_configs.db\n\nThe most interesting db is access_tokens.db, which stores the oauth2 access tokens for each profile. The only available table in that db is access_tokens, which has the following columns:\n* account_id (gmail account)\n* access_token (access token)\n* token_expiry (token expiration as a date)\n* rapt_token\n* id_token\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrancescodisalesgithub%2Fgcloud-terminal-shell-exfiltration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffrancescodisalesgithub%2Fgcloud-terminal-shell-exfiltration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrancescodisalesgithub%2Fgcloud-terminal-shell-exfiltration/lists"}