Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/francescodisalesgithub/gcloud-terminal-shell-exfiltration
Script that exfiltrates gcloud terminal app information
cloudshell data-exfiltration database exfiltration google google-cloud-shell hacked hacking oauth2 proof-of-concept sqlite
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/francescodisalesgithub/gcloud-terminal-shell-exfiltration
- Owner: FrancescoDiSalesGithub
- License: mit
- Created: 2023-09-06T22:18:00.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-09-06T22:39:40.000Z (over 1 year ago)
- Last Synced: 2023-09-07T00:31:14.561Z (over 1 year ago)
- Topics: cloudshell, data-exfiltration, database, exfiltration, google, google-cloud-shell, hacked, hacking, oauth2, proof-of-concept, sqlite
- Language: Shell
- Homepage:
- Size: 4.88 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# gcloud-terminal-shell-exfiltration
Script that exfiltrates gcloud terminal app information from a local machine to a remote server.

# Warning
This script is intended as a proof of concept. Don't use it for malicious purposes.

# Concept
This script works only on Linux at the moment, and its goal is to exfiltrate gcloud terminal app information.

# How to use it
Edit the following variables in **exfiltrate.sh**:
* REMOTE_USER (the remote user of your ssh server)
* REMOTE_IP (the ip of your ssh server)
* REMOTE_PATH (the remote path where you want to save the exfiltrated data)

After that, run the script on a machine where the Google Cloud terminal application is installed. At the end you will find several interesting databases, such as:
* access_tokens.db
* credentials.db
* default_configs.db

# Analysis of Google Cloud terminal app databases
The databases are SQLite, but they are encrypted; to view their content, it is suggested to install **sqlcipher**:
```
sudo apt install -y sqlcipher
```
After installing it, run:
```
sqlcipher DB
```
Where DB may be:
* access_tokens.db
* credentials.db
* default_configs.db

The most interesting database is access_tokens.db, which stores the OAuth2 access tokens for each profile. The only table in that database is access_tokens, which has the following columns:
* account_id (gmail account)
* access_token (access token)
* token_expiry (token expiration as a date)
* rapt_token
* id_token