Hey everyone,

I’ve been testing a target that runs inside one of Google’s sandboxed environments, and I’ve managed to achieve arbitrary command execution within the sandbox.

So far I’ve confirmed:

• Command execution works reliably
• Can read local files and environment variables
• Running with high privileges inside the sandbox

After enumeration:

• Filesystem appears containerized (overlay)
• No clear access to host filesystem
• No cross-user or external data exposure so far
• Standard mounts (/proc, /sys, etc.), nothing obviously misconfigured

Looking for advice on:

• Common techniques to pivot from sandboxed execution → escape
• What areas to focus on next:
  • filesystem quirks / mounts
  • process isolation
  • shared resources
  • sandbox-specific weaknesses

Not trying to brute force --> just looking to approach this more intelligently.

Would appreciate insights from anyone experienced with sandbox escapes or similar environments.

Thanks