forked from Ne0nd0g/merlin
-
Notifications
You must be signed in to change notification settings - Fork 115
DockerSock Breakout
yanivyakobovich edited this page Jan 17, 2022
·
1 revision
Abusing docker.sock to create a container that has the root file system mounted in it. With a reverse shell gaining access to the root file system from in the container
info:
Docker.sock is the Unix socket the Docker daemon listens on by default, and it can be used to communicate with the daemon from within a container. and by that can start or stop other containers.
Requirements:
- Mounted docker.sock in the container as rw with permissions to read and write to the running user
- Running as root in the container, also in the host. By default docker container runs with the same user NS, if the container is running in a different user NS then the root must be mapped to root. Another option is to run with a user which is part of the docker group.
Exploit:
- Create http.client with the UNIX socket (docker.sock)
- send a message to the docker daemon through the UNIX socket to create a reverse shell container with access to the root file system
Wish to contribute module?
Exploit Module Guide
- cGroup Breakout
- Mount Breakout
- DockerSock Breakout
- Kubelet Attack
- Var Log Escape
- Kernel Module Breakout
Other Modules