Docker: Part 2 — Recon & Enumeration
Now that you understand what Docker is and why it’s widely used, it’s time to learn how to detect Docker in an environment and begin enumerating it for privilege escalation opportunities.
This post covers:
- How to detect Docker on a system
- How to tell if you’re inside a container
- How to find misconfigured Docker sockets
- Enumeration techniques to uncover escalation paths
Step 1: Are You Inside a Docker Container?
When you land a shell, you may already be inside a Docker container. Here are ways to confirm it.
Check control groups
```bash
cat /proc/1/cgroup
```
If you see paths referencing `/docker/`, you're most likely inside a container. On hosts using cgroup v2 this file may show only `0::/`, so combine it with the checks below.
Check for .dockerenv
```bash
ls -la /.dockerenv
```
This file is often present inside Docker containers unless explicitly removed.
Check the hostname
```bash
hostname
```
If it looks like a hash or random ID, that's another indicator of a containerized environment.
Step 2: Is Docker Installed on the Host?
To check if Docker is installed:
```bash
which docker
docker --version
```
Also look for the Docker socket:
```bash
ls -l /var/run/docker.sock
```
If this file exists and is writable, Docker is likely running and may be vulnerable to abuse.
Step 3: Are You in the Docker Group?
Check your group memberships:
```bash
id
```
If you see `docker` in the group list, you can interact with the Docker daemon. This is a direct privilege escalation path because you can start containers with host-level access.
Step 4: Enumerate Docker Resources
If you have Docker access, start by enumerating images and containers.
List available images
```bash
docker images
```
List running containers
```bash
docker ps
```
List all containers (including stopped)
```bash
docker ps -a
```
View logs of a container
```bash
docker logs <container_id>
```
Check volumes
```bash
docker volume ls
docker volume inspect <volume_name>
```
Volumes may contain application data, configuration files, or credentials.
Step 5: Inspect Container Configuration
Use `docker inspect` to gather details about mounts, environment variables, and privileges.
```bash
docker inspect <container_id>
```
Look for:
- Mounted volumes
- Sensitive environment variables (e.g., API keys, secrets)
- `"Privileged": true` entries
Step 6: Look for Privileged Containers
If a container is started with the `--privileged` flag, it has extended access to the host system and devices.
Check using:
```bash
docker inspect <container_id> | grep -i privileged
```
If true, you may be able to escape the container or interact with host-level devices like `/dev/mem`.
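An added example (not from the original post) that applies the checks from Steps 5 and 6 to `docker inspect` JSON: it flags `"Privileged": true`, bind mounts sourced from the host root or the Docker socket, and environment variables whose names look like secrets. The sample inspect document, the secret-name markers and the sensitive-path list are constructed assumptions, not Docker's own definitions.

```python
import json
import sys

# Constructed sample of `docker inspect <container_id>` output (trimmed; not real data).
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/webapp",
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only", "APP_ENV=prod"]},
    "HostConfig": {"Privileged": True},
    "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/app/_data",
         "Destination": "/data", "RW": True},
    ],
}])

# Heuristic markers for env var names that usually carry credentials (assumption).
SECRET_MARKERS = ("PASS", "SECRET", "TOKEN", "KEY", "CRED")
# Host paths whose bind mount gives a container control of, or visibility into, the host.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/etc", "/root", "/proc", "/sys", "/dev")

def is_sensitive_source(src: str) -> bool:
    """True if a bind-mount source is the host root or inside a sensitive host path."""
    src = src.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def audit_inspect(inspect_json: str) -> dict:
    """Map container name -> list of findings, parsed from `docker inspect` JSON."""
    findings = {}
    for c in json.loads(inspect_json):
        issues = []
        if c.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged: HostConfig.Privileged is true")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive_source(m.get("Source", "")):
                mode = "rw" if m.get("RW") else "ro"
                issues.append(f"mount: {m.get('Source')} -> {m.get('Destination', '?')} ({mode})")
        for entry in c.get("Config", {}).get("Env") or []:
            name = entry.split("=", 1)[0]
            if any(marker in name.upper() for marker in SECRET_MARKERS):
                issues.append(f"env: {name} looks like a secret")
        findings[c.get("Name", c.get("Id", "?"))] = issues
    return findings

if __name__ == "__main__":
    # Usage: docker inspect <id> > c.json && python audit.py c.json (no argument: built-in sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, issues in audit_inspect(raw).items():
        print(name, *(issues or ["no findings"]), sep="\n  ")
```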
Step 7: Enumeration from Within a Container
If you're inside a container, continue your recon:
Check identity
```bash
id
whoami
```
List device files
```bash
ls /dev
```
Check capabilities
```bash
capsh --print
```
Look for dangerous ones like `cap_sys_admin` or `cap_net_admin`.
Check mounted filesystems
```bash
mount
df -h
```
If you see the host's root filesystem mounted, or directories like `/host`, that could be an escape path.
Summary
| What to Check | Purpose |
|---|---|
| `/proc/1/cgroup`, `/.dockerenv` | Confirm container presence |
| `/var/run/docker.sock` | Docker control access |
| Group membership for `docker` | Privilege escalation vector |
| `docker inspect` output | Mounts, secrets, privileged flags |
| `capsh`, `mount`, `ls /dev` | Breakout and privilege abuse opportunities |
Coming Up Next
In Part 3, we’ll weaponize this knowledge. You’ll learn how to:
- Exploit Docker group membership
- Abuse the Docker socket
- Launch containers that mount the host filesystem
- Escape containers using `chroot`
- Run privileged containers for full host access