Check Group Membership
docker or lxd group → root escalation possible.
Docker Privesc
Mount Host Filesystem
Alternative Images
If No Internet (Use Local Image)
Read Sensitive Files
Add SSH Key to Root
Create SUID bash
Docker Socket Abuse
If/var/run/docker.sock is accessible:
Via curl
Docker Escape (From Inside Container)
Check if Inside Container
Privileged Container Escape
LXD Privesc
Step 1 — Build Alpine Image (Attacker)
Step 2 — Transfer to Target
Step 3 — Import and Create Container
Step 4 — Access Host Filesystem
Create SUID bash
Quick Reference
| Scenario | Command |
|---|---|
| Docker group | docker run -v /:/mnt --rm -it alpine chroot /mnt bash |
| Docker socket | Abuse via curl or docker CLI |
| Privileged container | mount /dev/sda1 /mnt && chroot /mnt |
| LXD group | Import image → mount host → root |