Overview
Unix sockets are inter-process communication endpoints. If a socket is writable or a privileged service listens on one, you can communicate with it to escalate privileges.Enumerate Unix Sockets
Find Writable Sockets
Check Socket Permissions
Docker Socket
Most common socket privesc. See Docker / LXD Escape.Quick Check
Writable .socket Files (systemd)
Inject ExecStartPre
Create Missing Service
If.socket exists but corresponding .service is missing:
HTTP Sockets
Some services expose HTTP APIs over Unix sockets.Connect
Socat
Netcat
MySQL Socket
Containerd Socket
Socket Command Injection
If a service reads input from a socket and passes it to a shell:Socket Permissions
| Permission | Risk |
|---|---|
| World-writable socket | Anyone can connect |
| Group-readable/writable | Group members can connect |
| Root-owned, no auth | Relies only on filesystem perms |
Quick Reference
| Socket | Privesc |
|---|---|
/var/run/docker.sock | Mount host filesystem → root |
/run/containerd/containerd.sock | Run privileged container |
Writable .socket file | Inject ExecStartPre |
| MySQL socket (no password) | DB access, potential UDF RCE |
| HTTP API socket | Depends on exposed endpoints |