Privilege Escalation with Docker Container
The article describes a way to obtain root privileges on the host through a Docker container, which involves running a privileged container, mounting the host filesystem and using the chroot command to enter the host environment. While this method can bypass permission restrictions, it carries the risk of breaking host isolation; the article recommends Rootless mode and SELinux/AppArmor to defend against this class of security issue. 2025-5-8 05:16:0 Author: infosecwriteups.com

Bishal Chapagain

Background

In many companies, employees are provided with limited user privileges. These accounts usually lack sudo or root privileges, preventing them from installing packages or making system-wide changes. But what if you could break through these restrictions with a Docker container?

In this article, I’ll show you how I obtained root access to the host from within a container.

About Docker

Docker makes extensive use of cgroups and namespaces to provide containerization. These are core Linux kernel features that enable Docker to isolate and manage resources for containers effectively. Even with root inside a container, you can't affect the host system unless you explicitly allow it. Docker containers are isolated environments that share the host kernel but are otherwise sandboxed.

By running containers in --privileged mode and mounting the host filesystem, we effectively give the container god-mode access to the host. This is what we exploit in this method.

Disclaimer:

  • This method is dangerous as it breaks the isolation model of Docker.
  • One wrong move and you can corrupt your host system.

This method is tested on Ubuntu 24.04.2 LTS with Docker installed on it.

Steps

1. Run a Docker Container

  • First, run a privileged Ubuntu container with the host root directory mounted into it.
docker run -it --rm --privileged -v /:/mnt/host ubuntu:latest
  • Once inside the container, you can check the contents of the host root directory.
ls /mnt/host

2. chroot into the host system

  • The chroot command changes the apparent root directory for the current process and its children.
  • The directory /mnt/host becomes the new root for the process and its children, so host files and directories can be accessed through the resulting bash shell.
chroot /mnt/host /bin/bash

Now, we’re in the host environment and can install packages or make other modifications as if we were logged in directly.

  • If it fails, check for missing binaries or libraries using strace.
strace -f chroot /mnt/host /bin/bash

3. Install packages

  • For this demo, let’s install python3.

4. Test it from your end

  • We can see the running Ubuntu container with the docker ps command in a new terminal.
  • On testing, python3 has been successfully installed on our system.

5. Fixing DNS Issues

If you face any DNS issues inside the container, you can resolve this by manually setting the DNS.

echo "nameserver 8.8.8.8" > /etc/resolv.conf

How to prevent it?

When an employee gains unauthorized root access to a company's end device, the impacts can be severe, affecting security, operations and compliance.

The following ways can be considered for prevention:

  • Use Rootless mode
    This is the safest way to run containers without risking the host system’s security, as both the Docker daemon and the containers run without root privileges.
  • Leverage SELinux/AppArmor
    Mandatory Access Control via SELinux or AppArmor prevents containers from accessing host paths, even if privileged.
  • This issue is explicitly being monitored by Docker, so have a look at Docker’s official docs too.
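As an added example that is not from the original post, the following Python audit parses docker inspect style JSON and flags the exact combination this article relies on: a container started with --privileged and a bind mount whose source is the host root. The records below are constructed for offline use; the field names (HostConfig.Privileged, Mounts, Name) are the ones docker inspect emits, so real output of docker inspect $(docker ps -q) can be fed to audit_json() the same way.

```python
"""Audit docker inspect output for containers that can reach the host root."""
import json

# Host paths whose bind-mounting into a container amounts to host access.
SENSITIVE_SOURCES = {"/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys"}


def audit_container(rec):
    """Return a list of finding strings for one docker inspect record."""
    findings = []
    host_cfg = rec.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append("privileged container (all capabilities, devices exposed)")
    for m in rec.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and src in SENSITIVE_SOURCES:
            findings.append(f"host path {src} bind-mounted at {m.get('Destination')}")
    return findings


def audit_json(text):
    """Parse a docker inspect JSON array; map container name -> findings (non-empty only)."""
    results = {}
    for rec in json.loads(text):
        # docker inspect reports names with a leading slash, e.g. "/web".
        name = rec.get("Name", "").lstrip("/") or rec.get("Id", "")[:12]
        findings = audit_container(rec)
        if findings:
            results[name] = findings
    return results


# Constructed sample: one container started as in the article, one benign web container.
SAMPLE = json.dumps([
    {"Id": "a1b2c3d4e5f6a1b2", "Name": "/exuberant_turing",
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}]},
    {"Id": "0f9e8d7c6b5a0f9e", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": []},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}]},
])

if __name__ == "__main__":
    for name, findings in audit_json(SAMPLE).items():
        print(f"{name}: " + "; ".join(findings))
```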

Final Thoughts

This method granted me the freedom to act as root on a machine where I didn’t have direct access. However, never test this on critical systems.

Happy hacking!


Source: https://infosecwriteups.com/privilege-escalation-using-docker-container-e9110713936b?source=rss----7b722bfd1b8d---4