[Cas]

Hewo,, this post is just based on info already pub, nothings new/(0days),
just dockery stuff, ill teach you how to escape docker based on how its running.


First --privileged flag
when running the container with dis flag it gives

- Full Access to Devices (On the host os)
- More Kernel Namespaces (container gets more control over kernel namespaces including the ability to create and manipulate namespaces that are usually managed by the host)
- Extended Capabilities (Our 3rd escape vector) ( With --privileged all Linux capabilities are granted to the container which allows it to perform operations like mounting filesystems changing kernel parameters etc)
so to escape this easily just mount the host filesystem into the container like this
1st cat the cmdline to get the UUID to identify which partition does it belong to - before that obtain root user on the docker.

cat /proc/cmdline

then copy the UUID given by the cmdline and use findfs to locate in which partition is that filesystem

findfs UUID

after locating it, just mount it like this

mkdir /hackedfs; mount /dev/sda1 /hackedfs

now simple run ls on the /hackedfs inside the container and you should find the fs from the host os.

gonna continue later.