During a red-team assessment of a public cloud environment, you obtain a shell inside a Docker container that is part of a Kubernetes deployment. You observe that /var/run/docker.sock is mounted read-write inside the container. From the perspective of container escape, which action would most effectively allow you to gain root access on the underlying host?
Overwrite the container's /etc/resolv.conf so all DNS queries resolve to an attacker-controlled server on the same VPC subnet.
Use the docker.sock to issue API calls that start a new privileged container with the host filesystem mounted, then chroot into it.
Read /proc/kallsyms to leak kernel addresses and attempt a local privilege escalation against the node kernel.
Insert custom iptables rules inside the container to perform ARP spoofing against other pods on the overlay network.
The Docker UNIX socket exposes the remote API of the host's Docker daemon. If it is reachable from inside the container, an attacker can send API calls to start a new container with elevated privileges, such as --privileged, --net=host, and a volume mount like -v /:/host. That container runs directly under the host daemon, giving the attacker root-level access to the host filesystem and namespaces. Editing /etc/resolv.conf or /etc/iptables only affects the current container's view of the network stack. Reading /proc/kallsyms may aid kernel exploitation, but it does not by itself provide a reliable breakout path. Therefore, interacting with the docker.sock to launch a privileged container is the most direct and effective method to compromise the underlying node.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Docker UNIX socket, and why is it critical in container security?
Open an interactive chat with Bash
What does it mean to start a privileged container with host filesystem mounted?
Open an interactive chat with Bash
How does chroot contribute to escaping a container and gaining host access?
Open an interactive chat with Bash
What is docker.sock and why is it important for container security?
Open an interactive chat with Bash
What does the term 'chroot' mean when used in container exploitation?
Open an interactive chat with Bash
Why is mounting the host filesystem considered a critical security risk in Kubernetes deployments?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Cloud Computing
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .