Escaping a Docker container

Nov 10, 2022

Escaping a Docker container can get you access to the whole Linux host, so it's a precious technique for a cyber attack.
But it's also valuable for defenders: hacking Docker containers to get a breakout is a fun way to better understand a vulnerability and how to better protect against these exploits!

In this hands-on video, we look at three real-life scenarios where you can actually break out of a Docker container:

  • breaking out of a Docker in Docker/Docker out of Docker container (DinD/DooD)
  • breaking out of a container by abusing the release_agent from cgroups v1
  • breaking out of a container inside a misconfigured Pod in Kubernetes

We then briefly discuss why each container escape was possible and how you can defend against it.

There's always a new exploit, or a new #dockerEscape around the corner.
Stay up to date with our latest articles on cloud security on our blog:
https://sysdig.com/blog/

Chapters:

0:00 Intro
0:21 Key Concepts
1:43 Hands-on escaping: DinD/DooD
6:07 Hands-on escaping: cgroups v1 release_agent
11:12 Hands-on escaping: Kubernetes pod
15:06 Why did it work: DinD/DooD
16:33 Why did it work: cgroups v1 release_agent
19:33 Why did it work: Kubernetes pod
21:35 Conclusion