> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/container-breakout/trick-0031.md).

# Container Breakout Via Shared Volume SUID Binary

***

Leverage root privileges inside a container that shares a volume with the host to set the SUID bit on a host binary placed in the shared volume.

A common scenario involves running a container with a host directory mounted as a volume. For example, mounting the host's root filesystem (`/`) to `/mnt` inside the container provides extensive access:

```bash
docker run -v /:/mnt --rm -it ubuntu bash
```

This command runs an Ubuntu container, mounts the host's root directory to `/mnt` inside the container, and gives you an interactive bash shell within the container.

With this setup, you can leverage the container's root privileges to manipulate files on the host through the mounted volume.

First, as your low-privileged user on the host, copy a binary like `bash` into the shared volume path, typically a temporary directory like `/tmp`.

```bash
cp /bin/bash /tmp/bash
```

Next, from *inside* the container as root, modify the permissions and ownership of the copied binary within the shared volume's path (which is `/mnt/tmp/bash` in the container).

```bash
chown root:root /mnt/tmp/bash
chmod u+s /mnt/tmp/bash
```

This changes the owner to root and sets the SUID bit (`u+s`) on the copied binary located at the host's filesystem (`/tmp/bash`).

Finally, return to the host as your low-privileged user and execute the modified binary from the shared volume path (the host's `/tmp` directory). The SUID bit will grant you a root shell.

```bash
/tmp/bash -p
```
