> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/container-breakout/trick-0581.md).

# PrivEsc via Docker Group Membership

***

Being a member of the `docker` group grants effective root privileges on the host system. This is because users in the `docker` group can run containers and mount the host's filesystem into them. A common technique involves mounting the root filesystem (`/`) of the host into a container, allowing root-level interaction with the host's files.

Use a minimal container like `alpine`, mount the host root to `/mnt`, and then `chroot` into it:

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```

This command runs an `alpine` container, mounts the host's root (`/`) to the container's `/mnt`, allocates a TTY (`-it`), removes the container upon exit (`--rm`), changes the root inside the container to the mounted host directory (`chroot /mnt`), and executes a shell (`sh`).

Alternatively, an `ubuntu` container can be used:

```bash
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
```

This command mounts the host's root filesystem into the container's `/mnt` directory and then executes a shell within a chroot environment on the host filesystem. This effectively gives you a root shell on the host machine, allowing you to access files on the host machine as root, such as `/etc/shadow` or `/root/proof.txt`.
