Is this host vulnerable to privilege escalation through an unprotected Docker daemon?
Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp with tls but without tls-auth), an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container and use chroot to escape the container-jail. This TTP mounts the hosts root directory inside the container's /mnt directory and runs schism as root on the host machine.
To view this TTPs command, you must be logged in with a professional or enterprise license.Login
Test this TTP
Download Operator (1.7.1)