Containment Failure
Five containers that aren't as contained as they look. Linux capabilities, environment leaks, writable bind mounts, exposed Docker sockets, and a cgroups v1 escape — the container security checklist as a lab.
The Machines
Five containers. Five escape vectors. Zero actual containment.
python3 has cap_dac_read_search. That capability bypasses file read and directory search permission checks. Read /root/root.txt directly — no sudo, no SUID needed.
A Flask /debug/env endpoint returns os.environ, including SSH_PASS. SYS_PTRACE is present too — the root flag lives in /proc/1/environ if you want the bonus path.
A simulated bind mount leaves /hostpath/etc/cron.d/ world-writable from inside the container. Drop a cron entry, wait for the host cron daemon to execute it.
User is in the docker group and /var/run/docker.sock is mounted. Run a new container with -v /:/mnt and you have unrestricted access to the host filesystem.
SYS_ADMIN capability plus cgroups v1 notify_on_release. Classic Felix Wilhelm escape: write a payload to release_agent, trigger it, get command execution as root on the host.
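The five weaknesses above are all visible from inside the container before anyone exploits them, which is why a self-audit is the natural first exercise for each machine. The script below is an added example written for this page (it is not the lab's own code): it decodes the effective capability mask from /proc/self/status, flags credential-looking environment variables, lists rw bind mounts under the page's simulated /hostpath, checks whether a writable Docker socket is reachable, and looks for writable cgroup v1 release_agent files. The capability bit numbers come from linux/capability.h; the constructed sample values in the checks are assumptions for illustration, and every check is read-only.

```python
"""Container self-audit for the five misconfigurations this lab series covers.

Added example (not part of the original page). Each check is read-only and
reports what is exposed so it can be fixed in the image or run configuration.
Functions take their inputs as parameters so they can be exercised on
constructed data; main() feeds them the real /proc and /sys of the container.
"""
import os
import re
import stat

# Bit numbers from linux/capability.h for the capabilities named on the page.
RISKY_CAPS = {
    "cap_dac_read_search": 2,   # bypasses file read / directory search checks
    "cap_sys_ptrace": 19,       # read other processes' memory and /proc/<pid>/environ
    "cap_sys_admin": 21,        # mount, cgroup release_agent, and much more
}
# Heuristic for credential-looking variable names (assumption, tune per deployment).
SECRET_KEY_RE = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE)", re.I)


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def risky_caps(cap_eff: int) -> list:
    """Names of the risky capabilities whose bit is set in cap_eff."""
    return [name for name, bit in RISKY_CAPS.items() if cap_eff & (1 << bit)]


def leaked_env_keys(environ) -> list:
    """Environment variable names that look like credentials (e.g. SSH_PASS)."""
    return sorted(k for k in environ if SECRET_KEY_RE.search(k))


def writable_host_paths(mounts_text: str, prefix: str = "/hostpath") -> list:
    """Mount targets under `prefix` that are mounted rw.

    Parses /proc/mounts lines of the form "<src> <target> <fstype> <options> 0 0".
    """
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        target, options = parts[1], parts[3].split(",")
        if target.startswith(prefix) and "rw" in options:
            found.append(target)
    return found


def docker_socket_exposed(path: str = "/var/run/docker.sock") -> bool:
    """True if a Docker control socket exists here and is writable by us."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode) and os.access(path, os.W_OK)
    except OSError:
        return False


def writable_release_agents(cgroup_root: str = "/sys/fs/cgroup") -> list:
    """cgroup v1 hierarchies whose release_agent file is writable from here.

    On cgroup v2 (cgroup.controllers present at the root) there is no
    release_agent mechanism, so the result is empty.
    """
    if not os.path.isdir(cgroup_root):
        return []
    if os.path.exists(os.path.join(cgroup_root, "cgroup.controllers")):
        return []
    hits = []
    for name in sorted(os.listdir(cgroup_root)):
        agent = os.path.join(cgroup_root, name, "release_agent")
        if os.path.isfile(agent) and os.access(agent, os.W_OK):
            hits.append(agent)
    return hits


def audit(status_text, environ, mounts_text, cgroup_root="/sys/fs/cgroup",
          docker_sock="/var/run/docker.sock") -> dict:
    """Run all five checks; an empty/False value means that check passed."""
    return {
        "risky_caps": risky_caps(parse_cap_eff(status_text)),
        "leaked_env": leaked_env_keys(environ),
        "writable_host_paths": writable_host_paths(mounts_text),
        "docker_socket": docker_socket_exposed(docker_sock),
        "release_agents": writable_release_agents(cgroup_root),
    }


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/mounts") as f:
        mounts = f.read()
    for check, result in audit(status, os.environ, mounts).items():
        print(f"{check:22s} {'FAIL ' + str(result) if result else 'ok'}")
```

Run it as the container's unprivileged user; a clean run prints `ok` for every check. Docker's default effective mask is `00000000a80425fb`, which carries none of the three risky bits, so any of them appearing means the image or the run command added capabilities that the workload should justify.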
Attack Chain
Recommended order of attack.
Ready to break out?
Five containers. Five escape techniques. Everything a cloud security engineer needs to practice in one series.
Launching 25 July 2026 — container security series covering escape techniques from capabilities to cgroups.