CyberCheatsheets

Docker Cheat Sheet

Container runtime CLI for building images, inspecting deployments, and testing container breakout and misconfiguration paths.

Cloud & ContainerscontainerenumerationescapeUpdated 2026-06-02

Overview

Docker packages applications in containers. In security assessments, inspect images, socket exposure (/var/run/docker.sock), privileged containers, and mounted host paths for escape vectors.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

Official convenience script (review before prod)

curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker $USER
docker version

Essential commands

List / inspect

docker ps -a
docker images
docker inspect CONTAINER_ID

Run interactive

docker run -it --rm alpine sh

Logs / exec

docker logs CONTAINER
docker exec -it CONTAINER /bin/bash

Common workflows

If user can access /var/run/docker.sock

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh

Or mount host root

docker run -v /:/hostfs --privileged -it alpine chroot /hostfs bash

Privileged container escape indicators —

docker inspect CONTAINER | jq '.[0].HostConfig.Privileged'
docker inspect CONTAINER | jq '.[0].Mounts'

Image forensics —

docker history --no-trunc myimage:tag
docker save myimage:tag -o image.tar
tar -xf image.tar && find . -name layer.tar -exec tar -tf {} \; | head

Extract filesystem —

docker export CONTAINER > container-fs.tar
mkdir rootfs && tar -xf container-fs.tar -C rootfs

Build and scan pipeline —

docker build -t app:dev .
trivy image app:dev
docker run --read-only --cap-drop=ALL app:dev

Registry / secrets —

docker login registry.example.com
cat ~/.docker/config.json
docker inspect IMAGE | jq '.[0].Config.Env'

Flags reference

--privileged

Nearly full host capabilities

-v host:container

Bind mount

--cap-add SYS_PTRACE

Extra capabilities

--network host

Host network namespace

--pid host

Host PID namespace

-e VAR=val

Environment variable

--read-only

Read-only rootfs

docker compose

Multi-container stacks

Tips

  • docker.sock = root on host in most setups — prioritize in linpeas output.
  • Check Kubernetes mounts: /var/run/secrets/kubernetes.io/serviceaccount/token.
  • docker context can point to remote TCP API — unauthenticated 2375 is critical.
  • Use nsenter / ctr on containerd hosts without Docker CLI.

References

Related cheat sheets