Root escalation (Popping shell) on a host running Docker as root.


Most people know that running Docker as root is not a great idea, but here is an explanation of why.


Let's say you have a host that is running Docker as root. Containers are launched for CI jobs, or for a service like Traefik proxy, which needs to know what other containers are available in order to route traffic.


In either of the cases above, we can now launch other containers on the underlying host's Docker server. We can also mount any file system on the underlying host, for instance /bin/bash, which would put us in a shell on the underlying host.

That's it: we have now escalated to root privilege (popped a shell) and have unfettered access to the underlying host.
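
One way to find which containers on a host are in the position described above, as an added example that is not part of the original post: it audits `docker inspect` JSON for a bind-mounted daemon socket, a `DOCKER_HOST` setting, a bind mount of the host root, or privileged mode. The socket paths, finding names and sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/traefik",
  "Config": {"Env": ["PATH=/usr/bin"]},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": false}]},
 {"Name": "/ci-runner",
  "Config": {"Env": ["DOCKER_HOST=tcp://172.17.0.1:2375"]},
  "HostConfig": {"Privileged": true},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": true}]},
 {"Name": "/web",
  "Config": {"Env": []},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/w/_data",
              "Destination": "/data", "RW": true}]}
]
""")

# Assumed default locations of the Docker daemon socket on the host.
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

def audit_container(c):
    """Return the list of findings for one `docker inspect` record."""
    findings = []
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if src in SOCKET_PATHS:
            # A read-only bind does not limit API calls made over the socket.
            findings.append("docker-socket-mounted")
        elif m.get("Type") == "bind" and src == "/":
            findings.append("host-root-mounted")
    if (c.get("HostConfig") or {}).get("Privileged"):
        findings.append("privileged")
    for env in (c.get("Config") or {}).get("Env") or []:
        if env.startswith("DOCKER_HOST="):
            findings.append("docker-host-env")
    return findings

def audit(containers):
    """Map container name -> findings, keeping only containers with findings."""
    results = {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, pass it the parsed output of `docker inspect $(docker ps -q)` instead of the sample.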