hostPath Volume Mount
Mount the host filesystem into a pod (read-write or even read-only of /etc/shadow) — exfil host secrets and pivot.
§ Where this technique fits
K-HOSTPATH-MOUNT is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 5 approved dossiers in the registry, typically at step 4.6 on average.
§ Dossiers chaining this technique
- step 4 / 5
docker group membership → host root via container escape
User is in the docker group. `docker run -v /:/host --privileged alpine chroot /host` gives them root on the host without sudo.
- step 4 / 7
Privileged pod escape → cluster admin
GenericWrite on a Deployment in the kube-system namespace lets you launch a privileged pod; the pod mounts the host filesystem and steals the kubeconfig of cluster-admin.
- step 4 / 6
Docker socket exposed in pod → host root
A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node.
- step 5 / 5
CVE-2024-21626 (Leaky Vessels) → container escape
Outdated runc lets a malicious image escape during 'docker build' or 'docker run' via a leaked file descriptor pointing at the host filesystem.
- step 6 / 6
ArgoCD weak RBAC → cluster admin via custom Application
ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.
§ What commonly comes next
- 01SSH authorized_keys Backdoorseen 1×L-SSH-AUTHKEYS · Persistence
- 02ServiceAccount Token Theftseen 1×K-SA-TOKEN · Discovery
- 03Unsecured Credentialsseen 1×T1552 · Credential Access