/ws/monitor /ws/terminal /ws/customer

Default Docker, one upload from host root.

Trigger payloads from dokuru-lab-baseline, then watch the neighbor service and container evidence update live.


The setup

Three Docker containers, one shared kernel

01

Attacker

dokuru-lab-baseline

A vulnerable default-root web app with bind mounts. Upload and command-injection bugs become host-root evidence when userns-remap is off.

02

Neighbor

victim-checkout

A customer-facing API that should stay responsive while the baseline app tries to consume unconstrained CPU, memory, and PIDs.

03

Signal

customer-traffic

An out-of-band probe that hits checkout on a loop. Its latency feed is the visible blast-radius signal for the cgroup demo.

signal measures blast radius after every payload
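
An added example, not part of the Dokuru lab's own code: a Python check over `docker inspect` output that flags the two conditions this setup depends on, container root mapping to host root when userns-remap is off, and missing CPU, memory, and PIDs limits. The inspect records are constructed samples; the bind-mount paths, user, and limit values in them are assumptions.

```python
import json

# Constructed `docker inspect` excerpts (not captured from the lab). Container
# names come from the page; paths, users and limit values are assumptions.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/dokuru-lab-baseline", "Config": {"User": ""},
   "HostConfig": {"UsernsMode": "", "Memory": 0, "NanoCpus": 0,
                  "CpuQuota": 0, "PidsLimit": null},
   "Mounts": [{"Type": "bind", "Source": "/srv/lab-uploads",
               "Destination": "/app/uploads", "RW": true}]},
  {"Name": "/victim-checkout", "Config": {"User": "1000:1000"},
   "HostConfig": {"UsernsMode": "", "Memory": 268435456,
                  "NanoCpus": 500000000, "CpuQuota": 0, "PidsLimit": 128},
   "Mounts": []}
]
""")


def unset(value):
    # Docker reports an absent limit as null, 0 or -1 depending on the field.
    return (value or 0) <= 0


def audit_container(c, daemon_userns_remap=False):
    """Return sorted finding codes for one `docker inspect` object."""
    host = c.get("HostConfig", {})
    findings = set()
    user = (c.get("Config", {}).get("User") or "").split(":")[0]
    # Without userns-remap (or with --userns=host) container uid 0 is host uid 0.
    remapped = daemon_userns_remap and host.get("UsernsMode") != "host"
    if user in ("", "0", "root") and not remapped:
        findings.add("root-maps-to-host-root")
    if any(m.get("Type") == "bind" and m.get("RW", True)
           for m in c.get("Mounts", [])):
        findings.add("writable-bind-mount")
    if unset(host.get("Memory")):
        findings.add("no-memory-limit")
    if unset(host.get("NanoCpus")) and unset(host.get("CpuQuota")):
        findings.add("no-cpu-limit")
    if unset(host.get("PidsLimit")):
        findings.add("no-pids-limit")
    return sorted(findings)


def audit(containers, daemon_userns_remap=False):
    return {c["Name"].lstrip("/"): audit_container(c, daemon_userns_remap)
            for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

On a live host, pass it the parsed output of `docker inspect` for the running containers, and set `daemon_userns_remap` according to whether `docker info` lists `name=userns` among its security options.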
Dokuru Namespace & Cgroup Lab
Run only on a disposable lab host. Endpoints intentionally expose shell execution and resource pressure.