Container breakouts: Abusing the DAC_READ_SEARCH capability
If a container is granted the DAC_READ_SEARCH capability, its processes can bypass file read permission checks and directory read and execute permission checks. Using a file mounted into the container, it is possible to gain access to files on the host system.
In the following video, an attacker leverages the DAC_READ_SEARCH capability granted to the container to retrieve files stored on the host system. Using the SSH service and the contents of the /etc/passwd and /etc/shadow files, he succeeds in becoming root on the host.
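To find out whether a workload is exposed to the capability described above, a defender can decode the capability masks the kernel publishes in /proc/<pid>/status. The following is an added example, not part of the original page: the function names and the two sample status files are constructed for illustration, and bit number 2 for CAP_DAC_READ_SEARCH comes from linux/capability.h.

```python
"""Flag processes whose capability sets include CAP_DAC_READ_SEARCH."""
import glob

CAP_DAC_READ_SEARCH = 2  # bit number from linux/capability.h
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def parse_cap_sets(status_text):
    """Return {field: int mask} for the Cap* lines of a /proc/<pid>/status file."""
    sets = {}
    for line in status_text.splitlines():
        name, _, value = line.partition(":")
        if name in CAP_FIELDS:
            sets[name] = int(value.strip(), 16)
    return sets

def sets_with_dac_read_search(status_text):
    """List the capability sets in which CAP_DAC_READ_SEARCH is present."""
    bit = 1 << CAP_DAC_READ_SEARCH
    return [f for f, mask in parse_cap_sets(status_text).items() if mask & bit]

def is_exposed(status_text):
    """True if the process holds the capability now (effective) or can
    raise it again (permitted)."""
    found = sets_with_dac_read_search(status_text)
    return "CapEff" in found or "CapPrm" in found

# Constructed samples: a container process with Docker's default capability
# mask, and the same process with DAC_READ_SEARCH added (bit 2 set).
SAMPLE_DEFAULT = """Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
SAMPLE_ADDED = SAMPLE_DEFAULT.replace("a80425fb", "a80425ff")

if __name__ == "__main__":
    # Live scan: run inside the container, or on the host to cover every process.
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if is_exposed(text):
            print(path, sets_with_dac_read_search(text))
```

A process that shows the capability only in CapBnd does not hold it at the moment, but the bounding set still allows it to be acquired, so dropping it from the container's configuration removes it from every set.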