GitBook: [master] one page modified

This commit is contained in:
CPol 2021-03-25 01:02:49 +00:00 committed by gitbook-bot
parent b2a69a78ee
commit 6ee2e4702e
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -1,20 +1,5 @@
# Docker Breakout # Docker Breakout
## Runc exploit (CVE-2019-5736)
In case you have the `docker exec` permission within the container as root, you can escape the container by getting the go implementation of CVE-2019-5736 from [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go).
Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.
Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine:
`docker exec -it <container-name> /bin/sh`
This will trigger the payload which is present in the main.go file.
For more information:
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
## Mounted docker socket ## Mounted docker socket
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it. If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.
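Review bot: the hunk header reports 20 lines removed and 5 kept at the top of the file, but the only removed content visible in the rendered view is the `## Runc exploit (CVE-2019-5736)` section (heading through the bare dragonsector URL); the two context lines shown (`# Docker Breakout`, `## Mounted docker socket`) are rendered side by side and unchanged. Confirm that every removed line is re-added by the later hunk so this is a pure move and no text in between was dropped. One detail worth keeping from the relocation: the bare URL `https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html` here was not a link, and the re-added copy renders it as one.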
@ -398,6 +383,19 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
... ...
``` ```
## Runc exploit \(CVE-2019-5736\)
In case you can execute `docker exec` as root \(probably with sudo\), you try to escalate privileges escaping from a container abusing CVE-2019-5736 \(exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)\). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload.
Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.
Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine:
`docker exec -it <container-name> /bin/sh`
This will trigger the payload which is present in the main.go file.
For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
## Docker API Firewall Bypass ## Docker API Firewall Bypass
In some occasions, the sysadmin may install some plugins to docker to avoid low privilege users to interact with docker without being able to escalate privileges. In some occasions, the sysadmin may install some plugins to docker to avoid low privilege users to interact with docker without being able to escalate privileges.
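Review bot: the first added sentence still states the precondition backwards. The exploit binary is placed and run inside the container, and the trigger is a root user on the host (the hunk's own words: "anyone executing docker exec may trigger the payload"), so "In case you can execute `docker exec` as root \(probably with sudo\), you try to escalate privileges" reads as if the attacker runs `docker exec`; suggest "If a root user on the host runs `docker exec` into a container you control, you can try to escalate privileges ...". The section also never says that this overwrites the host's `/bin/sh` (it is not a read-only check, and the host shell stays replaced until restored) or that only unpatched runc/Docker versions are affected; add the affected-version caveat and the host-impact note next to the `go build main.go` step so a reader knows the blast radius before building the binary.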