Merge pull request #87 from adi928/master

Adding CVE-2019-5736 as another docker breakout technique
Carlos Polop 2021-03-25 01:57:24 +01:00 committed by GitHub
commit b2a69a78ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,5 +1,20 @@
# Docker Breakout # Docker Breakout
## Runc exploit (CVE-2019-5736)
In case you have the `docker exec` permission within the container as root, you can escape the container by getting the go implementation of CVE-2019-5736 from [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go).
Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.
Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine:
`docker exec -it <container-name> /bin/sh`
This will trigger the payload which is present in the main.go file.
For more information:
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
## Mounted docker socket ## Mounted docker socket
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it. If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.
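Review bot: the precondition in the first sentence of the new "Runc exploit (CVE-2019-5736)" section is stated backwards; "In case you have the `docker exec` permission within the container as root" should read that you need root inside the container (which is what lets the PoC overwrite the container's `/bin/sh`), and that the trigger is a `docker exec` (or a `docker run` of the same image) performed by someone on the host, as the section's own step "you need to execute the following from the host machine" already implies. The section should also state what it does not: the host must be running an unpatched runc (the advisory covers runc through 1.0-rc6, as shipped in Docker before 18.09.2), so add a version check such as running `docker version` or `runc --version` on the host before relying on this, and warn that the PoC is destructive, since it replaces the container's `/bin/sh` and then overwrites the runc binary on the host with the payload, which breaks runc there until it is restored. Finally, "Change the payload accordingly" should say what the payload is (the shell script embedded in `main.go` that runs as root on the host), otherwise the reader has no idea what to change.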