Bypassing the read-only filesystem (ro) restriction in containers: in-memory execution

Hi reader! I am sure you have encountered a container with a read-only filesystem while pentesting and felt stuck because you can't transfer files or run your custom programs…

Today we will look at what we can try if we ever land in such a container.

Prerequisites (copied from https://github.com/arget13/DDexec)-

1. These programs should be available in the container image-

2. The personality() syscall must be allowed, which is blocked in the default Docker seccomp profile. Therefore we will not use any seccomp profile (--security-opt seccomp=unconfined).

Let’s see the in-memory execution now-

a) Run a test container

We will be using the latest Ubuntu image (tag: latest) from Docker Hub.

b) For example, I want to run curl inside the container, where it is not available, and we verify that we don’t have permission to write any file to the container filesystem.

c) Downloading a static curl binary and converting it to a base64 string-

d) Creating a function named ddexec (this step can be skipped if curl is present)-

e) Running the base64-encoded binary using ddexec-

Our DNS resolver is not configured, which is why curl was unable to resolve evil.com :)

If curl is already present in the container, we can host the base64-encoded binary file and just run the command below-

Here we are listing RBAC permissions in memory without touching the disk.

We can also skip creating the ddexec() function-

References:

https://github.com/arget13/DDexec

https://www.youtube.com/watch?v=MaBurwnrI4s
