We covered two methods of escaping Docker containers: mounting the full host filesystem into a new container, or entering the namespace of the host's PID 1 process. This was part of The Docker Rodeo room.

Checking Docker User Privileges

A crucial early step is running id to verify whether the compromised user is a member of the docker group. That membership grants the ability to run Docker commands, which is a requirement for escaping the container to the host system. Without this privilege, options become severely limited.

Docker Socket Verification

Searching for the Docker socket (/var/run/docker.sock) inside the container is another key step. If the socket is present, the container can potentially communicate with the Docker daemon on the host, a significant security hole if the socket was exposed to the container without restriction.

Remote Docker Communication via Port 2375

An open port 2375 is a red flag: it exposes the Docker API over TCP with no encryption and no authentication. Discovering this port during a scan means Docker commands can be run remotely, a pathway for further enumeration or exploitation.
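The three exposure points described so far (docker group membership, the socket, and a plaintext TCP listener) are all visible in host configuration. The following script is an added example, not code from the room or this write-up: it audits captured text (a daemon.json, a dockerd command line, an /etc/group excerpt and the socket's mode bits) and returns findings, so it runs offline. All sample contents are constructed; the "hardened" daemon.json shows the TLS-only alternative on port 2376.

```python
"""Host-side audit of Docker exposure: docker group members, docker.sock
permissions and unauthenticated TCP API listeners.
Added example (not code from the room or the write-up); it parses captured
text so it runs offline against the constructed samples below.
"""
import json
import shlex
import stat

# --- constructed samples (not taken from any real host) -------------------
DAEMON_JSON_WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DAEMON_JSON_HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
DOCKERD_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
ETC_GROUP = "root:x:0:\ndocker:x:999:alice,www-data\nsudo:x:27:alice\n"


def listeners(daemon_json: str = "", cmdline: str = "") -> list[str]:
    """Every -H/--host value from daemon.json and the dockerd command line.
    dockerd refuses to start when both sources set hosts, so in practice only
    one of the two is populated; accepting both keeps the audit simple."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return list(dict.fromkeys(hosts))  # de-duplicate, keep order


def audit_daemon(daemon_json: str = "", cmdline: str = "") -> list[str]:
    """Flag TCP listeners that are reachable without TLS client authentication."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    args = shlex.split(cmdline)
    tls_verify = bool(cfg.get("tlsverify")) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in args
    )
    findings = []
    for host in listeners(daemon_json, cmdline):
        if not host.startswith("tcp://"):
            continue
        if not tls_verify:
            findings.append(f"unauthenticated TCP API listener: {host}")
        elif host.endswith(":2375"):
            findings.append(f"TLS listener on the conventional plaintext port: {host}")
    return findings


def docker_group_members(etc_group: str) -> list[str]:
    """Members of the docker group. Docker's own docs call this root-equivalent,
    because any member can start a container that bind-mounts the host's /."""
    for line in etc_group.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def socket_world_accessible(mode: int) -> bool:
    """True when docker.sock grants read or write to 'other' (e.g. 0o666).
    The expected posture is mode 0o660, owned by root:docker."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_host(daemon_json: str, cmdline: str, etc_group: str, sock_mode: int) -> dict:
    """Combine the three checks into one report for a host."""
    return {
        "daemon": audit_daemon(daemon_json, cmdline),
        "docker_group": docker_group_members(etc_group),
        "socket_world_accessible": socket_world_accessible(sock_mode),
    }


if __name__ == "__main__":
    print(json.dumps(audit_host(DAEMON_JSON_WEAK, "", ETC_GROUP, 0o666), indent=2))
    print(json.dumps(audit_host(DAEMON_JSON_HARDENED, "", ETC_GROUP, 0o660), indent=2))
```

Only the TCP listeners are scored as findings; the unix socket is expected and is covered by the separate permission and group checks. On a real host the inputs would come from /etc/docker/daemon.json, ps output and stat on /var/run/docker.sock.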

Enumerating Running Containers

Using Docker commands from within the container (docker ps), the video walks through identifying the other containers on the host. Each container has a function: some run SSH on non-standard ports (e.g., 2244, 2255), while others serve Docker registries, evident from their names and published ports (e.g., 5000, 7000).

Analyzing Docker Images

The command docker images lists the images stored on the host, which the next escape tactic depends on. An image such as alpine is essential for creating a new container that mounts the host filesystem.

Filesystem Mounting Technique

With group access and available images, the user runs:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

This mounts the host's root filesystem (/) at the container's /mnt directory. By chrooting into that directory, the user effectively gains shell access to the host system, bypassing the container boundary.

Namespace Escape Technique Using nsenter

A more advanced method uses Linux namespaces. Each container and process runs in its own set of isolated namespaces. By targeting the namespace of the PID 1 process (usually the system's init or systemd), a user with root access can escape the container. The command is:

nsenter --target 1 --mount sh

This enters the mount namespace of PID 1, providing the user with full host filesystem access and privilege.

Root Access as a Prerequisite

It's reiterated that the nsenter method only works if the user inside the container has root privileges. If not, the attempt fails, which underscores the importance of verifying the access level before trying this exploit.
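Both escapes leave clear marks in container configuration: the mount technique shows up as a bind mount of the host's /, and the nsenter technique needs a container that can see host PID 1 (shared host PID namespace) with the privileges to call setns, on top of the root requirement noted above. The following triage script is an added example, not code from the room or this write-up; it reads docker inspect style JSON and reports these indicators per container. The inspect output below is constructed to mimic the real format and is not from the room's host.

```python
"""Container-side triage for the two escape preconditions in this write-up:
a bind mount of the host root (docker run -v /:/mnt) and the privilege and
namespace settings that make nsenter --target 1 reach the host.
Added example, not code from the room or the write-up; INSPECT_SAMPLE is a
constructed imitation of `docker inspect` output.
"""
import json

# Constructed: one container launched the way the write-up describes, one
# registry with a sane posture, one CI runner that mounts the Docker socket.
INSPECT_SAMPLE = json.dumps([
    {
        "Id": "c1", "Name": "/escape-demo",
        "Config": {"User": "", "Image": "alpine"},
        "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": None},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
    },
    {
        "Id": "c2", "Name": "/registry-2",
        "Config": {"User": "1000:1000", "Image": "registry:2"},
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
        "Mounts": [{"Type": "volume", "Source": "registry-data",
                    "Destination": "/var/lib/registry", "RW": True}],
    },
    {
        "Id": "c3", "Name": "/ci-runner",
        "Config": {"User": "root", "Image": "runner:latest"},
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": ["SYS_ADMIN"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
])

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def escape_indicators(container: dict) -> list[str]:
    """Return the escape preconditions present in one inspect record."""
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    found = []
    for m in container.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue  # named volumes do not expose host paths
        src, dst = m.get("Source", ""), m.get("Destination", "")
        if src == "/":
            found.append(f"host root filesystem bind-mounted at {dst} (chroot gives a host shell)")
        elif src in SOCKET_PATHS:
            found.append(f"Docker socket mounted at {dst} (full control of the daemon)")
    if hc.get("Privileged"):
        found.append("--privileged: all capabilities, host devices, no seccomp/AppArmor confinement")
    if hc.get("PidMode") == "host":
        found.append("host PID namespace shared: host PID 1 is a valid nsenter --target")
    if "SYS_ADMIN" in (hc.get("CapAdd") or []):
        found.append("CAP_SYS_ADMIN added (required for setns into another mount namespace)")
    user = str(cfg.get("User") or "")
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        found.append("main process runs as root (the prerequisite the write-up names for nsenter)")
    return found


def triage(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> indicators, riskiest (most indicators) first."""
    rows = {c["Name"].lstrip("/"): escape_indicators(c) for c in json.loads(inspect_json)}
    return dict(sorted(rows.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for name, hits in triage(INSPECT_SAMPLE).items():
        print(f"{name}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

In practice the input is `docker inspect $(docker ps -q)` run on the host by an administrator; the same fields also appear in the audit-log events a daemon emits when a container is created, so the checks can run at admission time rather than after the fact.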

The Docker Rodeo TryHackme Room Answers

Does Docker run on a Hypervisor? (Yay/Nay)
Nay

What is the port number of the 2nd Docker registry?
7000

What is the name of the repository within this registry?

securesolutions/webserver

What is the name of the tag that has been published?

production

What is the Username in the database configuration?

admin

What is the Password in the database configuration?

production_admin

What is the “IMAGE_ID” for the “challenge” Docker image that you just downloaded?
2a0a63ea5d88

Using Dive, how many “Layers” are there in this image?

7

What user is successfully added?

uogctf

Contents of “flag.txt” from the host operating system
thm{you_escaped_the_chains}

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.