
I've been studying Docker security and examining ways of escaping from container to host.

Suppose Docker sock (docker.sock) is mounted into the container at /var/run/docker.sock, so that Docker client (docker) can send commands to Docker daemon (dockerd).

To execute commands on the host, I could run another container and mount /etc/ into it (read-write) to schedule CRON jobs; is it possible to mount /etc/ into the current container?

What other methods are there for executing commands on the host through docker.sock?

Shuzheng

1 Answer


The best way that I've found to execute commands on the underlying host with an exposed Docker socket is Ian Miell's most pointless docker command ever

The command looks like this:

docker run -ti \
    --privileged \
    --net=host --pid=host --ipc=host \
    --volume /:/host \
    busybox \
    chroot /host

and will essentially drop you straight into a full root shell on the underlying host.

To break the command down

--privileged will remove the default Docker security layers like AppArmor and capability restrictions.

--net=host --pid=host --ipc=host runs the process in the host's namespaces instead of a separate set of namespaces for the contained process.

--volume /:/host mounts the host root filesystem as /host inside the container.

then chroot /host, as the command, changes the root to that /host directory.

If you're running via Kubernetes, you can use The most pointless Kubernetes command which effectively does the same thing (assuming the cluster doesn't have a restrictive Pod Security Policy in place).

Rory McCune
  • Thank you, would it work if any of `--net`, `--pid`, and `--ipc` was removed? I've seen you on YouTube. Could you recommend a good resource for learning Docker from a pentester's perspective, i.e. methods of breaking out of containers or exploiting them? – Shuzheng Sep 21 '19 at 07:18
  • I'd love to learn other methods of breaking out of containers, besides Docker sock. – Shuzheng Sep 21 '19 at 07:19
  • Also, your use of `--net` is not documented in the options of `docker container run`. I guess you mean `--network`? – Shuzheng Sep 21 '19 at 09:12
  • So if you don't use the host namespaces, then when you run the command, you'll get the isolated ones of the container, but you'd still have access to the underlying host filesystem (due to the volume mount), so depending on what you want to do it still works fine (for example you'd still have root access to `/etc/shadow`). The `--net` option may not be listed any more but it works fine as an abbreviation for `--network`. As to learning container hacking TBH best thing to do is learn about Linux and the kernel and how things like capabilities and namespaces work. – Rory McCune Sep 21 '19 at 15:35
  • Thanks Rory, so I guess there aren't other easy-to-check-and-exploit things like access to docker.sock? – Shuzheng Sep 22 '19 at 11:27
  • do you know why Docker doesn't have any options for entering the mount and cgroup namespaces of the host, like `--mnt=host` and `--cgroup=host`? – Shuzheng Jul 08 '20 at 16:15
  • Furthermore, your command doesn't escape to the underlying LinuxKit VM, when running "Docker Desktop" (Mac). – Shuzheng Jul 08 '20 at 16:26
  • Why don't you use `--userns`? – Shuzheng Jul 08 '20 at 16:27
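A defender-side check for exactly the settings the answer breaks down (`--privileged`, the host net/pid/ipc namespaces, a `/` bind mount, and a mounted docker.sock), added here as an example that is not part of the original answer. The `docker inspect` output is modelled by a constructed sample, and the function names are mine.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from real hosts):
# one ordinary container, one matching the answer's command, one with docker.sock.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private",
        "Binds": ["/srv/web:/usr/share/nginx/html:ro"]}},
    {"Name": "/pointless", "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "host", "IpcMode": "host",
        "Binds": ["/:/host"]}},
    {"Name": "/ci-runner", "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private",
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

# HostConfig keys that hold "host" when the matching run flag was used.
HOST_NAMESPACE_KEYS = (("NetworkMode", "--net=host"),
                       ("PidMode", "--pid=host"),
                       ("IpcMode", "--ipc=host"))


def audit_container(container):
    """Return a list of findings for one `docker inspect` entry (empty if clean)."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged (AppArmor/capability restrictions removed)")
    for key, flag in HOST_NAMESPACE_KEYS:
        if hc.get(key) == "host":
            findings.append("host namespace: " + flag)
    for bind in hc.get("Binds") or []:
        # Bind format is "source:destination[:options]"; only the source matters here.
        source = bind.split(":", 1)[0]
        if source == "/":
            findings.append("host root filesystem mounted: " + bind)
        elif source.endswith("docker.sock"):
            findings.append("docker socket mounted: " + bind)
    return findings


def audit_inspect_json(raw_json):
    """Map container name -> findings for every flagged container in the JSON array."""
    report = {}
    for container in json.loads(raw_json):
        findings = audit_container(container)
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings))
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the sample.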