search

Docker

docker run -v /:/mnt --rm -it bash chroot /mnt sh

hashtag
VM vs. Container

A virtual machine (VM) runs on a hypervisor (a kind of emulator that creates and runs VM). There are two types of hypervisors:

  • Physical layer such as a server: Type-1, native or bare-metal hypervisors, such as: VMware ESXi, Microsoft Hyper-V and Xen.

  • Conventional OS: Type-2 or hosted hypervisors, such as VMware Workstation or Oracle Virtualbox.

Each VM contains an application and an independent OS, and each docker container contains only an application. All docker containers share the same OS. This feature makes containers much more resource-efficient than VMs. Docker containers are typically smaller than 100 MB, where VMs are often larger than 10 GB.

hashtag
Docker Group

From GTFOBins:

GTFOBins docker escape

If we are in the docker group, we can try to spawn a root shell using the following payload:

hashtag
RunC Exploit (CVE-2019-5736)

From HackTricks:

Runc exploit - HackTricks

If sudo -l shows that we are able to run docker exec as root, then we can try to escape the docker container using CVE-2019-5736. The PoC is on Github:

LogoGitHub - Frichetten/CVE-2019-5736-PoC: PoC for CVE-2019-5736GitHubchevron-right
CVE-2019-5736 PoC

To learn more about the theory behind this PoC, read Dragon Sector's blog:

LogoCVE-2019-5736: Escape from Docker and Kubernetes containers to root on hostblog.dragonsector.plchevron-right
CVE-2019-5736 - Dragon Sector

hashtag
Challenge: TryHackMe - UltraTech

https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/ultratech-mediumwww.ctfwriteup.comchevron-right
TryHackMe - UltraTech
PreviousNFS Root SquashingNextGNU C Library

Last updated