Docker

VM vs. Container

A virtual machine (VM) runs on a hypervisor (a kind of emulator that creates and runs VMs). There are two types of hypervisors:

  • Type-1, native or bare-metal hypervisors run directly on the physical layer, such as a server. Examples: VMware ESXi, Microsoft Hyper-V and Xen.

  • Type-2 or hosted hypervisors run on top of a conventional OS. Examples: VMware Workstation and Oracle VirtualBox.

Each VM contains an application and an independent OS, whereas each Docker container contains only an application. All Docker containers on a host share the same OS kernel. This makes containers much more resource-efficient than VMs: Docker containers are typically smaller than 100 MB, whereas VMs are often larger than 10 GB.

Docker Group

From GTFOBins:

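If we are in the docker group, we can talk to the Docker daemon, which runs as root, so we can try to spawn a root shell. The following payload mounts the host's root filesystem at /mnt inside a container and then chroots into it: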

docker run -v /:/mnt --rm -it bash chroot /mnt sh
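
Because docker group membership is equivalent to root, a defender should know exactly which accounts hold it. The script below is an added example, not code from the original page or from GTFOBins. It lists supplementary and primary-GID members of the group from group(5) and passwd(5) files; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit which accounts hold
# docker-group membership, since that membership is equivalent to root.

# Print the numeric GID of a group from a group(5)-format file.
group_gid() {            # usage: group_gid GROUP_FILE GROUP_NAME
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# Print every account in the group, one per line, sorted and de-duplicated:
# supplementary members listed in the group file, plus accounts whose
# primary GID in the passwd(5)-format file matches the group's GID.
docker_group_members() { # usage: docker_group_members GROUP_FILE PASSWD_FILE [GROUP]
    grp="${3:-docker}"
    gid="$(group_gid "$1" "$grp")"
    [ -n "$gid" ] || return 0          # group absent: nothing to report
    {
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# Constructed sample data (not taken from any real host).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci-runner:x:1002:1002::/home/ci-runner:/usr/sbin/nologin
builder:x:1003:998::/home/builder:/bin/sh
EOF

# Every name printed here can run the payload above and should be reviewed.
docker_group_members "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd"
```

On a real host, call `docker_group_members /etc/group /etc/passwd`; accounts managed through LDAP or another name service do not appear in these files and need a separate check.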

RunC Exploit (CVE-2019-5736)

From HackTricks:

If sudo -l shows that we are able to run docker exec as root, then we can try to escape the Docker container using CVE-2019-5736. The PoC is on GitHub:

To learn more about the theory behind this PoC, read Dragon Sector's blog:

Challenge: TryHackMe - UltraTech
