![Docker unix domain socket](https://kumkoniak.com/64.jpg)
In this container, Nmap is not installed but you can find the netcat command and use it to perform a port scanĪfter checking the current network status, we can see that the docker has already acquired port 22 for SSH connection and the host machine is connected to it via 192.110.119.2. The IP of the host machine is always 172.17.0.1. After enumerating you will find that two ports are open on the host machine. There is a hack to mount the proc ( mount -t proc proc /proc) but this will mount the proc of container Chrooting and proc file systemĪs per the description the flag is stored in the running process of the host's /proc file system. The chroot trick works but the /proc file system didn't get mounted. Let's use the knowledge gained from the previous lab and try to break out of this container. Later you can perform chroot in /mnt Mount the partition and chroot to break out So if I were to mount /dev/sda to /mnt, the command of this will be mount /dev/sda /mnt. To mount the device you need to pass the device name followed by the mount path. You can now mount it to /mnt and break out the container Listing partition table In this lab, the container has cap_sys_admin capability which means you can mount the partitions Checking capabilitiesĪfter checking the output of the fdisk -l command you will realize that the /dev/sda partition exists. You will see it in action in this lab.Ī privileged container can have almost all the capabilities in the Linux kernel and it runs on the host OS layer instead of docker runtime. As you have realized in the previous post how privileged container is a big threat. In this lab, the docker container is running in privileged mode. So any path you select here on the left side of the colon ( :) will be the path on the host machine Starting new docker containerĪfter the container is executed, you can then chroot to the /host directory and perform the find command to look for the flag. This will parse the arguments and send them to the Docker runtime.
![docker unix domain socket docker unix domain socket](https://img2020.cnblogs.com/blog/665372/202011/665372-20201120174320023-1326962897.png)
To break out, you need to start a new docker container by mounting / of the host to /host in the container. This is verified by listing images in the docker local repository Checking docker connectivity Since this socket has reference to the host machines, you can directly talk to the docker runtime layer via this. Luckily, the Docker CLI is installed and by default, it uses the socket to interact with the runtime. A docker socket is mounted to /var/run/docker.sock and being a root user in the container I can perform read/write operations on it Found mounted docker socket This is a serious issue, as if an attack will land into the compromised container, they can use docker command or docker libraries that interact with docker via Unix Domain Socket to break out of the container environment.
![docker unix domain socket docker unix domain socket](https://miro.medium.com/max/1436/1*2CpFdYu4VncgILt208D-vw.gif)
Sometimes to make things easy, sysadmins and developers leave docker socket mounted in the container to debug the application like reading its logs from inside the container. I would also recommend you to first go through them as well –
![docker unix domain socket docker unix domain socket](https://wizardzines.com/comics/unix-domain-sockets/unix-domain-sockets-preview.png)
Also, this includes the topics I have already discussed in the previous post.
![docker unix domain socket docker unix domain socket](https://sematext.com/wp-content/uploads/2015/06/spm-for-docker.png)
But don't worry, I have already published a blog on that – Understanding Container Architecture. If you don't know the basics of Docker, sadly you won't understand this or the next posts on the same topic. In this post, I will be discussing the following labs from the attackdefense Although I am using docker because it became popular, these techniques apply to all the container managers Also, the processes spawned by the containers are child processes of the OCI service docker is using. Since you have seen it creates containers that are isolated on the application level, which means two containers don't know each other but the docker itself runs on the host system as an additional utility. So far you have learnt about what Docker is and how it works.
![Docker unix domain socket](https://kumkoniak.com/64.jpg)