Docker - PRIVILEGE ESCALATION Technique
Key Takeaways
This video demonstrates a Docker privilege escalation technique: a user without sudo permissions, but who is allowed to run Docker commands, gains root privileges by exploiting Docker's ability to mount the host filesystem as a volume, which gives write access to sensitive files like /etc/sudoers. It showcases the steps to create a Docker image and container to achieve this, using tools like Docker, Dockerfile, Debian Wheezy, and nano.
Full Transcript
Hello everybody, my name is John Hammond and this is a quick video showcasing a Docker privilege escalation technique, if you're on a machine that has Docker installed and you, as that low-privileged user, can actually run Docker commands. So before we get started with anything, I want to introduce you guys to today's video sponsor, Stream Coder. If you haven't heard of Stream Coder before, it is one super cool node-based Python IDE, or Python integrated development environment. The fact that it's node-based means that it's super easy to visualize your algorithm and your code, really what your program and your software is doing. Stream Coder is put together by the guys at Pleura Corp, and you can visit them online at their website, pleuracorp.com, and they even have an online free version just to demo what Stream Coder is, how it works and why you guys might want to use it. You can go check that out at pleuracorp.com slash stream coder. If you interact with the online free demo version of Stream Coder, you'll be greeted with this really nice and friendly interface that just allows you to interact with nodes that help define what your program is and what it does. You can even title it whatever you'd particularly like, but they like to call... each of these node graphs is called a Koi. If you double-click on any of these nodes, it'll bring you to an interface where you can add more information or, in this case, even read about what that node actually is and does and how you can use it inside of your node editor. This is an awesome way to actually learn about what this tool can do and what it's all designed for. The whole thing is about being able to create code that you can reuse, send to others, and it's just standalone and encapsulated, even as a beautiful image and picture that can be shared and worked with, while behind the scenes you could still add your own code or anything else you might particularly need. Each of these sections has their own video kind of documentation walkthrough, which is super duper cool, and if you'd like you can always explore, drag things into the node editor or the Koi and kind of see how you can piece these all together, do interesting things with them and even build out and suddenly create your own program in Python. So if you guys have any interest in Stream Coder, please go check it out online at pleuracorp.com, and I have some discount codes for you: the first 10 people to use the code JohnHammond75 will get 75 percent off, and if you don't make it in the first 10 people you can use the discount code JohnHammond and you'll get 20 percent off of Stream Coder, so you can go make some Python programs in a beautiful node-based IDE and editor. So thank you guys, go check them out: Stream Coder, pleuracorp.com, JohnHammond75 if you can make it, and JohnHammond.

Okay, now let's get to the video. So I'm gonna be testing this and showcasing it on my host. I'm running as my usual john user, so this user does have sudo permissions right now. I'm just showcasing that with a little bit of dichotomy, because I want to show you with this other user, mark, that I just kind of created for testing purposes. So what I'm gonna do is I'm just gonna show you that currently the mark user does not have permissions to actually run any root commands, but we're gonna end up getting this account, without knowing its password, root privileges to be able to actually compromise and take control of this potential target and machine. So this mark user does not have any permissions in the sudoers file, but nor does he also have permissions in the docker group. So let me go ahead and actually set that up. Typically, to get Docker installed you could use docker.io. When you have a user that you want to be able to actually interact with Docker, you would add that user into that group with usermod -aG and then the name of the user and the group that they're going to go in. So in this case it is mark, and I have that syntax the other way around, excuse me: it should be docker as the group that comes first, and mark is the user that we're adding. There we go. So now mark should be able to go ahead and use that. I think it's getent groups... getent group, there we go. So now the docker group has both myself and mark, as we've just added him in. So let me go ahead and su into mark. What is his password? su mark, okay great. Say we don't know his password; you don't know his password, it doesn't matter, we're not gonna need it for what we're gonna end up doing. Let me just move into his home directory, there we go, and let's go ahead and make a directory called privesc. Now this user should be able to go ahead and run docker commands, fingers crossed... okay, good.

In that privesc directory, I'm gonna use this as the kind of folder or directory that I'll go ahead and put our Dockerfile in. Dockerfile, and now this Dockerfile is gonna give us the baseline to build our Docker image, where this user will be able to, because he can run Docker, mount the whole rest of the filesystem automatically and gain his own permissions as root. So I'll show you how to do this. What we'll end up doing is pulling down an image that is already a well-known Linux distribution. I'm just gonna use Debian wheezy because that's pretty lightweight; you could use, I guess, whatever you particularly want here. And then we're gonna go ahead and set an environment variable where we will go ahead and specify where we want to work out of. This will be just kind of a directory that will act as the mount point for the whole rest of the real filesystem that we're gonna end up taking advantage of, so you can call this whatever you want: privesc, or stuff, or testing, literally anything, you get to make the call. privesc is just kind of what I'll go ahead and work with, and then we will make that directory so we know that it is something that our instance or our Docker image can actually work with. We just run that command to make the directory, and -p to create parent directories if for whatever reason we need to; in this case we really shouldn't, but because this Dockerfile runs as root within the container it should be able to go ahead and make that directory even though it's in, like, the root of the filesystem. So that's that forward slash, /privesc. So at that point we'll consider that a volume, or a location that this container could really use and work through, so let me use VOLUME and WORKDIR, or that environment variable that we just created, and a place that we could actually go ahead and work with. Now we'll go ahead and actually set that as our working directory with another Dockerfile kind of command here to really go ahead and use that; that'll just be WORKDIR as the name of our directory. Some of this stuff, admittedly, is just kind of, as you're used to with stuff you might pull off of Exploit-DB or something with searchsploit, a lot of those, you can just kind of hit the we button and know that this is what works. If you don't want to get all behind the scenes and the bells and whistles under the hood, this is the syntax to simply spit out a Dockerfile or Docker image that will allow you to, inside a container, mount the whole rest of the filesystem. So let me show you how that's done. We can go ahead and now docker build this image, so docker build -t, we can call it privesc; that's just gonna end up being the tab, or the tag, excuse me, the tag name for this container, for this image, that we'll access within Docker. And of course it is in the current directory where our Dockerfile is, so just add a period in there to go ahead and build this. It'll pull down that Debian wheezy if we need it, go ahead and create everything, and now we should be able to, once that is fully built, go ahead and run this container or start up that instance.

So I'll show you that syntax now. We go ahead and docker run, but we'll specify a volume with -v, so we'll mount the root of our filesystem and put it in that filesystem kind of working directory that we defined as an environment variable, as a location that we want to use. Then of course we need the tag or the actual image name that we're working with; we called that privesc just because when we ran it previously with that image tag, or -t name... I get a lot of nonsense in that, so privesc, -t privesc. Maybe that's a little confusing that I use the working directory name the same as the image name, but I hope you can bear with me. Those are two different strings and you could choose them to be what you want, privesc and print, that's just for my kind of demonstration purposes, really, whatever. And now we need to actually supply a command you would want to run, so in this case we could use /bin/bash as that would give us a shell, and we need to actually specify that that is interactive, excuse me, with -it, so i for interactive, t for actually working within a terminal. There we go. Okay, excuse me, now I am root within our current Docker instance, and if I were to ls, because I'm in that /privesc directory, I have root privileges inside of the entire filesystem that I originally had on the target machine. So I could go ahead and actually work with that etc sudoers file, or when I ran my sudo earlier, I'm getting all the contents of what is actually the sudo command on my machine, on my real, real actual target, and my laptop in this case. So what we could do, because we could edit this: we can't, probably can't, run nano or vi or anything, because we don't actually have those within the Docker container or the Docker image, we just hadn't installed that or created all those things, but we can of course just echo and append to it. So let me actually figure out the syntax for sudoers no password all commands. So that's it, any kind of link here just to get that syntax right. Looks like the username, ALL equals ALL, and NOPASSWD ALL, all in one line, allows that specific user the ability to run any command without a password. So without ever knowing this user's password we could essentially set up mark as someone who could run sudo and then compromise that machine, or run any commands as root. So let's take that syntax and actually go ahead and put it in, from inside of our Docker instance or kind of relative to our already mounted filesystem here, where we would go ahead and echo mark with those permissions, appended on to, excuse me, to our /privesc, because we know that is the mount point for our real machine's filesystem, etc sudoers, because we have write access to that. Now we could go ahead and actually cat that out, /privesc/etc/sudoers, and mark has the ability to run any command as root without supplying a password. So I could hit Ctrl-D to break out of that shell, and now I could go ahead and simply run sudo bash without a password, because I've added mark into the /etc/sudoers file. What sudo would normally return for us... because I was able to access that file using that Docker privilege escalation technique, where I can mount the whole filesystem as a volume within Docker. So that's that. Now I am in fact root without ever knowing mark's... without ever knowing that low-privilege user, and being able to compromise this machine. Now I could do whatever I wanted to on this box. So that's that, just a quick video, just a quick tip. I hope it was kind of cool, I hope you guys enjoyed. If you did like this video please do hit that like button, please do hit that subscribe button, hit that bell. I hate doing these. Smash that bell, that's such a stupid thing to say. Alright, thank you guys for watching, I'll see you in the Discord server. I love you, take care.
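Seen from the host, the technique in the video depends on two auditable conditions: a low-privilege user in the docker group, and a container that bind-mounts the host root writable. The Python below is an added audit example, not code from the video; it parses a constructed `getent group docker` line and a constructed `docker inspect` document, so it runs offline and the real command output would be substituted in to check a live host.

```python
"""Audit helpers for the two host-side conditions behind the video's
technique: a low-privilege user in the docker group, and a container that
bind-mounts the host root.  Sample inputs are constructed, not captured."""
import json

# Host paths that should never be bind-mounted writable into an untrusted
# container; a mount of "/" reaches /etc/sudoers, as in the video.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/var/lib/docker")

# Constructed sample of `getent group docker` output.
SAMPLE_GROUP_LINE = "docker:x:998:john,mark"

# Constructed sample of `docker inspect <container>` output, trimmed to Mounts.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/privesc_shell",
    "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/privesc", "RW": True},
        {"Type": "volume", "Name": "appdata", "Destination": "/data", "RW": True},
    ],
}])

def docker_group_members(group_line: str) -> list:
    """Members of the docker group from a group(5) line; each one is
    root-equivalent, so the list should hold administrators only."""
    fields = group_line.strip().split(":")
    if len(fields) != 4 or fields[0] != "docker":
        return []
    return [user for user in fields[3].split(",") if user]

def risky_host_mounts(inspect_output: str) -> list:
    """(container, host_source, destination) for every writable bind mount
    of the host root or of a path under SENSITIVE_HOST_PATHS."""
    findings = []
    for container in json.loads(inspect_output):
        name = container.get("Name") or container.get("Id", "?")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind" or not mount.get("RW", True):
                continue
            src = mount.get("Source", "")
            if src == "/" or any(src == p or src.startswith(p + "/")
                                 for p in SENSITIVE_HOST_PATHS):
                findings.append((name, src, mount.get("Destination", "")))
    return findings

if __name__ == "__main__":
    for user in docker_group_members(SAMPLE_GROUP_LINE):
        print("docker group member (root-equivalent):", user)
    for name, src, dst in risky_host_mounts(SAMPLE_INSPECT):
        print(f"{name}: host {src} bind-mounted writable at {dst}")
```

On a live host the same functions take `getent group docker` and `docker inspect $(docker ps -q)` output; a non-empty result from either is the condition the video turns into a root shell.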
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond