UltraTech_Docker_group

Docker Group

---

The r00t user is part of the 116(docker) group. This was already revealed Now that the user has been compromised, I can abuse the group membership

Being in the docker group has root-level access to the system

r00t@ultratech-prod:/home$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Currently, there is no running docker instances

r00t@ultratech-prod:/home$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
7beaaeecd784        bash                "docker-entrypoint.s…"   5 years ago         Exited (130) 5 years ago                       unruffled_shockley
696fb9b45ae5        bash                "docker-entrypoint.s…"   5 years ago         Exited (127) 5 years ago                       boring_varahamihira
9811859c4c5c        bash                "docker-entrypoint.s…"   5 years ago         Exited (127) 5 years ago                       boring_volhard

Although there were in the past

r00t@ultratech-prod:/home$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
bash                latest              495d6437fc1e        5 years ago         15.8MB

The only available Docker image is 495d6437fc1e Moving on to Privilege Escalation phase