This is another privilege escalation using Docker, or sandbox escape. The methodology is the same: we need to start a container with privileged rights in order to mount the host volume. Today, I am going to show how to do the escalation using Portainer.
What is Portainer?
Portainer is a powerful, GUI-based Container-as-a-Service solution that helps organizations manage and deploy cloud-native applications easily and securely.
Once you have access to the Portainer portal, the first thing to do is check the available images.
Copy the ID of the image that you want to create a container from and run. For example: sha256:3e4f91c08d0f8e8981391f89e4f27d1c26a3662be0bf19af20d95eb5d5fa8b6a
Once you have the ID, you need to create and run a container based on the image you chose. To start, go to the container section and press add container.
Give the container a name and paste the image ID you copied in as the image name.
Set the console to Interactive & TTY (-i -t)
Mount the root (/) of the host to /mnt/root in the container.
Set Security/Host to Privileged Mode. This selection is very important because it allows the container to have access to the host.
Press the Create button to start the container. Wait until the notification that creation was successful appears.
You can see that the new container is running. To access the container console, click on the name of the container.
You can now click the menu >_Console
Select /bin/bash and press Connect
To access the host volume, you can go to /mnt/root
You can browse the host /root home directory
You can see the /etc/hosts of the container host.
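A defender-side check for the configuration this walkthrough relies on, as an added example that is not part of the original post: it reads container objects in the shape of `docker inspect` output and flags privileged mode, sensitive host bind mounts and an interactive TTY. The sample data, the container names and the SENSITIVE_SOURCES list are constructed assumptions, and bind strings are assumed to be Linux-style `src:dst[:mode]`.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not taken from the page).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "Config": {"Tty": false, "OpenStdin": false}, "HostConfig": {"Privileged": false, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
  {"Name": "/test", "Config": {"Tty": true, "OpenStdin": true}, "HostConfig": {"Privileged": true, "Binds": ["/:/mnt/root"]}},
  {"Name": "/backup", "Config": {"Tty": false, "OpenStdin": false}, "HostConfig": {"Privileged": false, "Binds": ["/etc:/host-etc:ro"]}}
]
""")

# Assumed watch list: host paths the walkthrough reads from inside the container.
SENSITIVE_SOURCES = ("/", "/etc", "/root")

def parse_bind(bind):
    """Split a Linux-style 'src:dst[:mode]' bind into (src, dst, writable)."""
    parts = bind.split(":")
    src, dst = parts[0], parts[1]
    mode = parts[2] if len(parts) > 2 else "rw"
    return src, dst, "ro" not in mode.split(",")

def audit_container(c):
    """Return a list of findings for one `docker inspect` object."""
    findings = []
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    if host.get("Privileged"):
        findings.append("privileged mode")
    for bind in host.get("Binds") or []:
        src, dst, writable = parse_bind(bind)
        norm = src.rstrip("/") or "/"  # treat "/etc/" and "/etc" alike, keep "/" as "/"
        if norm in SENSITIVE_SOURCES:
            findings.append(f"host path {norm} mounted at {dst} ({'rw' if writable else 'ro'})")
    if findings and cfg.get("Tty") and cfg.get("OpenStdin"):
        findings.append("interactive TTY")  # only reported alongside another finding
    return findings

def audit(containers):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for c in containers:
        found = audit_container(c)
        if found:
            report[c.get("Name", "?").lstrip("/")] = found
    return report

if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(found)}")
```

To run it against a real host, replace SAMPLE_INSPECT with the parsed JSON output of `docker inspect` for the running containers.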