What is Docker?
Before talking about Docker, let's discuss why we need it. Building a modern application has become complex. When a developer builds an application it works fine on the developer's machine, but when the same project is moved to another computer it starts throwing errors, because the developer may have used dependencies or plugins that are not installed on, or not supported by, the end user's system. To overcome this problem most developers use Docker, and it plays a vital role in the application development environment.
Docker uses OS-level virtualization to deliver software in packages called containers. A Docker container packs the libraries, dependencies and executables that an application needs to run into a single package.
What is Privilege Escalation?
Privilege escalation is a post-exploitation phase of a penetration test. An attacker who has obtained unauthorized low-privileged access to a system tries to elevate that access to a higher privilege level, so that they can execute commands with high privileges.
How does Docker lead to Privilege Escalation?
Running Docker containers (a packaged application) with Docker implies running the Docker daemon. The Docker daemon is a persistent background process that manages Docker images, containers and storage volumes. It constantly listens for Docker API requests and processes them. This daemon currently requires root privileges. When an administrator adds an unprivileged user to the docker group, that user can create containers with the Docker CLI. Docker runs with the SUID bit set, so a low-privileged user can use it to abuse the filesystem and escalate privileges to a high-level user.
Install Docker using: sudo apt-get install docker.io -y
It has already been installed on my machine. If you are installing it for the first time, enter yes when prompted.
Create a sample text file with sample content inside the /root directory. In my case, I created a file called root.txt containing "privilege escalation succeed!".
Change the file permissions so that only root can read, write and execute it, using: chmod 700 root.txt.
Set up a low-privileged user. You can create the user with a name of your choice.
Verify that the user has been added to the machine by listing the users in /etc/passwd and filtering for those that have a shell, using: cat /etc/passwd | grep /bin/bash.
Listing the users, we find that the ghost user has been added to the machine with an id of 1000.
Add the user to the docker group using: sudo usermod -aG docker ghost.
Running the id command shows that the ghost user has been added to the docker group.
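Because docker-group membership is root-equivalent on a host like this one, an administrator wants a quick way to see who holds it. The following audit script is an added example, not code from the original post: it parses /etc/group and /etc/passwd text (the two sample files embedded below are constructed to match the lab, with the ghost user in the docker group and a made-up svc account whose primary group is docker) and lists every non-root account that is effectively in the docker group. It also includes a helper that interprets the mode of the Docker socket, on the assumption that the daemon socket is owned root:docker with mode 0660, which is the default that makes group membership matter.

```python
"""Audit which accounts effectively hold root via the docker group.

Added example (not from the original post). Parses /etc/group and
/etc/passwd text and reports every docker-group member who is not root.
The sample files below are constructed for the demo: ghost mirrors the
post's lab user, svc is a made-up account whose primary group is docker.
"""

SAMPLE_GROUP = """root:x:0:
sudo:x:27:
docker:x:142:ghost
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ghost:x:1000:1000::/home/ghost:/bin/bash
svc:x:1001:142::/home/svc:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_group(text):
    """Map group name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> (uid, primary gid, login shell)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
    return users


def docker_group_members(group_text, passwd_text, group_name="docker"):
    """Sorted non-root users in the docker group, whether listed as
    supplementary members in /etc/group or via their primary gid."""
    groups = parse_group(group_text)
    users = parse_passwd(passwd_text)
    if group_name not in groups:
        return []
    gid, members = groups[group_name]
    members = set(members)
    for name, (_uid, pgid, _shell) in users.items():
        if pgid == gid:
            members.add(name)
    # root already is root; everyone else here is root-equivalent.
    return sorted(m for m in members if users.get(m, (None,))[0] != 0)


def socket_group_access(mode, group):
    """True when the daemon socket's group bits grant read and write to the
    docker group. Assumption: mode is the permission bits (e.g. 0o660) and
    group is the socket's group name, as os.stat()/stat would report."""
    return group == "docker" and (mode & 0o060) == 0o060


def audit_report(group_text, passwd_text):
    """One finding line per docker-group member."""
    users = parse_passwd(passwd_text)
    findings = []
    for name in docker_group_members(group_text, passwd_text):
        uid, _gid, shell = users.get(name, ("?", "?", "?"))
        findings.append(f"{name} (uid {uid}, shell {shell}) is in the docker group: root-equivalent")
    return findings


if __name__ == "__main__":
    for line in audit_report(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(line)
```

On a real host, feed it the contents of /etc/group and /etc/passwd and compare the socket mode from `stat -c '%U:%G %a' /var/run/docker.sock` against socket_group_access; every name the report prints should be treated as an administrator account when reviewing who can log in over ssh.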
Enable Docker using the service command.
Install openssh-server to access the machine remotely.
Enable the ssh service.
Using the ifconfig command we find the IP address of the lab machine.
The IP address of my lab machine is 192.168.98.129.
Open a new terminal and log in as the ghost user over ssh, using the password you set when creating the ghost user.
Once logged in, I have a low-privileged shell as the ghost user.
Checking the id shows that the ghost user is in the docker group (142).
Initially we try to read the content of root.txt, but we get permission denied because the file can only be accessed by the root user.
The ghost user is a low-privileged user and cannot perform tasks as root, but because ghost is in the docker group it can run docker. As explained above, the Docker daemon executes commands as root, so we can pull the alpine image from the Docker Hub registry, start a container and bind-mount the host's root filesystem (/) into the /mnt directory inside the container. The host's /root directory then appears as /mnt/root inside the container, and we can read root.txt because Docker runs the command as root.
To do this we execute the following command:
docker run -v /:/mnt -it alpine
docker run starts a container from the alpine image, pulling it from Docker Hub if it is not present. The -v option creates a bind mount, and /:/mnt mounts the host's entire root filesystem (/) at /mnt inside the container. The -it options attach an interactive terminal so we get a shell inside the container.
Once the command has run and we have a shell, move to the /mnt/root directory and read the root.txt file.
In this way we can elevate our privileges from a low-level user to running commands as a high-level user through the docker group. In the next blog we will see how to mitigate this risk by running Docker containers as a non-root user.
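A container started this way leaves a clear fingerprint in the daemon's own metadata: a bind mount whose source is the host's /. The script below is an added example, not code from the original post; it reads the JSON that `docker inspect` prints for one or more containers (a list of container objects with a Mounts array and a HostConfig section) and flags bind mounts of the host root or other sensitive host paths, plus privileged containers. The embedded sample is constructed to resemble the container the post starts: the container IDs and the names sharp_turing and web are made up, and the second container is a benign read-only mount included for contrast.

```python
"""Flag containers whose bind mounts expose the host filesystem.

Added example, not part of the original post. Input is the JSON array
that `docker inspect <container>...` prints. The sample below is
constructed: IDs and names are made up; the first entry mirrors the
`docker run -v /:/mnt -it alpine` container from the post.
"""
import json
import sys
from pathlib import PurePosixPath

# Host paths that give root-equivalent control when mounted into a container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock",
                        "/proc", "/sys", "/boot")

SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0000deadbeef",          # constructed id
        "Name": "/sharp_turing",       # constructed name
        "Config": {"Image": "alpine"},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
    },
    {
        "Id": "0000c0ffee00",          # constructed id
        "Name": "/web",
        "Config": {"Image": "nginx"},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html", "RW": False}],
    },
])


def is_sensitive(source):
    """True if the host path is, or lies under, a sensitive host location.
    "/" is matched only exactly, otherwise every absolute path would match."""
    src = PurePosixPath(source)
    if src == PurePosixPath("/"):
        return True
    for sensitive in SENSITIVE_HOST_PATHS:
        if sensitive == "/":
            continue
        s = PurePosixPath(sensitive)
        if src == s or s in src.parents:
            return True
    return False


def find_risky_containers(inspect_json):
    """Return (container name, reason) tuples for every risky finding."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id", "?")
        name = name.lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged container"))
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":
                continue
            src, dst = m.get("Source", ""), m.get("Destination", "")
            if is_sensitive(src):
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append((name, f"host {src} bind-mounted at {dst} ({mode})"))
    return findings


if __name__ == "__main__":
    # Read real inspect output from stdin when piped in, else use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reason in find_risky_containers(data):
        print(f"{name}: {reason}")
```

To run it against a live host: `docker inspect $(docker ps -q) | python3 this_script.py`. A finding of host / mounted read-write is exactly what the escalation above produces, so it is a sensible trigger for an alert on any host where non-administrators hold docker-group membership.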
Author : NaveenKumar [B1n4ryN1nj4]