Docker Privilege Escalation

Docker Privilege Escalation

In the previous blog we discussed “Abusing the Docker API” and today we will learn about Docker Privilege Escalation. We will learn how to escalate the privileges of the root shell if the docker is running on the host’s system..

Every Docker environment has a set of inherent security limitations. For example, sudo on Linux containers is not possible without root privileges. Similarly, we are aware that Docker has a problem in that all docker commands require sudo because Docker requires root access to run.

Because of these constraints, many new people to Docker use it without first understanding how it works in the context of system privileges. As a result, many users accidentally give themselves superuser power — which may result in serious consequences in production environments. The Docker daemon is set up in a particular way that it can access the root user as well as any other user presented in the Docker group. This demonstrates that giving persistent root access to docker group is the same as giving root access without a password.

Lab Setup for Docker Privilege Escalation

Create a local user in our local host machine Ubuntu with the least privileges using the following command:

# adduser  <username>

Docker Privilege Escalation

Here, we added a ‘blog’ user. After adding a new user to the local machine, add a new group and assign the created group to the user using the given command:

# usermod -G <groupname><username>

            # newgrp <groupname>

Here, we added ‘blog’ user. After adding a new user in local machine, add a new group and assign the created group to the user using the given command:

# usermod -G <groupname><username>

            # newgrp <groupname>

Docker Privilege Escalation

Here, we added ‘docker’ group for our user ‘blog’.

Let’s check the IP address of our host machine Ubuntu:

            # ip addr

Docker Privilege Escalation

Now, we must have local access of the host machine in order to escalate the privileges of root shell. So, we will open a terminal in Kali Linux and login into ssh as our local user ‘blog’ to access the host machine using the following command:

            # ssh blog@192.168.29.115

Docker Privilege Escalation

Here, we have access to the ‘blog’ user who is a member of the docker group, and as previously said, if the user is a member of the docker group, it is the same as giving root access without a password.

We can also check the id and group of the ‘blog’ user:

            # id

Docker Privilege Escalation

Here, we can verify that ‘blog’ user is a member of the docker group.
 
Now, let’s execute the command below, To download and run the alpine image from the Docker Hub, run the command given below:
 
            # docker run -v /root:/mnt -it alpine

Docker Privilege Escalation

We want to build a volume in the Docker instance, therefore we use the –v parameter. Instead of initiating a daemon process, the –it arguments force Docker into shell mode. The instance is configured to mount the target machine’s root filesystem to the instance volume. so whenever it starts, it creates a chroot in that volume.  This provides us the machine’s root.

Here, we can mount additional system files, such as shadow, passwd or ssh-key, to elevate the privileges of the local user.

Now, let’s mount the etc directory in order to obtain shadow file of the machine using the following commands:

            # docker run -v /etc/:/mnt -it alpine

            # ls

Docker Privilege Escalation
Docker Privilege Escalation

# cat shadow

Docker Privilege Escalation

Here, we can see that we have access of the shadow file. So, we will try to crack the passwd file and if we can manage to have an access of passwd file then we can add our own additional privilege users by producing a password salt using the following command:

            # sudo su

# openssl passwd -1 -salt hard

Docker Privilege Escalation

Now, add this new user record inside the passwd file using the given command;
 
            # echo ‘raj:saltpasswd:0:0::/root:/bin/bash’ >>passwd
            # tail passwd

Docker Privilege Escalation
Docker Privilege Escalation

Here, we can see that our new user ‘hard’ is added in the passwd file. And we can clearly observe that ‘hard’ user is now one of the members of root.

Therefore, we will switch the user from ‘blog’ to ‘hard’ user to access the root shell.

            # su hard

            # id

Docker Privilege Escalation

Here, our blog series on Docker comes to an end. Hope you all enjoyed the learning process.

Author

Hard Dudhia

Cyber Security Intern

Leave a Comment

Your email address will not be published. Required fields are marked *