
Exploit: docker sock pwn

cdxy edited this page Feb 8, 2021 · 1 revision

Exploit: docker-sock-pwn

Deploy a backdoor container to the target host via the local Docker Unix socket (docker.sock) in order to take control of the host.

This script connects to the host's Docker daemon through the local Unix socket, pulls the user-specified "backdoor" image and runs it with the host root directory / mounted at /host inside the container. You can then execute commands inside the container and write payloads to the host filesystem (e.g. /etc/crontab) to escape.

See Also:

Usage

./cdk run docker-sock-pwn <sock_path> <shell_cmd>

Example

# deploy image from dockerhub
./cdk run docker-sock-pwn /var/run/docker.sock "touch /host/tmp/pwn-success"
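From the defender's side, the two conditions this technique depends on (a container that can reach docker.sock, and a container started with the host / bind-mounted) are both visible in the Mounts field of docker inspect. The audit below is an added example, not part of CDK; the sample JSON is constructed, and matching the socket by the file name docker.sock is an assumption that misses sockets mounted under another name.

```python
import json
import posixpath

# Constructed sample of `docker inspect` output, trimmed to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
         "Destination": "/data", "RW": True}]},
    {"Name": "/ci-agent", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/unknown-1", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
])


def _norm(path):
    """Collapse '//', '/./' and '..' so that '//' and '/' compare equal."""
    return "/" + posixpath.normpath(path).lstrip("/")


def audit_mounts(inspect_json):
    """Return sorted (container, finding) pairs for risky bind mounts."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        for m in c.get("Mounts") or []:  # "Mounts" may be null
            if m.get("Type") != "bind":
                continue
            src = _norm(m.get("Source", ""))
            mode = "rw" if m.get("RW") else "ro"
            if src == "/":
                # Host root visible inside the container (the /host mount above).
                findings.append((name, f"host-root mounted at {m.get('Destination')} ({mode})"))
            elif posixpath.basename(src) == "docker.sock":
                # Container can talk to the daemon that created it.
                findings.append((name, f"docker socket exposed ({mode})"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_mounts(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

On a real host, feed it the JSON array that docker inspect prints for the running containers instead of SAMPLE_INSPECT.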
