In this post, I would like to share how to escape the Docker environment to obtain root privileges on the machine itself. However, I did manage to get root privileges by taking a different route, which you can read here

How will we escape the environment with a different method?

First, we are given a docker.sock file inside the /app/ directory, which we will take advantage of later. For those who do not know docker.sock, it is the socket file normally used to communicate with the Docker daemon; read/write access to it is just like being in the docker group. As a result, the file gives the user full control over the Docker elements.

For this activity, I will try to demonstrate the process by using the curl command

Therefore, let’s start!

An example of getting docker information by using the curl command

Running a command such as curl --unix-socket docker.sock http://localhost/images/json -s will provide us with the images of the environment.

We should create a container from the laravel-app_main:latest image by running the command above.

By default, we could transfer the docker binary installed on our attacker machine to the victim machine, but it is pretty large for the victim's hard disk. Therefore, we can transfer the docker file into a different environment by running a Python server

We can download the file in a different environment by using the wget command as above.

Sadly, it doesn't work as I expected it should. After a few minutes of analysis and troubleshooting, I just noticed that we are not in the same directory as the docker.sock file.

Therefore, let's change to the directory that stores the binary file

At last, the command works the way I was expecting it to, and we can see all the environments that are available to us to play around with.

Now, we should be able to start the laravel-app_main container by trying to mount the directory or file into the container we created earlier.

By default, we should be able to access the container right now by running the exec command with the bash execution.

The screenshot above shows all the directories that existed inside the machine itself.

As a result, we managed to find a root flag inside the /mnt/root/ directory

As usual, we can read the root flag by executing the “cat root.txt” command
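From the defender's side, both conditions this walkthrough relies on (a docker.sock reachable inside a container, and a container started with a host directory mounted into it) are visible in container metadata. The Python below is an added example, not part of the original post: it audits JSON in the shape of docker inspect output for bind mounts of docker.sock or of the host root. The sample data and container names are constructed, and the /mnt/root destination is assumed from the flag path above.

```python
import json
import posixpath

# Constructed sample shaped like `docker inspect` output; names are made up.
SAMPLE_INSPECT = """
[
  {"Name": "/laravel-app", "Mounts": [
    {"Type": "bind", "Source": "/var/run/docker.sock",
     "Destination": "/app/docker.sock", "RW": true}]},
  {"Name": "/helper", "Mounts": [
    {"Type": "bind", "Source": "/", "Destination": "/mnt/root", "RW": true}]},
  {"Name": "/monitor", "Mounts": [
    {"Type": "bind", "Source": "/run/docker.sock",
     "Destination": "/var/run/docker.sock", "RW": false}]},
  {"Name": "/static-web", "Mounts": [
    {"Type": "volume", "Source": "/var/lib/docker/volumes/www/_data",
     "Destination": "/usr/share/nginx/html", "RW": true},
    {"Type": "bind", "Source": "/srv/conf", "Destination": "/etc/nginx/conf.d",
     "RW": false}]}
]
"""


def audit_mounts(inspect_json):
    """Return (container, issue, source, destination) for risky bind mounts."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts") or []:
            if mount.get("Type") != "bind":
                continue
            src = posixpath.normpath(mount.get("Source", ""))
            dst = mount.get("Destination", "")
            if posixpath.basename(src) == "docker.sock":
                # Flag even when RW is false: a read-only bind mount still
                # lets a process connect to the socket and call the API.
                findings.append((name, "docker-socket", src, dst))
            elif src == "/":
                mode = "rw" if mount.get("RW") else "ro"
                findings.append((name, "host-root-" + mode, src, dst))
    return findings


if __name__ == "__main__":
    for name, issue, src, dst in audit_mounts(SAMPLE_INSPECT):
        print(f"{name}: {issue} ({src} -> {dst})")
```

On a real host the input would be the JSON array printed by docker inspect for the running containers.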
