Exploit: docker sock pwn
通过本地docker.sock向宿主机部署后门容器,以完成控制宿主机的目标。
本脚本将控制宿主机的docker进程,拉取指定的后门镜像并运行,运行过程中镜像将宿主机的根目录/挂载到容器内部的/host目录下,便于通过后门容器修改宿主机本地文件(如crontab)来完成逃逸。
Deploy backdoor container to target host via local docker unix socket.
This script will dial docker daemon via local unix socket to run user-specified "backdoor" image with host root dir / mounted to container /host, then you can execute cmd inside the container and write payloads to host filesystem(e.g. /etc/crontab) to escape.
See Also:
./cdk run docker-sock-pwn <sock_path> <shell_cmd>
# deploy image from dockerhub
./cdk run docker-sock-pwn /var/run/docker.sock "touch /host/tmp/pwn-success"
