Docker Privilege Escalation

In our previous article we have discussed “Docker Installation & Configuration”but today you will learn how to escalate the root shell if docker is running on the hots machine or I should say docker privilege escalation to spawn root shell.

While we know that there is an issue with the docker that all the commands in docker require sudo as docker needs root to run. The Docker daemon works in such a way that it is allowed access to the root user or any other user in the particular docker group. This shows that access to the docker group is the same as to give constant root access without any password. 🧐

Quick Lab setup

Execute the below command to install docker in your localhost machine. I have used ubutnu 18.04 here as target machine.

Create a local user, say Ignite is the username with least privileges add new group “docker” for “ignite”.

To proceed for privilege escalation, you should have local access of the host machine, therefore here we choose ssh to access the machine as ignite who is a local user on this machine. 

Since we have access to the user which is a part of the docker group and said above if the user is part of the docker group then it is the same as to give constant root access without any password. 😈

We ran the command shown below, this command obtains the alpine image from the Docker Hub Registry and runs it. The –v parameter specifies that we want to create a volume in the Docker instance. The –it parameters put the Docker into the shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and found out flag.txt.

Similarly, an intruder can mount other system files to escalate the privilege for the local user such as he can mount the passwd or shadow or ssh-key.

As you can see here, we try to mount/etc directory to obtain shadow file and similarly one can access passwd file and add his own privilege user. 🤔

So, if you have access shadow file then you can try to crack passwd hashes and if you have access passwd file you can add you own privilege user by generating password salt as shown here.

Now a new record inside the passwd file for your user.

From the given below image you can observe that now we have user raj as member of root. Thus, we switch to as raj and access the root shell.

Thus, in this way we can escalated the permission of a host machine, hope you will enjoy this little and powerful post. 😊

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Lxd Privilege Escalation

In this post we are going to describes how an account on the system that is a member of the lxd group is able to escalate the root privilege by exploiting the features of LXD.

A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user. There are multiple methods to exploit this.

One of them is to use the LXD API to mount the host’s root filesystem into a container which is going to use in this post. This gives a low-privilege user root access to the host filesystem. 

Table of Content

  • Introduction to LXD and LXC
  • Container Technology
  • LXD Installation and Configuration
  • LXD Installation and Configuration

Introduction to LXD and LXC

Linux Container (LXC) are often considered as a lightweight virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel.

Linux daemon (LXD) is the lightervisor, or lightweight container hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before. It uses the stable LXC API to do all the container management behind the scene, adding the REST API on top and providing a much simpler, more consistent user experience.

Container Technology

Container technology comes from the container, is a procedure to assemble an application so that it can be run, with its requirements, in isolation from other processes container applications with names like Docker and Apache Mesos ‘ popular choices have been introduced by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google Cloud Platforms.

Requirement

Host machine: ubuntu 18:04

Attacker machine: Kali Linux or any other Machine

Let’s Begin !!

So here you can observe that we have a profile for user “raj” as a local user account on the host machine.

LXD Installation and Configuration

Now install lxd by executing the following command:

Also, you need to install some dependency for lxd:

Now to add a profile for user: raj into the lxd group, type following command:

So now you can observe user “raj” is part of lxd groups.

Now you can configure LXD and start the LXD initialization process with the lxd init command. During initialization it will ask for choosing some option, here majorly we have gone with DEFAULT options. But for the storage backend, we have choose “dir” instead of zfs.

Once you have configured the lxd then you can create a container using lxc. Here we are creating a container for “ubuntu:18.04” and named as “intimate-seasnail”. Further use lxc list command to view the available installed containers.

Connect to the container withthe help of lxc exec command, which takes the name of the container and the commands to execute:

Once your are inside the container, the shell prompt will look like as following below.

Privilege Escalation

Privilege escalation through lxd requires the access of local account, therefore, we choose SSH to connect and take the access local account on host machine.

Note: the most important condition is that the user should be a member of lxd group.

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:

  1. Steps to be performed on the attacker machine:
  • Download build-alpine in your local machine through the git repository.
  • Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
  • Transfer the tar file to the host machine
  1. Steps to be performed on the host machine:
  • Download the alpine image
  • Import image for lxd
  • Initialize the image inside a new container.
  • Mount the container inside the /root directory

So, we downloaded the build alpine using the GitHub repose.

On running the above command, a tar.gz file is created in the working directory that we have transferred to the host machine.

On another hand we will download the alpine-image inside /tmp directory on the host machine.

After the image is built it can be added as an image to LXD as follows:

use the list command to check the list of images

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it.

Source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. It is not a cheatsheet for Enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list on our experience.

NOTE: This is a brief version of this Cheatsheet. For the complete privilege escalation Cheatsheet visit our GitHub page.

Table of Content

  1. Abusing Sudo Rights
  2. SUID Bit
  3. Kernel Exploit
  4. Path Variable
  5. Enumeration
  6. MySQL
  7. Crontab
  8. Wildcard Injection
  9. Capabilities
  10. Writable etc/passwd file
  11. Writable files or script as root
  12. Buffer Overflow
  13. Docker

Abusing Sudo Rights

The word sudo stands for Super User and Do. Basically, the keyword ‘sudo’, when used as a prefix to a command will allow you to run the said command as root without changing your user. When you run any command along with sudo, it will ask for root privileges in order to execute the command and here, Linux will confirm if that particular username is in the sudoers file. If the information matches to the sudoers file then that command will run and if not then you cannot run the command or program using the sudo command. As per sudo rights the root user can execute from ALL terminals, acting as ALL users: ALL group, and run ALL command. So, we can manipulate such rights and use them to our advantage as we have done it many CTF’s.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

1. Ted:1
2. KFIOFan: 1
3. 21 LTR: Scene1
4. Skytower
5. Matrix: 1
6. Sputnik 1
7. Sunset
8. DC-2
9. Kioptrix: Level 1.2
10. Matrix-3

SUID Bit

Set User ID (SUID) is a form of permission that lets the user execute any file with the permissions of a certain user. Those files which have suid permissions run with higher privileges. The maximum number of bits is used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set chmod 755, then it will look like as rwxr-xr-x. But when special permission is given to each user it becomes SUID, SGID, and sticky bits. When extra bit “4” is set to the user (Owner) it becomes SUID (Set user ID), then it will look like as rwsr-xr-x. SUID bits can be manipulated by changing the permission of a file so that we can execute or write it in as we choose to in order to gain access and do the needful.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

1. Kevgir
2. digitalworld.local – BRAVERY
3. Happycorp: 1
4. FourAndSix: 2
5. DC-1
6. dpwwn:2
7. MinU: v2
8. Toppo:1
9. Mr. Robot
10. Covfefe

Kernel Exploit

Kernel exploit is one of the most commonly used exploits nowadays as it is the most advanced attack there is today. It works for both Windows and Linux. In this attack, malicious code evades and takes control of the root/administrator to bypass user control access and as it abuses kernel.

1. pWnOS -1.0
2. LAMPSecurity: CTF 5
3. Kioptrix : Level 1.1
4. Hackademic-RTB1
5. Hackademic-RTB2
6. ch4inrulz : 1.0.1
7. Kioprtix: 5
8. Simple
9. SecOS: 1
10. Droopy

Path Variable

PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user runs any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

1. PwnLab
2. USV
3. Zeus:1
4. The Gemini inc
5. EW-Skuzzy
6. Nullbyte
7. symfonos : 1
8. Silky-CTF: 0x01
9. Beast 2

Enumeration

Enumeration is a phase of attacking where the attacker focuses on traversing through the system and network in order to find useful information such as password hashes, active connections, etc. During this, bash history and config files come handy as they often have the most useful data of which an attacker can take advantage.

1. The Library:1
2. The Library:2
3. LAMPSecurity: CTF 4
4. LAMPSecurity: CTF 7
5. Xerxes: 1
6. pWnOS -2.0
7. DE-ICE:S1.130
8. SickOS 1.1
9. Tommyboy
10. VulnOS: 1

MySQL

MySQL provides a mechanism by which the default set of functions can be expanded by means of a custom written dynamic libraries containing User Defined Functions, or UDFs.

  1. Kioptrix : Level 1.3
  2. Raven
  3. Raven : 2

Crontab

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

Read from here: https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/

  1. Billy Madison
  2. dpwwn: 1
  3. BSides Vancuver: 2018
  4. Jarbas : 1
  5. SP:Jerome

Wildcard Injection

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken therefore one can take the privilege of it to execute an arbitrary command using a wild asterisk (*) argument.

Read from here: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

  1. Milnet
  2. Pipe

Capabilities

Capabilities are referred to if there are any additional privileges given to a file or directory. This can also be manipulated to our own advantage in order to achieve the desired goal. It can override the permissions or the READ access to a filesystem along with the ability to call chroot.

  1. Kuya : 1
  2. DomDom: 1

Writable /etc/passwd file

/etc/passwd file is the one where passwords and usernames are saved with their every detail possible. So, if by chance you find that this file is writable then you can add your own user with or without password and bypass access control of the system.

  1. Hackday Albania
  2. Billu Box 2
  3. Bulldog 2

Writable files or script as root

Sometimes, there are often files which are writable. Such files can be edited with our developed malicious code. This code can either run as root or can run to gain root access. Thus, the writable files are quite important for privilege escalation.

  1. Skydog
  2. Breach 1.0
  3. Bot Challenge: Dexter
  4. Fowsniff : 1
  5. Mercy
  6. Casino Royale
  7. SP eric
  8. PumpkinGarden
  9. dpwwn: 1
  10. Tr0ll: 3

Buffer Overflow

A buffer is a sequential segment of the memory allocated to hold anything like a character string or an array of integers this particular vulnerability exists when a program tries to put more data in a buffer than it can contain or when a program tries to insert data in memory set past a definitive buffer. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

1. Tr0ll 2
2. IMF
3. BSides London 2017
4. PinkyPalace
5. ROP Primer
6. CTF KFIOFAN:2
7. Kioptrix : Level 1
8. Silky-CTF: 0x02

Docker

Docker was introduced to meet all the drawbacks of VMware. Docker has developed the concept of containers, it means whichever application you want to run in a virtual environment, the docker will create a container with the application and it’s every dependency. The only reason it is widely used than VMware is due to its efficiency. In Docker, all of the commands require sudo prefixing them. Docker design modules intrinsically give significant rights to any user who has access to the daemon. The Docker daemon allows access to either the root user or any user in the ‘docker’ group. This means being a member of the ‘docker’ group is same as gaining permanent root access.

  1. Donkey Docker
  2. Game of Thrones
  3. HackinOS : 1