Groups Privilege Escalation - Linux PE.

In this tutorial we will explore how to carry out different group-based privilege escalations in Linux.

Docker Group Privilege Escalation.

Detection.

We only need to be part of the Docker group.

Exploitation.

If we are part of the Docker group, we can run the following command to become root.

docker run -it --rm -v /:/mnt <IMAGE_NAME> chroot /mnt bash
  • docker run: This runs a new container from an image.
  • -it: These flags run the container interactively (-i) and allocate a terminal (-t).
  • --rm: Automatically removes the container when it exits.
  • -v /:/mnt: This mounts the root directory (/) of your host machine to the /mnt directory inside the container.
  • chroot /mnt bash: This changes the root filesystem of the container to /mnt (which is the root of your host machine, since it’s mounted) and then executes the bash shell.

This command runs a chroot inside the Docker container, with the root filesystem being that of your host. It works because, by default, the Docker daemon runs as root and the process inside the container is root as well, so the resulting shell has root access to every file on the host.
<IMAGE_NAME> should be replaced with the actual image name you want to use (for example, ubuntu or debian). Pentesters often use alpine, an extremely lightweight distribution whose base Docker image is only around 5 MB in size.
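
Since Docker group membership is equivalent to root on the host, a defender should know exactly which accounts hold it. The script below is an added example, not part of the original post: it lists supplementary members and also users whose primary GID is the group's GID, which the member list in the group file does not show. The function names, sample users and GIDs are constructed for illustration, and it assumes local group and passwd files (no LDAP/SSSD).

```shell
#!/bin/sh
# Added example: list every account with docker group access.
# Assumes local /etc/group and /etc/passwd format; LDAP/SSSD are not covered.

# docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one username per line, sorted and de-duplicated.
docker_group_members() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-docker}

    # Group line format: name:password:gid:member1,member2
    # Exact match on field 1, so "dockerroot" is not confused with "docker".
    entry=$(awk -F: -v g="$group_name" '$1 == g { print; exit }' "$group_file")
    [ -n "$entry" ] || return 0   # group absent: nothing to report

    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    members=$(printf '%s\n' "$entry" | cut -d: -f4)

    {
        # Supplementary members (field 4 of the group line).
        printf '%s\n' "$members" | tr ',' '\n'
        # Primary members: passwd field 4 equals the group's GID.
        # These never appear in the group file's member list.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | awk 'NF' | sort -u        # drop blank lines, de-duplicate
}

# Constructed sample data, not taken from a real host.
make_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
docker:x:998:alice,bob
dockerroot:x:997:dave
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci:x:1002:998::/home/ci:/bin/sh
dave:x:1003:1003::/home/dave:/bin/bash
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
docker_group_members "$tmp/group" "$tmp/passwd"   # alice, bob, ci
rm -rf "$tmp"
```

On a real host, call docker_group_members /etc/group /etc/passwd and treat every name it prints as an account with root-level access.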

This post is licensed under CC BY 4.0 by the author.