A method for escaping the default docker environment

Chenny Ren
Aug 24, 2021


This is actually an active box from Hack The Box. I’m not going to reveal the box name here since it is not retired yet. The privilege escalation part is interesting enough that I decided to write a walkthrough about the Docker escape.

After gaining a reverse shell, we found that we are root! So I know we are probably inside a Docker container. Run LinEnum.sh

There is a cronjob running that removes kubectl in the container every minute

Let’s download a kubectl executable on our machine and transfer it into the container under /tmp using wget

We change the name of kubectl to xkubectl to avoid being removed by the cronjob

Check the version of kubectl

Check the current rights with kubectl

Check our rights on namespaces (whether we can get all namespaces)

We don’t have any permissions on the namespaces

Let’s check whether we have permissions on pods in the dev namespace

https://kubernetes.io/docs/concepts/workloads/pods/

There are three pods running in the dev namespace

See the description of one pod

As we see, we are in the webapp-deployment container but enumerating devnode-deployment containers in pods running in the dev namespace.

Our goal is to get a foothold in the development environment, so we need to forward the port to the devnode-deployment container
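From the defender's side, this enumeration succeeds because the service account mounted in the web container is bound to a role that can read pods in dev. The following is an added example, not part of the original walkthrough, that audits exported Role and RoleBinding objects for service accounts with pod read access; the sample objects and every name in them (`webapp-sa`, `pod-reader`, and so on) are constructed assumptions, since the box's real RBAC objects are not shown.

```python
import json

# Constructed sample, shaped like `kubectl get roles,rolebindings -A -o json`.
# All names are hypothetical; the walkthrough does not show the real RBAC objects.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
  {"kind": "RoleBinding", "metadata": {"name": "webapp-pods", "namespace": "dev"},
   "roleRef": {"kind": "Role", "name": "pod-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "webapp-sa", "namespace": "default"}]},
  {"kind": "RoleBinding", "metadata": {"name": "ci-cm", "namespace": "dev"},
   "roleRef": {"kind": "Role", "name": "cm-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci-sa", "namespace": "dev"}]}
]}
""")

READ_VERBS = {"get", "list", "watch", "*"}

def pod_read_verbs(role):
    """Verbs in a Role that allow reading pods in the core API group."""
    found = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if ("" in groups or "*" in groups) and ("pods" in resources or "*" in resources):
            found |= READ_VERBS & set(rule.get("verbs", []))
    return found

def audit(objs):
    """Return (service account, namespace it can read pods in, verbs) per risky binding."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objs["items"] if o["kind"] == "Role"}
    findings = []
    for b in (o for o in objs["items"] if o["kind"] == "RoleBinding"):
        ns = b["metadata"]["namespace"]
        role = roles.get((ns, b["roleRef"]["name"]))
        if b["roleRef"]["kind"] != "Role" or role is None:
            continue  # ClusterRole references are not resolved here
        verbs = pod_read_verbs(role)
        for s in b.get("subjects", []):
            if verbs and s.get("kind") == "ServiceAccount":
                sa = f'{s.get("namespace", ns)}/{s["name"]}'
                findings.append((sa, ns, sorted(verbs)))
    return findings

if __name__ == "__main__":
    for sa, ns, verbs in audit(SAMPLE):
        print(f"{sa} can {','.join(verbs)} pods in namespace {ns}")
```

A web-facing workload that appears in the findings is a candidate for a narrower role, or for `automountServiceAccountToken: false` if it never needs to call the API server.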

We can use chisel for the port forwarding

(I used chisel in my last Hack The Box walkthrough, Bankrobber)

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

First we run chisel on our local machine to open a server

Forward the port to the dev-deployment environment 172.17.0.4:3000

Now we are connected and we have the permissions for canDelete and canUpload

Write a script for giving permissions to the devnode-deployment environment

chmod +x and execute the script

While running the script, we intercept with Burp and forward the request; we got ok as the response

Now let’s work on the reverse shell

Forward the request

And we got the reverse shell in the devnode-deployment environment!

This reveals the part of escaping the Docker environment, but it still takes very little effort to gain the root.txt hash in the actual box and I’m not going to reveal it here.


Chenny Ren

OSCP | OSWP | OSEP | CRTP |CRTE | CRTO | Red Team Professional | SOC engineer