A method for escaping the default docker environment
This is actually an active box from HackTheBox. I'm not going to reveal the box name here since it is not retired yet. The privilege escalation part is interesting enough that I decided to write a walkthrough of the Docker escape.
After gaining a reverse shell, we find that we are root! That suggests we are inside a Docker container. Run LinEnum.sh.
There is a cronjob that removes kubectl from the container every minute.
Let's download a kubectl binary on our machine and transfer it into the container's /tmp using wget.
We rename kubectl to xkubectl so that the cronjob does not remove it.
Check the kubectl version.
Check what the current service account is allowed to do with kubectl.
Check our rights on namespaces by trying to list all of them.
We don't have any permissions on the namespaces.
Let's check whether we have permissions on pods in the dev namespace.
There are three pods running in the dev namespace
Describe one of the pods.
As we can see, we are in the webapp-deployment container, yet we can enumerate the devnode-deployment containers in pods running in the dev namespace.
Our goal is a foothold in the development environment, so we need to forward a port to the devnode-deployment container.
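What made this step possible is that a service-account token mounted into the webapp container was bound to a role allowing pod reads in another namespace. From the defender's side, both the RBAC self-enumeration (kubectl auth can-i creates a SelfSubjectRulesReview or SelfSubjectAccessReview through the API server) and the cross-namespace pod listing show up in the Kubernetes API audit log. The following detector is an added example and is not part of the original walkthrough or the box; the audit events are constructed to mimic the field layout the API server writes, and the service-account names, namespaces and IPs in them are hypothetical.

```python
import json

# Constructed Kubernetes audit events (one JSON object per line, reduced to the
# fields this detector reads). These are NOT from the box: they imitate what the
# API server logs when a workload's service account first enumerates its own
# RBAC rights and then lists pods in a namespace other than its own.
SAMPLE_AUDIT_LOG = """\
{"verb":"create","user":{"username":"system:serviceaccount:default:webapp-sa"},"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io"},"responseStatus":{"code":201},"sourceIPs":["172.17.0.2"]}
{"verb":"list","user":{"username":"system:serviceaccount:default:webapp-sa"},"objectRef":{"resource":"namespaces"},"responseStatus":{"code":403},"sourceIPs":["172.17.0.2"]}
{"verb":"list","user":{"username":"system:serviceaccount:default:webapp-sa"},"objectRef":{"resource":"pods","namespace":"dev"},"responseStatus":{"code":200},"sourceIPs":["172.17.0.2"]}
{"verb":"get","user":{"username":"system:serviceaccount:dev:devnode-sa"},"objectRef":{"resource":"pods","namespace":"dev","name":"devnode-deployment-abc"},"responseStatus":{"code":200},"sourceIPs":["172.17.0.4"]}
{"verb":"get","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"pods","namespace":"dev"},"responseStatus":{"code":200},"sourceIPs":["10.0.0.5"]}
"""

# Resources that 'kubectl auth can-i' exercises; workloads almost never create them.
SELF_REVIEW_RESOURCES = {"selfsubjectrulesreviews", "selfsubjectaccessreviews"}
SA_PREFIX = "system:serviceaccount:"


def service_account_namespace(username):
    """Return the namespace of a service-account identity, or None for any other user."""
    if not username.startswith(SA_PREFIX):
        return None
    parts = username[len(SA_PREFIX):].split(":", 1)
    return parts[0] if len(parts) == 2 else None


def analyse_event(event):
    """Return a list of finding strings for one audit event (empty when nothing is flagged)."""
    findings = []
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef", {})
    resource = ref.get("resource", "")
    verb = event.get("verb", "")
    code = event.get("responseStatus", {}).get("code")
    sa_ns = service_account_namespace(user)
    if sa_ns is None:
        return findings  # human or node identity; this rule only covers workload identities
    # Rule 1: a workload asking the API server what it is allowed to do.
    if resource in SELF_REVIEW_RESOURCES:
        findings.append(f"rbac-enumeration: {user} created {resource}")
    # Rule 2: a workload enumerating namespaces (even a 403 is worth seeing).
    if resource == "namespaces" and verb in ("list", "get"):
        findings.append(f"namespace-enumeration: {user} {verb} namespaces (status {code})")
    # Rule 3: a workload reading pods outside the namespace its service account lives in.
    target_ns = ref.get("namespace")
    if resource == "pods" and verb in ("get", "list", "watch") and target_ns and target_ns != sa_ns:
        findings.append(f"cross-namespace-read: {user} {verb} pods in {target_ns} (status {code})")
    return findings


def scan_audit_log(text):
    """Run the rules over a JSON-lines audit log and return all findings in order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        findings.extend(analyse_event(event))
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

On the constructed sample the scan yields three findings, all from the webapp service account, while the devnode service account reading pods in its own namespace and the human admin are left alone. The corresponding hardening is to set automountServiceAccountToken to false on workloads that never talk to the API, and to avoid RoleBindings that grant one namespace's service account pod access in another.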
We can use chisel for the port forwarding
(I used chisel in my last HackTheBox walkthrough, Bankrobber.)
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
First we run chisel on our local machine as a server.
Then we forward the port to the dev-deployment environment at 172.17.0.4:3000.
Now we are connected, and we have the canDelete and canUpload permissions.
Write a script that grants permissions in the devnode-deployment environment.
chmod +x the script and execute it.
While the script runs, we intercept the request with Burp and forward it; we get "ok" as the response.
Now let's work on the reverse shell.
Forward the request.
And we got the reverse shell in the devnode-deployment environment !
This covers the Docker escape part; it takes very little further effort to obtain the root.txt hash in the actual box, and I'm not going to reveal it here.