Hello everybody, my name is John Hammond and this is a quick video showcasing a Docker privilege escalation technique, if you're on a machine that has Docker installed and you, as that low-privilege user, can actually run Docker commands.

So before we get started with anything I want to introduce you guys to today's video sponsor, StreamCoder. If you haven't heard of StreamCoder before, it is one super cool node-based Python IDE, or a Python integrated development environment. The fact that it's node-based means that it's super easy to visualize your algorithm or your code, or really what your program and your software is doing. StreamCoder is put together by the guys at Plurry and you can visit them online at their website pluricorp.com, and they even have an online free version just to demo what StreamCoder is, how it works and why you guys might want to use it. You can go check that out at pluricorp.com/streamcoder. If you interact with the online free demo version of StreamCoder you'll be greeted with this really nice and friendly interface that just allows you to interact with nodes that help define what your program is and what it does. You can even title it whatever you particularly like, but each of these node graphs is what they like to call a coy. If you double-click on any of these nodes it'll bring you to an interface where you can add more information or, in this case, even read about what that node actually is and does and how you can use it inside of your node editor. This is an awesome way to actually learn about what this tool can do and what it's all designed for. The whole thing is about being able to create code that you can reuse, send to others, and it's just standalone and encapsulated, even as a beautiful image and picture that can be shared and worked with, while behind the scenes you could still add your own code or anything else you might particularly need to.
Each of these sections has its own video documentation walkthrough, which is super duper cool, and if you'd like you can always explore, drag things into the node editor or the coy and kind of see how you can piece these all together, do interesting things with them, and even build out and suddenly create your own program in Python. So if you guys have any interest in StreamCoder please go check it out online at pluricorp.com, and I have some discount codes for you. So the first 10 people to use the code John Hammond 75 will get 75% off, and if you don't make the first 10 people you can use the discount code John Hammond and you'll get 20% off of StreamCoder. So you can go make some Python programs in a beautiful node-based IDE and editor. So thank you guys, go check them out: StreamCoder, pluricorp.com, John Hammond 75 if you can make it, and John Hammond.

Okay, now let's get to the video. So I'm going to be testing this and showcasing it on my host. I'm running as my usual john user. So this user does have sudo permissions right now; I'm just going to be showcasing that with a little bit of dichotomy, because I want to show you with this other user mark that I just kind of created for testing purposes. So what I'm going to do is I'm just going to show you that currently the mark user does not have permissions to actually run any root commands. But we're going to end up getting this account, without knowing its password, root privileges to be able to actually compromise and take control of this potential target and machine. So this mark user does not have any permissions in the sudoers file, but nor does he also have permissions in the docker group. So let me go ahead and actually set that up. To typically get Docker installed you could use docker.io. When you have a user that you want to be able to actually interact with Docker, you would add that user into that group with usermod -aG and then the name of the user and the group that they're going to go in.
So in this case, it is mark. And I have that syntax the other way around, excuse me: it should be docker as the group that comes first and mark is the user that we're adding. There we go. So now mark should be able to go ahead and use that. I think it's getent groups... getent group. There we go. So now the docker group has both myself and mark, as we've just added him into it. So let me go ahead and su into mark. What is his password? su mark. OK, great. Say we don't know his password. You don't know his password. It doesn't matter. We're not going to need it for what we're going to end up doing. Let me just move into his home directory. There we go. And let's go ahead and make a directory called privesc. Now this user should be able to go ahead and run Docker commands. Fingers crossed. OK, good.

In that privesc directory, I'm going to use this as the kind of folder directory that I'll go ahead and put our Dockerfile in. Dockerfile. And now this Dockerfile is going to give us the baseline to build our Docker image where this user will be able to, because he can run Docker, mount the whole rest of the file system automatically and gain his own permissions as root. So I'll show you how to do this. What we'll end up doing is pulling down an image that is already a well-known Linux distribution. I'm just going to use Debian Wheezy because that's pretty lightweight. You could use, I guess, whatever you particularly want here. And then we're going to go ahead and set an environment variable where we will go ahead and specify where we want to work out of. This will be just kind of a directory that will act as the mount point for the whole rest of the real file system that we're going to end up taking advantage of. So you can call this whatever you want, privesc or stuff or testing, literally anything; you get to make the call. privesc is just kind of what I'll go ahead and work with.
And then we will make that directory so we know that it is something that our instance or our Docker image can actually work with. We just run that command to make the directory, and -p to create parent directories if for whatever reason we need to; in this case we really shouldn't. But because this Dockerfile runs as root within the container, it should be able to go ahead and make that directory even though it's in, like, the root of the file system. So that's that /privesc. So at that point, we'll consider that a volume, or a location that this container could really use and work through. So let me use VOLUME and WORKDIR, or that environment variable that we just created, as a place that we could actually go ahead and work with. Now we'll go ahead and actually set that as our working directory with another Dockerfile command here to really go ahead and use that. That'll just be WORKDIR as the name of our directory. Some of this stuff, admittedly, just kind of as you're used to with stuff you might pull off of Exploit-DB or something with searchsploit, a lot of this you can just kind of hit the "I believe" button and know that this is what works, if you don't want to get all behind the scenes and the bells and whistles under the hood. This is the syntax to simply spit out a Dockerfile or Docker image that will allow you to, inside a container, mount the whole rest of the file system. So let me show you how that's done.

We can go ahead and now docker build this image. So docker build -t, we can call it privesc. That's just going to end up being the tab... or the tag, excuse me, the tag name for this container, for this image that we'll access within Docker. And of course, it is in the current directory where a Dockerfile is. So just add a period in there to go ahead and build this. It'll pull down that Debian Wheezy if we need it, go ahead and create everything.
And now we should be able to, once that is fully built, go ahead and run this container or start up that instance. So I'll show you that syntax. Now we want to go ahead and docker run, but we'll specify a volume with -v. So we'll mount the root of our file system and put it in that file system working directory that we defined as an environment variable, as a location that we want to use. Then, of course, we need the tag or the actual image name that we're working with. We called that privesc just because when we ran that previously with that image tag or -t name... wow, I got a lot of nonsense in that. So privesc, -t privesc. Maybe that's a little confusing that I use the working directory name the same as the image name, but I hope you can bear with me. Those are two different strings and you could choose them to be what you want. privesc and privesc just for my kind of demonstration purposes; really, whatever. And now you actually supply a command you would want to run. So in this case, we could use /bin/bash as that would give us a shell. And we need to actually specify that that is interactive, excuse me, with -it. So -i for interactive, -t for actually working within a terminal. There we go. OK, excuse me. Now I am root within our current Docker instance. And if I were to ls, because I'm in that /privesc directory, I have root privileges inside of the entire file system that I originally had on the target machine. So I could go ahead and actually work with that /etc/sudoers file, or when I ran by sudo earlier, I'm getting all the contents of what is actually the sudo command on my machine, on my real, real actual target, and my laptop in this case. So what we could do, because we could edit this... we can't, probably can't run nano or vi or anything because we don't actually have those within the Docker container or the Docker image. We just hadn't installed that or any of those things, but we can of course just echo and append to it.
So let me actually figure out the syntax for sudoers, no password, all commands. So that's it. Any kind of link here just to get that syntax right: looks like the username, ALL equals ALL, and NOPASSWD ALL will allow, in one line, that specific user the ability to run any command without a password. So without ever knowing this user's password, we could essentially set up mark as someone who could run sudo and then compromise that machine or run commands as root. So let's take that syntax and actually go ahead and pull it in inside of our Docker instance, or kind of relative to our already mounted file system here, where we would go ahead and echo mark with those permissions appended on to, excuse me, our /privesc, because we know that is the mount point for our real machine's file system, /etc/sudoers, because we have write access to that. Now we could go ahead and actually cat that out, /privesc/etc/sudoers, and mark has the ability to run any command as root without supplying a password. So I could hit Ctrl-D to break out of that shell and now I could go ahead and simply run sudo bash without a password, because I've added mark into the /etc/sudoers file, which it would normally return for us, because I was able to access that file using that Docker privilege escalation technique where I can mount the whole file system as a volume within Docker. So that's that. Now I am in fact root without ever knowing mark's password, without ever knowing that low-privilege user, and being able to compromise this machine. Now I could do whatever I wanted to on this box.

So that's that, just a quick video, just a quick tip. I hope it was kind of cool. I hope you guys enjoyed it. If you did like this video, please do hit that like button. Please do hit that subscribe button. Hit that bell. I hate doing these: smash that bell. That's such a stupid thing to say. All right. Thank you guys for watching. I'll see you on the Discord server. I love you. Take care.
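As an added defender-side example (not code from the video), the following Python script audits a host for the three conditions the walkthrough depends on: non-admin accounts in the docker group, running containers that bind-mount the host root (or another sensitive host path) into the container, and NOPASSWD entries that have shown up in sudoers. The sample /etc/group, docker inspect and sudoers contents embedded in it are constructed for offline use and mirror the demo (mark in docker but not sudo, a container mounting / at /privesc); the admin-group list, the sensitive-path list and all function names are my own assumptions, not from the video or from Docker.

```python
"""Audit checks for the docker-group-to-root path shown in the video.

Added example, not the video's own code. Every input is plain text so the
checks run offline on constructed samples; on a real host feed them
/etc/group, the JSON from `docker inspect $(docker ps -q)`, and /etc/sudoers.
"""
import json
import os
import re

# Constructed sample /etc/group (not from a real host): "mark" was added to
# the docker group, as in the demo, but holds no admin group.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:john
docker:x:999:john,mark
mark:x:1001:
"""

# Constructed `docker inspect` output: one container bind-mounting host /
# at /privesc (the demo's setup) and one harmless named volume.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/privesc_demo", "Config": {"Image": "privesc"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/privesc", "RW": True}]},
    {"Name": "/web", "Config": {"Image": "nginx"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/usr/share/nginx/html", "RW": True}]},
])

# Constructed sudoers content after the line the demo appends.
SAMPLE_SUDOERS = """# comment line
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mark ALL=(ALL) NOPASSWD: ALL
"""

# Assumed names of groups that already imply admin rights on the host.
ADMIN_GROUPS = ("sudo", "wheel", "admin")
# Assumed host paths that, bind-mounted read-write, hand the container host root.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def group_members(group_text, group_name):
    """Supplementary members listed for group_name in /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            return [m for m in fields[3].split(",") if m]
    return []


def docker_group_users_without_sudo(group_text):
    """Accounts that can talk to the Docker daemon but hold no admin group.

    Docker-group membership is root-equivalent, so these are unaudited root."""
    admins = set()
    for g in ADMIN_GROUPS:
        admins.update(group_members(group_text, g))
    return [u for u in group_members(group_text, "docker") if u not in admins]


def _is_sensitive(source):
    path = os.path.normpath(source)
    return path == "/" or any(
        path == s or path.startswith(s + "/") for s in SENSITIVE_HOST_PATHS if s != "/"
    )


def containers_mounting_host_root(inspect_json):
    """(container name, host source, container destination) for each read-write
    bind mount of a sensitive host path found in `docker inspect` output."""
    findings = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if (m.get("Type") == "bind" and m.get("RW", True)
                    and _is_sensitive(m.get("Source", ""))):
                findings.append((c.get("Name", "?"), m["Source"], m.get("Destination", "?")))
    return findings


# A direct user entry (not a %group, not a comment) carrying NOPASSWD.
_NOPASSWD = re.compile(r"^\s*([^#\s%]\S*)\s+\S+=.*NOPASSWD:", re.IGNORECASE)


def nopasswd_sudoers_entries(sudoers_text):
    """User names granted passwordless sudo by a direct sudoers entry."""
    return [m.group(1) for m in map(_NOPASSWD.match, sudoers_text.splitlines()) if m]


def audit(group_text, inspect_json, sudoers_text):
    """Run all three checks and return the findings as one dict."""
    return {
        "docker_group_non_admins": docker_group_users_without_sudo(group_text),
        "containers_with_host_root": containers_mounting_host_root(inspect_json),
        "nopasswd_sudoers_users": nopasswd_sudoers_entries(sudoers_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_GROUP, SAMPLE_INSPECT, SAMPLE_SUDOERS).items():
        print(f"{key}: {value}")
```

Run against the real files on a host and every non-empty list is a finding worth a ticket: an account in docker that you would not also put in sudo, a container whose bind mount reaches /etc, or a sudoers line nobody remembers adding. The structural fix is the one the video's setup implies: treat docker-group membership as sudo-equivalent and grant it accordingly, or run the daemon in rootless mode so the socket no longer hands out host root.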