Linx privx privileges-sudo misconfiguration group and docker daemon privileges
@Ali Bawazeeer
• System admin || junior penetration tester
• Security enthusiast
• Sometimes bug hunter ..
What will I talk about!
What is privilege escalation & why!
• You own a machine (as nobody, or some other non-root user) but you want to be root
https://en.wikipedia.org/wiki/Privilege_escalation
Only root can:
• Achieve persistence
• Read || write any file … /etc/shadow
• It might be your key for lateral movement
Methods
• Binary (kernel exploits): the last resort to think about
• Credentials are always reusable – enumerate … and enumerate more
• Valid user == sudoers (sudo -l): if lucky, you are root!
• Else: sudo escape! { misconfiguration }
• Cron job – you may need to wait!
• Setuid binary < maybe, if you play CTF >
• Daemon and container group issues … LXD == docker!
Recon when you think!
Depends on how you have reached here!
- System information [ uname -a, env, cat /proc/version, /etc/issue ]
- What is running
[ ifconfig -a, netstat -antup, lsof -i, ps, daemons … packages (applications) – ps aux | grep root ]
CVE -> LMGTFY
Terminal – tty [ multiple jobs to do ]
• Errors are not displayed
• You can't switch between users … if you got any
http://www.dest-unreach.org/socat/doc/socat.html
It's just boring to reconnect every time, no up-arrow key :D
Found credentials …
Check sudo misconfiguration:
The community classifies this into two methods!
• Shell escape:
(root) NOPASSWD: /usr/bin/find … /usr/bin/git /usr/bin/vi … /usr/bin/curl /usr/bin/ssh
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
https://gtfobins.github.io/
• Intended behavior:
/usr/bin/python
/usr/bin/php
/usr/bin/ruby … any of them
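An added audit example, not from the deck, that applies the two categories above to `sudo -l` output: it flags rules granting a shell-escape binary or an interpreter, and tags the NOPASSWD ones separately because they need no credential at all. The `sudo -l` text, the user bob and the RISKY_BINS list are constructed for the sample.

```shell
#!/bin/sh
# Added audit example (not from the deck): read `sudo -l` output and flag
# rules that grant a shell-escape binary (find, git, vi, curl, ssh ...) or an
# interpreter (python, php, ruby ...), whose intended behaviour already is
# to run arbitrary code. NOPASSWD rules are tagged separately since they
# need no credential at all.

RISKY_BINS="find git vi vim curl ssh python python3 php ruby perl"

# Constructed `sudo -l` output for a user "bob" (a sample, not a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Matching Defaults entries for bob on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
User bob may run the following commands on host:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/git
    (root) NOPASSWD: /usr/bin/python3 /opt/app/run.py
    (root) PASSWD: /usr/bin/systemctl restart nginx
    (root) NOPASSWD: /usr/bin/systemctl status nginx
EOF

# flag_sudo_rules FILE: print "TAG<TAB>rule" for every rule worth a second
# look; TAG is ALL (unrestricted), NOPASSWD or PASSWD.
flag_sudo_rules() {
    while IFS= read -r line; do
        rule=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        # Rule lines start with the "(runas)" spec; everything else is preamble.
        case "$rule" in \(*) ;; *) continue ;; esac
        # A command spec of ALL means any command: that user is already root.
        case "${rule##*)}" in *" ALL"*)
            printf 'ALL\t%s\n' "$rule"; continue ;;
        esac
        case "$rule" in *NOPASSWD*) tag=NOPASSWD ;; *) tag=PASSWD ;; esac
        # The command list follows the last ':' of the "(runas) TAG:" prefix.
        cmds=${rule##*:}
        hit=0
        oldifs=$IFS; IFS=','
        for cmd in $cmds; do
            IFS=$oldifs
            # Keep the program path only; drop any arguments after it.
            prog=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
            base=${prog##*/}
            for risky in $RISKY_BINS; do
                [ "$base" = "$risky" ] && hit=1
            done
        done
        IFS=$oldifs
        [ "$hit" -eq 1 ] && printf '%s\t%s\n' "$tag" "$rule"
    done < "$1"
    return 0
}

# count_risky_rules FILE: number of flagged rules (2 for the sample above).
count_risky_rules() {
    flag_sudo_rules "$1" | wc -l | tr -d ' '
}

flag_sudo_rules "$SAMPLE"
```

Point it at a saved `sudo -l` capture per user; the systemctl rules in the sample stay unflagged because a fixed, non-interpreter command is what a restricted sudo rule should look like.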
CRON JOB
• Automated task scheduler ..
• Unsatisfied path - /*/*/whateveryourun.php, .sh, .bin
• Writable file
* Matches any set of zero or more characters.
? Matches any single character.
• cat /etc/crontab
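An added example, not from the deck, that turns the two cron checks above into a script: it reads a crontab in /etc/crontab layout and reports jobs whose command contains a glob (the "unsatisfied path") and jobs whose script is writable by group or others. The directory layout, scripts and crontab are constructed in a temp dir.

```shell
#!/bin/sh
# Added audit example (not from the deck): read a system crontab and flag
# jobs that (a) run a path containing a glob, the deck's "unsatisfied path"
# (which file runs is decided by what matches at run time), or (b) run a
# script that group or others can write, so a non-root user can change what
# root executes on the next tick. Built on a constructed layout in a temp
# dir; point audit_crontab at /etc/crontab to check a real host.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/opt/backup" "$LAB/var/www/jobs"
printf '#!/bin/sh\necho backup\n'  > "$LAB/opt/backup/run.sh"
printf '#!/bin/sh\necho cleanup\n' > "$LAB/var/www/jobs/cleanup.sh"
chmod 0755 "$LAB/opt/backup/run.sh"
chmod 0777 "$LAB/var/www/jobs/cleanup.sh"   # the weak one: world-writable
cat > "$LAB/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
0   3 * * * root $LAB/opt/backup/run.sh
*/5 * * * * root $LAB/var/www/jobs/cleanup.sh
30  2 * * * root /bin/sh $LAB/*/*/rotate.sh
EOF

# writable_by_others PATH: true if the group or other 'w' bit is set.
# Uses ls -L so a symlink such as /bin/sh -> dash is judged by its target.
writable_by_others() {
    perms=$(ls -ldL "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_crontab FILE: print "REASON<TAB>user<TAB>detail" per finding.
audit_crontab() {
    set -f    # no globbing while we split job lines that contain * and ?
    while IFS= read -r line; do
        # Skip blanks, comments and environment assignments (SHELL=, PATH=).
        case "$line" in ""|"#"*|[A-Za-z_]*=*) continue ;; esac
        set -- $line
        [ $# -ge 7 ] || continue
        # /etc/crontab layout: five schedule fields, user, then the command.
        user=$6; shift 6; cmd=$*
        case "$cmd" in *\**|*\?*)
            printf 'WILDCARD\t%s\t%s\n' "$user" "$cmd" ;;
        esac
        # Every absolute path in the command that exists gets a mode check.
        for word in $cmd; do
            case "$word" in /*) ;; *) continue ;; esac
            [ -f "$word" ] || continue
            if writable_by_others "$word"; then
                printf 'WRITABLE\t%s\t%s\n' "$user" "$word"
            fi
        done
    done < "$1"
    set +f
}

# count_cron_findings FILE: number of findings (2 for the sample crontab).
count_cron_findings() {
    audit_crontab "$1" | wc -l | tr -d ' '
}

audit_crontab "$LAB/crontab"
```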
SUID EXECUTABLES
• A Linux special permission that allows a normal user to run an executable in the context of its owner
• The permission is valuable; one careless tweak will kill you!
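An added example, not from the deck, that makes the setuid check repeatable: snapshot the setuid files once as a baseline, then report anything that later carries the bit without being in that baseline. The tree, the "known good" files and the new helper are constructed in a temp dir and owned by the current user.

```shell
#!/bin/sh
# Added example (not from the deck): the setuid bit is only a finding when
# it sits on a file that was not expected to carry it. Snapshot the setuid
# files once (the deck's `find / -perm -u=s -type f`, in POSIX octal form)
# and later report anything that was not in the baseline.
# Runs on a constructed tree in a temp dir; use / and a stored baseline on
# a real host.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/usr/bin" "$LAB/opt/tool"

# suid_snapshot ROOT: sorted absolute paths of setuid regular files.
suid_snapshot() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# suid_new ROOT BASELINE: setuid files present now but absent from BASELINE
# (comm needs both inputs sorted, which suid_snapshot guarantees).
suid_new() {
    suid_snapshot "$1" | comm -13 "$2" -
}

# Constructed "known good" setuid files, as a fresh install would have
# (owned by the current user here; on a real host they are root-owned).
for f in usr/bin/passwd usr/bin/sudo; do
    printf '#!/bin/sh\n' > "$LAB/$f"
    chmod 4755 "$LAB/$f"
done
suid_snapshot "$LAB" > "$LAB/suid.baseline"

# Later: a helper turns up with the bit set and was not in the baseline.
printf '#!/bin/sh\n' > "$LAB/opt/tool/helper"
chmod 4755 "$LAB/opt/tool/helper"

suid_new "$LAB" "$LAB/suid.baseline"
```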
Container security == Linux security
• Docker containers are as secure as running them in separate VMs/KVM.
• People are downloading random Docker images and then launching them on their host
< Always Review >
Misunderstanding
It's isolated, so what security should I look at!
• Looking to protect the host from the processes within the container
• All the software you run in your containers (web applications, databases, etc.) does not require root privilege
Am I in a container (containerized)?
Breaking out of a container
• Kernel vulnerabilities: < google it – trial and error (not in production) >
• docker.sock access
As outlined in the docs, access to the docker socket is akin to root access to the system.
/var/run/docker.sock
https://hub.docker.com/r/chrisfosterelli/rootplease/
• User namespaces, if you need to run root within a container
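An added example, not from the deck, for the two points above: who can reach docker.sock is decided by docker group membership, so the script lists those users as root-equivalent, and it checks whether daemon.json enables user namespace remapping. The /etc/group copy and both daemon.json files (the weak one as shipped, the corrected one with "userns-remap") are constructed; the user names are samples.

```shell
#!/bin/sh
# Added example (not from the deck): treat membership of the docker group as
# root-equivalent, as the Docker docs do for anyone who can reach
# /var/run/docker.sock, and check whether the daemon remaps container root
# through user namespaces. Runs against constructed copies of /etc/group and
# daemon.json so it works offline; point it at the real files on a host.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# Constructed /etc/group: the post-install steps make the socket root:docker
# with mode 660, so this fourth field is the list of socket-capable users.
cat > "$LAB/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,www-data,jenkins
users:x:100:
EOF

# Constructed daemon.json as often shipped: no remap, so uid 0 inside a
# container is uid 0 on the host if the process ever escapes.
cat > "$LAB/daemon.weak.json" <<'EOF'
{
  "log-driver": "json-file"
}
EOF

# Corrected daemon.json: "userns-remap": "default" makes dockerd create the
# dockremap user and map container root to an unprivileged host uid range.
cat > "$LAB/daemon.fixed.json" <<'EOF'
{
  "log-driver": "json-file",
  "userns-remap": "default"
}
EOF

# docker_group_members GROUP_FILE: one member of the docker group per line.
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# userns_remap_enabled DAEMON_JSON: true if "userns-remap" has a non-empty
# value. A grep is enough for this one key; use a JSON parser for more.
userns_remap_enabled() {
    [ -f "$1" ] || return 1
    grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# audit_docker_host GROUP_FILE DAEMON_JSON: one finding per line. Service
# accounts (www-data, jenkins) in the docker group are the usual surprise:
# a compromise of that service becomes root on the host.
audit_docker_host() {
    for u in $(docker_group_members "$1"); do
        printf 'ROOT-EQUIVALENT\tdocker group member: %s\n' "$u"
    done
    if userns_remap_enabled "$2"; then
        printf 'OK\tuserns-remap set in %s\n' "$2"
    else
        printf 'NO-USERNS\tcontainer root is host root (%s)\n' "$2"
    fi
}

echo "== as shipped =="
audit_docker_host "$LAB/group" "$LAB/daemon.weak.json"
echo "== after fix =="
audit_docker_host "$LAB/group" "$LAB/daemon.fixed.json"
```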
Things change fast in the tech world…!!!!!
• If you notice something aged ... keep me posted!
• Some of this stuff will get out of date 😞 some already ... the methodology is the same!
Resources .. Further reading
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
• https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/
• https://www.cisecurity.org/benchmark/docker/
• https://docs.docker.com/install/linux/linux-postinstall/
• https://www.chef.io/inspec/
• https://github.com/rebootuser/LinEnum
• https://gtfobins.github.io/
• https://imgflip.com

Editor's Notes

• #5: https://github.com/lxc/lxd/issues/2003
• #6: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• #8: Let another parent process execute bash, sh or dash: Python, Perl or any language can do it with something like os.system ... or bg / fg the stderr
• #10: cat /etc/crontab
• #11: ls -la /usr/bin/taskkit ; find / -perm -u=s -type f 2>/dev/null