T1611: Escape to Host
Last updated
Last updated
Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.
There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host's file system using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.
Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out the container via a Container Administration Command. Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links to access the root directory of a host machine
Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command-and-control channel on the host.
In previous examples the host was being mounted into the container from the Initial setup but in this case the container has access to Docker to the host and can setup the mount from inside the container.
Now with this technique if a configuration allows the adversary to execute commands from inside the container as seen from the image below, since Docker privileged mode grants a Docker container root capabilities to all devices on the host system.
Then the adversary has access to the host
You can try to create a temporary file system and mount it as seen below
References: https://phoenixnap.com/kb/docker-privileged
