Containers for micro-services.
Basic Concepts
- Docker Image: standalone executable package that includes everything needed to run a piece of software – code, runtime, system tools, libraries, settings.
- Docker Container: running instance of an image. You can create, start, stop, and delete containers.
- Dockerfile: simple text file that contains a script of instructions for building a Docker image. The Docker engine reads this file and executes the commands in order to assemble a runnable image.
Installation

Run as root
Add Docker GPG key
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker.gpg > /dev/null
Configure Docker APT repository
echo 'deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list
Apply updates
apt-get update
Remove any obsolete version
apt-get remove docker docker-engine docker.io
Install Docker
apt-get install docker-ce
Behind a proxy
# https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
# https://docs.docker.com/network/proxy/
# Add Docker pgp key
# Download Docker pgp key from https://download.docker.com/linux/debian/
cat /root/Downloads/pgp | sudo apt-key add -
# Configure Docker apt repository
echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list
# Apply updates
apt-get update
# We want a clean installation, so first make sure no obsolete versions are left, then install
apt-get remove docker docker-engine docker.io
apt install docker-ce
# Create a systemd drop-in directory for the docker service
mkdir -p /etc/systemd/system/docker.service.d
# Create proxy configuration (the two lines after the nano command are the file contents)
nano /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://<username>:<password>@<proxy-server-url>:<port>"
# Flush changes
systemctl daemon-reload
# Restart Docker
systemctl restart docker
# Verify that the configuration has been loaded
systemctl show --property=Environment docker
# Configure the Docker client to pass the proxy configuration to docker containers
# When you create or start new containers, the environment variables are set automatically within the container. (NOT WORKING YET!!!)
mkdir /root/.docker
nano /root/.docker/config.json
{
  "proxies": {
    "default": {
      "httpProxy": "http://<username>:<password>@<proxy-server-url>:<port>"
    }
  }
}
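The proxy procedure above ends with credentials sitting in two files, and `systemctl show --property=Environment docker` prints them back. The script below is an added example (not part of the original notes) that writes the same systemd drop-in and client config.json from a variable, with file modes that keep the credentials away from other local users, and a check you can rerun later. The `HTTPS_PROXY` / `httpsProxy` entries come from the Docker documentation linked at the top of this section; the `ROOT` prefix and the function names are this example's own, and the proxy URL used in the usage note is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the daemon proxy drop-in
# and the client config.json with restrictive modes, plus a check that neither
# file is world-readable. ROOT is a path prefix: "/" on a real host (run as root),
# or a scratch directory when testing. HTTPS_PROXY/httpsProxy follow the Docker
# documentation linked above.

# Numeric mode of a file (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Minimal JSON string escaping (backslash and double quote). A proxy URL
# normally contains neither, but a password might.
json_escape() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# write_daemon_proxy ROOT PROXY_URL
# Writes ROOT/etc/systemd/system/docker.service.d/http-proxy.conf, mode 0640.
write_daemon_proxy() {
    dir="$1/etc/systemd/system/docker.service.d"
    mkdir -p "$dir"
    (
        umask 027   # never create the file world-readable, not even briefly
        printf '[Service]\nEnvironment="HTTP_PROXY=%s"\nEnvironment="HTTPS_PROXY=%s"\n' \
            "$2" "$2" > "$dir/http-proxy.conf"
    )
    chmod 0640 "$dir/http-proxy.conf"
}

# write_client_proxy ROOT PROXY_URL
# Writes ROOT/root/.docker/config.json, mode 0600 (the client runs as root here).
write_client_proxy() {
    dir="$1/root/.docker"
    url=$(json_escape "$2")
    mkdir -p "$dir"
    (
        umask 077
        printf '{\n  "proxies": {\n    "default": {\n      "httpProxy": "%s",\n      "httpsProxy": "%s"\n    }\n  }\n}\n' \
            "$url" "$url" > "$dir/config.json"
    )
    chmod 0600 "$dir/config.json"
}

# proxy_files_mode_ok ROOT
# Succeeds only if both files exist and grant nothing to "others"
# (last octal digit 0), i.e. the embedded credentials are not world-readable.
proxy_files_mode_ok() {
    for f in "$1/etc/systemd/system/docker.service.d/http-proxy.conf" \
             "$1/root/.docker/config.json"; do
        [ -f "$f" ] || return 1
        m=$(file_mode "$f") || return 1
        case "$m" in
            *0) ;;            # others: ---
            *)  return 1 ;;
        esac
    done
    return 0
}

# Usage (as root): sh docker-proxy.sh / 'http://<username>:<password>@<proxy-server-url>:<port>'
# then: systemctl daemon-reload && systemctl restart docker
if [ "$#" -eq 2 ]; then
    write_daemon_proxy "$1" "$2"
    write_client_proxy "$1" "$2"
    proxy_files_mode_ok "$1" && echo "proxy files written with restrictive modes"
fi
```

The check only looks at the "others" bits: group read on the drop-in is acceptable because systemd reads it as root, while config.json is 0600 since only the root user's client needs it.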
Verify that it was installed correctly.
sudo docker run hello-world
Usage
Docker Cheat Sheet: https://github.com/wsargent/docker-cheat-sheet
Help
sudo docker help
sudo docker <command> --help
sudo docker build --help
Service
Start Docker service
sudo service docker start
Images
List images
sudo docker image ls -a
Remove an image
IMAGE_ID=35438515b976
sudo docker image rm $IMAGE_ID
Remove all images without associated containers
sudo docker image prune -a
Containers
List running containers
sudo docker container ls
sudo docker ps
List all containers
sudo docker container ls -a
Run a container
-i: interactive, -t: TTY (docker run takes an image name or image ID, not a container ID)
sudo docker run -it <image-ID>
sudo docker run -it <image>
Share a directory from Kali to container
sudo docker run -it -v /home/kali/htb:/code/htb:rw <image>
Run commands in a running container
sudo docker exec -it <container ID> /bin/bash
sudo docker exec -it <container ID> /bin/sh
sudo docker exec -it <container ID> ps
Stop a container
sudo docker stop <container ID>
Remove all stopped containers
sudo docker container prune
Dockerfile
Build an image from a Dockerfile (the path argument is the build context, the directory containing the Dockerfile)
sudo docker build -t <will-be-imagename> <path-to-build-context>
sudo docker build -t myprecious .
sudo docker run -it myprecious
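Before running `docker build`, it is worth checking the Dockerfile for two habits the OWASP material under "Securing Docker" calls out: the final stage should not run as root, and the base image should be pinned rather than resolving to `:latest`. The checker below is an added example (not from the original notes, and not a Docker tool); the function names are its own, and the two sample Dockerfiles it writes are constructed for the demo. It goes a little beyond the page's single-stage build by handling multi-stage files, where `FROM <stage>` refers to an earlier stage rather than an image.

```shell
#!/bin/sh
# Added example, not from the original notes: a small Dockerfile checker for
# two findings, "runs as root" and "base image not pinned". Instruction names
# are matched case-insensitively, as the builder does.

# dockerfile_final_user FILE -> prints the user set by the last USER instruction,
# or "root" when there is none (the builder's default).
dockerfile_final_user() {
    u=$(grep -i '^[[:space:]]*USER[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${u:-root}"
}

# dockerfile_runs_as_root FILE -> succeeds if the container would start as root.
dockerfile_runs_as_root() {
    case "$(dockerfile_final_user "$1")" in
        root|0|root:*|0:*) return 0 ;;
        *) return 1 ;;
    esac
}

# dockerfile_unpinned_base FILE -> succeeds if any FROM references an image with
# no tag or digest, or with :latest. Stage names from "FROM x AS name" and
# "scratch" are not images and are skipped.
dockerfile_unpinned_base() {
    stages=$(grep -i '^[[:space:]]*FROM[[:space:]]' "$1" | awk 'toupper($3)=="AS"{print $4}' | tr '\n' ' ')
    refs=$(grep -i '^[[:space:]]*FROM[[:space:]]' "$1" | sed 's/--platform=[^ ]* //' | awk '{print $2}')
    for ref in $refs; do
        case " $stages " in *" $ref "*) continue ;; esac
        case "$ref" in
            scratch) continue ;;          # no base layer at all
            *@sha256:*) continue ;;       # pinned by digest
        esac
        last=${ref##*/}                    # strip registry/namespace (a registry may carry :port)
        case "$last" in
            *:latest) return 0 ;;
            *:*) ;;                        # name:tag
            *) return 0 ;;                 # bare name resolves to :latest
        esac
    done
    return 1
}

# lint_dockerfile FILE -> prints findings, exit status 1 if there are any.
lint_dockerfile() {
    rc=0
    if dockerfile_runs_as_root "$1"; then
        echo "$1: container runs as root (add a USER instruction for an unprivileged account)"; rc=1
    fi
    if dockerfile_unpinned_base "$1"; then
        echo "$1: base image not pinned (use image:tag or image@sha256:...)"; rc=1
    fi
    return $rc
}

# write_sample_dockerfiles DIR -> constructed samples for the demo, not real project files.
write_sample_dockerfiles() {
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM debian
RUN apt-get update && apt-get install -y --no-install-recommends python3
COPY app.py /app/
CMD ["python3", "/app/app.py"]
EOF
    cat > "$1/Dockerfile.good" <<'EOF'
FROM python:3.11-slim AS base
RUN useradd --create-home --uid 10001 app
FROM base
COPY --chown=app:app app.py /app/
USER app
CMD ["python3", "/app/app.py"]
EOF
}

# Usage: sh dockerfile-lint.sh path/to/Dockerfile [...]
status=0
for f in "$@"; do
    lint_dockerfile "$f" || status=1
done
[ "$#" -eq 0 ] || exit $status
```

Run it against the build context from the section above (`sh dockerfile-lint.sh ./Dockerfile`) before `docker build`; a non-zero exit makes it easy to wire into a pre-build step.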
Troubleshooting
Temp fix: “Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown.”
sudo mkdir /sys/fs/cgroup/systemd
sudo mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
Privilege Escalation via Docker
See GTFOBins.
- Docker socket file permissions are set to 660 or more restrictively (datadoghq)
- Writable Docker Socket Files (HackTricks)
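The socket-permission item above is easy to audit. The script below is an added example (not from the original notes or the linked pages): it checks that the Docker socket grants nothing to "others" (0660 or tighter, as the datadoghq item states), reports the owning group, and lists the members of the docker group, since any account that can talk to the daemon can reach the host. The function names are its own; the socket path and group file default to the usual locations but are parameters so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the Docker socket's mode and
# group, and list docker group members. Paths are parameters so the functions
# can be exercised on constructed files; defaults are the usual locations.

# Numeric mode and group name of a file (GNU stat, with a BSD fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }
file_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1" 2>/dev/null; }

# socket_mode_ok PATH -> succeeds if the file exists and "others" have no bits
# at all (last octal digit 0), i.e. mode 0660 or more restrictive.
socket_mode_ok() {
    m=$(file_mode "$1") || return 1
    case "$m" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# socket_group_ok PATH -> succeeds if the owning group is docker or root.
socket_group_ok() {
    case "$(file_group "$1")" in
        docker|root) return 0 ;;
        *) return 1 ;;
    esac
}

# docker_group_members [GROUPFILE] -> prints the docker group's members, one per line.
docker_group_members() {
    awk -F: '$1=="docker"{n=split($4,a,","); for(i=1;i<=n;i++) if(a[i]!="") print a[i]}' "${1:-/etc/group}"
}

# audit_docker_socket [SOCKET] [GROUPFILE] -> human-readable report, exit 1 on findings.
audit_docker_socket() {
    sock=${1:-/var/run/docker.sock}
    groupfile=${2:-/etc/group}
    rc=0
    if [ ! -e "$sock" ]; then
        echo "$sock: not present"
        return 1
    fi
    if socket_mode_ok "$sock"; then
        echo "$sock: mode $(file_mode "$sock") ok"
    else
        echo "$sock: mode $(file_mode "$sock") grants access to others; expected 0660 or tighter"; rc=1
    fi
    if socket_group_ok "$sock"; then
        echo "$sock: group $(file_group "$sock") ok"
    else
        echo "$sock: group $(file_group "$sock") is unexpected; expected docker or root"; rc=1
    fi
    echo "docker group members (each can drive the daemon; review this list):"
    docker_group_members "$groupfile" | sed 's/^/  /'
    return $rc
}

# Usage: sh socket-audit.sh [/var/run/docker.sock [/etc/group]]
if [ "$#" -ge 1 ]; then
    audit_docker_socket "$@"
    exit $?
fi
```

A mode check alone is not the whole story: a 0660 socket is still reachable by every docker group member, which is why the report prints that list alongside the mode.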
Docker Escape
- Docker Breakout / Privilege Escalation (HackTricks)
Securing Docker
- OWASP Docker Security (GitHub)
- OWASP Docker Security Cheat Sheet (OWASP)
- OWASP Docker / Container Top 10 (PDF) (OWASP)
- Docker Threat Modeling and Top 10 (by Dirk Wetter) (adriancitu)
Reference
- Dockerfile reference (Docker)