Docker Forensics

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:

On-demand Mobile Security Training | 8kSec Academy8kSec Academy

Container modification

Kuna shaka kwamba baadhi ya kontena za docker zilipatikana zimevunjwa:

docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
cc03e43a052a        lamp-wordpress      "./run.sh"          2 minutes ago       Up 2 minutes        80/tcp              wordpress

Unaweza kwa urahisi kupata marekebisho yaliyofanywa kwa kontena hili kuhusiana na picha kwa kutumia:

docker diff wordpress
C /var
C /var/lib
C /var/lib/mysql
A /var/lib/mysql/ib_logfile0
A /var/lib/mysql/ib_logfile1
A /var/lib/mysql/ibdata1
A /var/lib/mysql/mysql
A /var/lib/mysql/mysql/time_zone_leap_second.MYI
A /var/lib/mysql/mysql/general_log.CSV
...

Katika amri iliyopita, C inamaanisha Ilibadilishwa na A, Iliyoongezwa. Ikiwa utagundua kuwa faili ya kuvutia kama /etc/shadow ilibadilishwa, unaweza kuipakua kutoka kwenye kontena ili kuangalia shughuli za uhalifu kwa:

docker cp wordpress:/etc/shadow.

Unaweza pia kuilinganisha na ile ya asili kwa kuendesha kontena mpya na kutoa faili kutoka kwake:

docker run -d lamp-wordpress
docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
diff original_shadow shadow

Ikiwa unapata kwamba faili fulani ya kushangaza imeongezwa unaweza kufikia kontena na kuangalia:

docker exec -it wordpress bash

Mabadiliko ya picha

Unapopewa picha ya docker iliyosafirishwa (labda katika muundo wa .tar) unaweza kutumia container-diff ili kutoa muhtasari wa mabadiliko:

docker save <image> > image.tar #Export the image to a .tar file
container-diff analyze -t sizelayer image.tar
container-diff analyze -t history image.tar
container-diff analyze -t metadata image.tar

Kisha, unaweza kufungua picha na kufikia blobs kutafuta faili za kushangaza ambazo huenda umepata katika historia ya mabadiliko:

tar -xf image.tar

Basic Analysis

Unaweza kupata taarifa za msingi kutoka kwa picha inayotembea:

docker inspect <image>

Unaweza pia kupata muhtasari wa historia ya mabadiliko kwa kutumia:

docker history --no-trunc <image>

Unaweza pia kuunda dockerfile kutoka kwa picha na:

alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>

Dive

Ili kupata faili zilizoongezwa/zilizobadilishwa katika picha za docker unaweza pia kutumia dive (pakua kutoka releases) chombo:

#First you need to load the image in your docker repo
sudo docker load < image.tar                                                                                                                                                                                                         1 ⨯
Loaded image: flask:latest

#And then open it with dive:
sudo dive flask:latest

Hii inakuwezesha kuvinjari kupitia blobs tofauti za picha za docker na kuangalia faili zipi zilirekebishwa/zimeongezwa. Nyekundu inamaanisha zimeongezwa na njano inamaanisha zimebadilishwa. Tumia tab kuhamasisha kwenye mtazamo mwingine na space kufunga/kufungua folda.

Kwa die huwezi kufikia maudhui ya hatua tofauti za picha. Ili kufanya hivyo, utahitaji kufungua kila safu na kuifikia. Unaweza kufungua safu zote kutoka kwa picha kutoka kwenye saraka ambapo picha ilifunguliwa ukitekeleza:

tar -xf image.tar
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done

Credentials kutoka kwa kumbukumbu

Kumbuka kwamba unapokimbia kontena la docker ndani ya mwenyeji unaweza kuona michakato inayokimbia kwenye kontena kutoka kwa mwenyeji kwa kukimbia tu ps -ef

Hivyo (kama root) unaweza kutoa kumbukumbu ya michakato kutoka kwa mwenyeji na kutafuta credentials tu kama katika mfano ufuatao.

Deepen your expertise in Mobile Security with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:

On-demand Mobile Security Training | 8kSec Academy8kSec Academy

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAnti-Forensic Techniques NextImage Acquisition & Mount

Last updated 6 days ago