This repository contains a set of vulnerable Docker images for attacking the container environment compiled for Cyber_Security hackathon 2021.
The sweep procedure was performed on Centos 8 with the latest kernel version (you are free to choose your operating system) and with necessary libraries defined below.
Clone this repository:
[root@localhost]# sudo yum -y install git
[root@localhost]# git clone https://github.com/frizzymonsta/cyber_security21.gitRun script for installing Docker and Docker-compose.
[root@localhost]# cd cyber_security21
[root@localhost]# chmod +x docker.install.centos.redhat.sh
[root@localhost]# ./docker.install.centos.redhat.shTo install images, you need to be authorized on Docker Hub.
[root@localhost]# docker loginThe repository contains the following images:
| Container | Bash for starting image |
|---|---|
| Kali linux container. | bash/kali_container.sh |
| Simple mail form imitation. | bash/cve-2016-10033.sh |
| Nginx server that hosts a simple two-page website. | bash/website_sql_start.sh |
| Redis database. | bash/website_sql_start.sh |
| Simple FTPd imitation. | bash/cve-2015-3306.sh |
| Elastic search. | bash/cve-2015-1427.sh |
| Tomcat image. | bash/tomcat.sh |
| Ubuntu image. | bash/cve-2019-5736.sh |
Sources of images are contained in the images directory.
To run all images:
[root@localhost falco]# chmod +x start_all.sh
[root@localhost falco]# ./start_all.shTo stop all images:
[root@localhost falco]# docker kill $(docker ps -q)All images running in silent mode. Remove -d flag in scripts to avoid it.
Image: bash/cve-2015-1427.sh
To do: Bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. Access by default: localhost:9200.
Image: bash/cve-2015-3306.sh
To do: Read and write to arbitrary files via the site CPFR and site CPTO commands. Port by default: 21.
Image: bash/cve-2016-10033.sh
To do: Pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property. Access by default: localhost:8383
Image: bash/cve-2019-5736.sh
To do: Overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Get unauthorized access to images described earlier and suggest your solutions to gain access to the three remaining containers (Kali, tomcat, portfolio website(redis and nginx, localhost:8080 by default).
The attacks of the form "Escape from the container" and "Increase privileges" are of the greatest interest.
Results are accepted through pull requests, don`t forget to add instruction in README and record demo video.
Notice: Pull requests opened on private repositories remain private.
We award points for the following actions:
| Points | Raising rights to root | Escape from the container | Implemented via third party exploit | Written own exploit | Third party shellcode implemented | Your shellcode is written | Form report | Report out of shape | Video optional |
|---|---|---|---|---|---|---|---|---|---|
| cve-2015-1427 | 1* | 1 | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| cve-2015-3306 | 1* | 1 | 1 | 2 | 1 | 2 | 1* | -2 | 1 |
| cve-2016-10033 | 1* | 1 | 1 | 2 | 1 | 2 | 1* | -2 | 1 |
| cve-2019-5736 | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| tomcat | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| website | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| kali | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
The minimum requirements are marked with *, the minimum number of points is 12.
Good luck!