First off, great video! Really loved the RCE using a lambda function!
Around 57:50, you ask, "what did I just do". If you go to 57:41 you'll notice you changed your working directory to /root, the correct directory you wanted was /mnt/root, since the host's files system is mounted to /mnt/ within the docker container. I've made this mistake more times than I'd like to admit lol but we should call this out since all of us will hit the same using kubernetes, k3s, docker, etc.
I will watch this tonight. 🙌 Gonna ask you a question after watching the video :).
There are a lot of things.. oh god I have to rewatch this again
"fetch" is the modern replacement for XMLHttpRequest
Superb!
Ooh, also, ‘-it’ in ‘docker run’ means ‘interactive, allocate tty’
It is also a great mnemonic: "run IT"
-t means allocate a tty/pty in the run/start/exec commands; -t means tag in build.
Creating a CSRF to force the victim to navigate to pages and send us the date, read his email to discover an S3 Domain
"date" or "data" ?)
Thanks for the video.
I always see your terminal: when you open Burp Suite and send any request using Burp, suddenly a red light pops up... how?
awesome! thanks for sharing
I work with another method, but GG, you have good ideas. Good work bro, you are the best.
hacking is the next gaming
This could actually be a pretty accurate insight I think
@ijustcantseeit yeah, when you take a look at the metaverse and what the future holds, you'll say it's inevitable that everyone must learn hacking and security.
Thanks man
You're the best.
What can I learn before starting with HACK THE BOX?
TryHackMe?
TryHackMe, and/or overthewire, HTB also has academy modules and a starting point module for beginners
Hack The Box Academy. I have been a VIP user for 1 year.
Why did you not search for 200 codes in the vhost gobuster output?? Thanks
When you mounted host's '/' to docker's '/mnt' directory, and put the public ssh key in root's .ssh, does it also get written to host's root .ssh?
I didn't really understand the privesc part. If a docker container has access to the docker command, it doesn't create containers inside the container but creates them on the host instead?
Pretty much! If you look at when he opens the docker-compose file, you can see that the host’s docker socket is mounted as a volume in the container. By default, volumes are read/write, so the container can create containers on the host
If you look into the software ‘portainer’, this is the way it works!
You can just escape docker containers to the host that easily?
In this case yes, because the docker container was allowed to spawn other docker containers.
@ippsec okay, crazy, didn't know that.
This is why you never run docker in docker if you can help it. When can you expect this irl? With kubernetes, a lot of people are putting their deployment pipelines and CI/CD infra into kubernetes itself because you get easy "scalability"; each build runs in its own docker container. Injecting code into a build, or finding a poorly configured instance, presents a chance you can get code execution in a build container which could end up having the privileges needed. A lot of this has been patched now in most tools, but one slip-up in configuration and an attacker could find what they need.
Can't say much more given Google's acceptable content guidelines. I'll just say that I evaluated this attack path when considering build tools where I work and this was a real-world attack path that came up.
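The docker-socket privesc discussed in the replies above (the socket bind-mounted into the container, whether a key written under /mnt/root reaches the host, and the CI runner case) as a runnable shell example. This is added here and is not code from the video, from ippsec or from any commenter. The two compose documents, the service names and the paths are constructed for the example; the escape assumes the docker CLI is present inside the container and that the host daemon can pull or already has an alpine image. The escape command is returned as a string for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the video or the thread.
# Audits a docker-compose file for the mounts behind this privesc, returns the
# escape a shell in such a container would run, and maps container paths to host
# paths so the /root vs /mnt/root mix-up is explicit.
# Both compose documents below are constructed for this example.

# Weak configuration: the host's docker socket is bind-mounted into the container,
# so any process inside can ask the host daemon to start arbitrary containers.
WEAK_COMPOSE='services:
  runner:
    image: builder:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  web:
    image: nginx
    volumes:
      - ./site:/usr/share/nginx/html:ro'

# Corrected configuration: same services, socket mount removed. A build service
# that really needs to produce images should use a remote or rootless builder.
FIXED_COMPOSE='services:
  runner:
    image: builder:latest
  web:
    image: nginx
    volumes:
      - ./site:/usr/share/nginx/html:ro'

# Print volume entries that hand the container the host docker daemon (the
# socket) or the whole host filesystem (a bind mount of /). Prints nothing when
# the file is clean; the exit status is always 0 so it is safe under set -e.
risky_mounts() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*-[[:space:]]*(/var/run/docker\.sock|/):' || true
}

# Number of risky entries, for scripting around the check.
risky_mount_count() {
    risky_mounts "$1" | grep -c . || true
}

# The escape, as typed inside the container once `docker` can reach the socket:
# start a new container with the host's / bind-mounted at /mnt and chroot into it.
escape_command() {
    printf 'docker run -it --rm -v /:/mnt alpine chroot /mnt /bin/sh'
}

# Translate a path used inside the escape container into the host path it
# touches. /mnt/root/.ssh/authorized_keys is the host's /root/.ssh/authorized_keys
# (bind mounts are read/write by default), while plain /root is the escape
# container's own home and never reaches the host.
host_path_for() {
    case "$1" in
        /mnt|/mnt/*)
            p="${1#/mnt}"
            printf '%s' "${p:-/}"
            ;;
        *)
            printf 'container-only:%s' "$1"
            ;;
    esac
}

main() {
    echo "weak compose risky mounts: $(risky_mount_count "$WEAK_COMPOSE")"
    risky_mounts "$WEAK_COMPOSE"
    echo "fixed compose risky mounts: $(risky_mount_count "$FIXED_COMPOSE")"
    echo "escape: $(escape_command)"
    echo "/mnt/root/.ssh/authorized_keys -> $(host_path_for /mnt/root/.ssh/authorized_keys)"
    echo "/root/.ssh/authorized_keys -> $(host_path_for /root/.ssh/authorized_keys)"
}

main "$@"
```

Run it with `sh audit.sh`. The check only inspects compose volume lists written in the short `host:container` form; an `/:/mnt` entry is flagged for the same reason as the socket, since either one gives root on the host to anyone who gets a shell in the container, which is exactly the exposure a CI runner that builds with docker inside kubernetes carries.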
first comment :)
Nice - really, really nice!
Where are the timestamps
Look in the description, where they should be :) Just busy with an event this weekend and didn't have time to create the timestamps.
Comment
Full Stack = Full Stocker Developer
@1:00:02 - look! DEAD BEEF :-)