This repository contains a set of deliberately vulnerable Docker images for practising attacks on a container environment, compiled for the Cyber_Security hackathon 2021.
Requirements
The setup procedure was tested on CentOS 8 with the latest kernel (you are free to choose your own operating system) and with the libraries installed by the steps below.
Clone this repository:
```
[root@localhost]# sudo yum -y install git
[root@localhost]# git clone https://github.com/frizzymonsta/cyber_security21.git
```
Run the script that installs Docker and Docker Compose:
```
[root@localhost]# cd cyber_security21
[root@localhost]# chmod +x docker.install.centos.redhat.sh
[root@localhost]# ./docker.install.centos.redhat.sh
```
To pull the images you need to be logged in to Docker Hub:
```
[root@localhost]# docker login
```
Scripts explanation
The repository contains the following images:
| Container | Script that starts the image |
|---|---|
| Kali Linux container | bash/kali_container.sh |
| Simple mail form imitation | bash/cve-2016-10033.sh |
| Nginx server hosting a simple two-page website | bash/website_sql_start.sh |
| Redis database | bash/website_sql_start.sh |
| Simple FTPd imitation | bash/cve-2015-3306.sh |
| Elasticsearch | bash/cve-2015-1427.sh |
| Tomcat image | bash/tomcat.sh |
| Ubuntu image | bash/cve-2019-5736.sh |
The image sources are in the images directory.
To run all images:
```
[root@localhost falco]# chmod +x start_all.sh
[root@localhost falco]# ./start_all.sh
```
To stop all images:
```
[root@localhost falco]# docker kill $(docker ps -q)
```
All containers start detached (in the background). Remove the -d flag in the scripts to run them in the foreground.
Exploits
cve-2015-1427
Image: bash/cve-2015-1427.sh
To do: Bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. Access by default: localhost:9200.
cve-2015-3306
Image: bash/cve-2015-3306.sh
To do: Read and write to arbitrary files via the site CPFR and site CPTO commands. Port by default: 21.
cve-2016-10033
Image: bash/cve-2016-10033.sh
To do: Pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. Access by default: localhost:8383.
cve-2019-5736
Image: bash/cve-2019-5736.sh
To do: Overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
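A defender-side counterpart to the CVE-2019-5736 item above, added here as an example and not part of this repository: a POSIX shell script that records a SHA-256 baseline of the host runc binary and later re-verifies it, flagging a changed hash or a group/world-writable binary. The runc path and the baseline file location are assumptions; override them for your host.

```shell
#!/bin/sh
# Added example, not part of the hackathon repository: keep a SHA-256 baseline
# of the host runc binary and re-check it. A host runc that no longer matches
# its baseline is the main artefact a successful CVE-2019-5736 exploitation
# leaves behind, so this is a cheap host-side integrity check for cron/monitoring.
# RUNC_BIN and RUNC_BASELINE defaults are assumptions; override them for your host.

RUNC_BIN="${RUNC_BIN:-/usr/bin/runc}"
RUNC_BASELINE="${RUNC_BASELINE:-/var/lib/runc.sha256}"
# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# runc_baseline BIN FILE: record the hash of BIN in FILE (run once, right
# after installing or updating Docker/runc from a trusted source).
runc_baseline() {
  bin="$1"; out="$2"
  [ -f "$bin" ] || { echo "no such binary: $bin" >&2; return 2; }
  printf '%s  %s\n' "$(file_sha256 "$bin")" "$bin" > "$out"
}

# runc_verify BIN FILE: return 0 if BIN still matches FILE and is not
# writable by group/others; return 1 (and print why) otherwise.
runc_verify() {
  bin="$1"; base="$2"; status=0
  [ -f "$base" ] || { echo "no baseline: $base" >&2; return 2; }
  expected="$(cut -d' ' -f1 "$base")"
  actual="$(file_sha256 "$bin")"
  if [ "$expected" != "$actual" ]; then
    echo "ALERT: $bin changed (expected $expected, got $actual)" >&2
    status=1
  fi
  # ls -ld mode string: position 6 is group write, position 9 is other write.
  mode="$(ls -ld "$bin" | cut -c1-10)"
  case "$mode" in
    ?????w*|????????w*) echo "ALERT: $bin is group/world writable ($mode)" >&2; status=1 ;;
  esac
  return "$status"
}
# Usage: ./runc_check.sh baseline   (once)   |   ./runc_check.sh verify   (periodically)
case "${1:-}" in
  baseline) runc_baseline "$RUNC_BIN" "$RUNC_BASELINE" ;;
  verify)   runc_verify   "$RUNC_BIN" "$RUNC_BASELINE" ;;
esac
```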
Win condition
Gain unauthorized access to the images described above and propose your own approaches for the three remaining containers: Kali, Tomcat, and the portfolio website (Redis and Nginx, localhost:8080 by default).
Container-escape and privilege-escalation attacks are of the greatest interest.
Results are accepted as pull requests; do not forget to add instructions to the README and record a demo video.
Notice: Pull requests opened on private repositories remain private.
How we choose the winner
We award points for the following actions:
| Points | Privilege escalation to root | Escape from the container | Third-party exploit used | Own exploit written | Third-party shellcode used | Own shellcode written | Report in the required form | Report not in the required form | Video (optional) |
|---|---|---|---|---|---|---|---|---|---|
| cve-2015-1427 | 1* | 1 | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| cve-2015-3306 | 1* | 1 | 1 | 2 | 1 | 2 | 1* | -2 | 1 |
| cve-2016-10033 | 1* | 1 | 1 | 2 | 1 | 2 | 1* | -2 | 1 |
| cve-2019-5736 | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| tomcat | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| website | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
| kali | 1* | 1* | 1* | 2 | 1 | 2 | 1* | -2 | 1 |
The minimum requirements are marked with *; the minimum score is 12 points.
Good luck!