| -rw-r--r-- | entry/escape/index.html | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/entry/escape/index.html b/entry/escape/index.html index ce90b3a..30dd29d 100644 --- a/entry/escape/index.html +++ b/entry/escape/index.html @@ -29,7 +29,7 @@ code { </p> <h2>Becoming root</h2> <p> - As-is, the webshell runs as a regular user (<code>elastic</code>) without password. Unless you brute force the password, there is no way to gain superuser access. Thankfully, as members of the <code>docker</code> group, we can run containers with root privilege. Then, by running any container with a volume of <code>/etc/passwd</code>, you can remove the <code>x</code> between the :'s for the <code>root</code> user. This <code>x</code> is simply a placeholder that tells the system that the real password is stored and encrypted, usually in <code>/etc/shadow</code>. Now that the <code>x</code> is gone, the root user will be passwordless. That's codetty cool: we gained root access in our containerized environment. But what happens next is such a disaster, that container root is an insignificant oversight: + As-is, the webshell runs as a regular user (<code>elastic</code>) without password. Unless you brute force the password, there is no way to gain superuser access. Thankfully, as members of the <code>docker</code> group, we can run containers with root privilege. Then, by running any container with a volume of <code>/etc/passwd</code>, you can remove the <code>x</code> between the :'s for the <code>root</code> user. This <code>x</code> is simply a placeholder that tells the system that the real password is stored and encrypted, usually in <code>/etc/shadow</code>. Now that the <code>x</code> is gone, the root user will be passwordless. That's pretty cool: we gained root access in our containerized environment. But what happens next is such a disaster, that container root is an insignificant oversight: </p> <h2>Escaping the container</h2> <p> |
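Review bot: The replacement line still says the real password is "stored and encrypted, usually in /etc/shadow"; that file holds password hashes, so "stored as a hash" would be accurate, and since the whole paragraph is being rewritten for a one-word fix it could be corrected in the same commit. In the first sentence of the same line, "without password" needs an article ("without a password"). The "codetty" to "pretty" correction looks like fallout from a blanket pre-to-code replacement, so it is worth searching the rest of entry/escape/index.html for other words containing "pre" that were mangled the same way.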
