From 3d77ff647a8613c57725cac4ade8e603dbe24444 Mon Sep 17 00:00:00 2001 From: Ewout Wieten Date: Thu, 4 Apr 2024 19:13:45 +0200 Subject: replace pre with code --- entry/escape/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'entry/escape/index.html') diff --git a/entry/escape/index.html b/entry/escape/index.html index ce90b3a..30dd29d 100644 --- a/entry/escape/index.html +++ b/entry/escape/index.html @@ -29,7 +29,7 @@ code {

Becoming root

- As-is, the webshell runs as a regular user (elastic) without password. Unless you brute force the password, there is no way to gain superuser access. Thankfully, as members of the docker group, we can run containers with root privilege. Then, by running any container with a volume of /etc/passwd, you can remove the x between the :'s for the root user. This x is simply a placeholder that tells the system that the real password is stored and encrypted, usually in /etc/shadow. Now that the x is gone, the root user will be passwordless. That's codetty cool: we gained root access in our containerized environment. But what happens next is such a disaster, that container root is an insignificant oversight: + As-is, the webshell runs as a regular user (elastic) without password. Unless you brute force the password, there is no way to gain superuser access. Thankfully, as members of the docker group, we can run containers with root privilege. Then, by running any container with a volume of /etc/passwd, you can remove the x between the :'s for the root user. This x is simply a placeholder that tells the system that the real password is stored and encrypted, usually in /etc/shadow. Now that the x is gone, the root user will be passwordless. That's pretty cool: we gained root access in our containerized environment. But what happens next is such a disaster, that container root is an insignificant oversight:

Escaping the container
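
Review bot: the subject "replace pre with code" does not describe the one changed line in entry/escape/index.html, which restores "pretty cool" from "codetty cool"; "codetty" looks like "pretty" with "pre" swapped for "code", so this commit repairs a side effect of a text replacement rather than performing one. Suggest a subject along the lines of "fix 'codetty' typo in escape entry", and check the rest of the file for other words containing "pre" that may have been altered the same way, since the diffstat shows only this line touched. While the paragraph is being edited, "the real password is stored and encrypted, usually in /etc/shadow" would be more accurate as "stored as a hash", because shadow entries are hashed rather than encrypted.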

-- cgit v1.3