The docker reach-around: hacking containers for fun and profit

The docker reach-around: hacking containers for fun and profit

OK. Those who know me know I use the term 'hacker' in the original RFC 1392 sense of the word, "A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.", and not the Hollywood "This is Unix, I know this" where someone can just guess the password. It means extending a system in a way it was not original intended.

So containers. You build them with the least-files you can (cuz size, cuz security). You'd never think to put 'ssh' or 'vim' or 'sudo' in there. But then you need to debug why the $!#* thing won't do what you want. Sure you could enter into an endless stream of 'build/push/run/exec'. Or you could add these files 'for dev only' and promise yourself you'd remove them later.

But why not cheat? This is Unix, we know this! First, find the container:

$ docker ps
CONTAINER ID        IMAGE                                      COMMAND                  CREATED             STATUS              PORTS                                                                    NAMES
5ca0e51472b7        us.gcr.io/corp-202415/taiga_backend        "/scripts/entrypoint…"   16 hours ago        Up 9 minutes                                                                                 taiga_backend

Now find where's its mounted:

$ docker inspect 5ca0e51472b7  |grep DeviceName
                "DeviceName": "docker-253:1-5636841-75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491",
$ mount |grep 75947de5cd473
/dev/mapper/docker-253:1-5636841-75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491 on /var/lib/docker/devicemapper/mnt/75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491 type xfs (rw,relatime,nouuid,attr2,inode64,logbsize=128k,sunit=256,swidth=256,noquota)

Now lets just sneak in there, as root:

sudo chroot /var/lib/docker/devicemapper/mnt/75947de5cd473e1e1fb1a153350243989118ca7b2a4fd840c9deebb6666f4491/rootfs
echo nameserver 8.8.8.8 > /etc/resolv.conf
apt install sudo
echo myuser ALL=NOPASSWD: ALL > /etc/sudoers.d/myuser

and bingo, we can run sudo inside the container now. Or feel free to not chroot there and just modify things as needed.

There, in the few minutes of your life I just gave you back you can watch:

and

3 comments on “The docker reach-around: hacking containers for fun and profit
  1. db Nicolas St-Pierre says:

    I don’t know man.. in that hacking scene, the hackers are clearly using their own keyboards..

    This ‘anti-hacker’ scene is more epic:
    https://www.youtube.com/watch?v=msX4oAXpvUE

    They use a method dubbed ‘the tromboning’ 😉

  2. db Chris says:

    OK. Those who know me know I use the term ‘reach-around’ in the original sense of the word, “A person who delights in having an intimate – “, oh, never mind….

  3. db Chris says:

    I also can’t believe you didn’t use Matthew Broderick’s NORAD-defeating tic-tac-toe hack scene from WarGames or Jeff Goldblum’s alien invasion-defeating skull-and-bones viral hack from Independence Day. WTF?! The stakes were *significantly* higher in those cases I’d say!

Leave a Reply

Your email address will not be published. Required fields are marked *

*