17 August, 2018

Escaping the Whale: Things You Probably Shouldn’t Do With Docker (part 2)

Escaping the Whale: Things You Probably Shouldn’t Do With Docker (part 2)
Cory Sabol
Author: Cory Sabol

This post is part 2 of a series of blog posts on container hacking. If you haven’t read the part1, you should check it out. Today I’m going to tell you about a new collection of scripts, and a lab VM for hacking containers. Both of these resources are currently works in progress, and are open source… *cough* contributions are welcome *cough*.

Board the Whaling Ship

*btw the Moby Dick/whale references will not stop*. Pequod is a Vagrant project which spins up a VM loaded with vulnerable containers to hack on. There’s still a lot to explore and build out here as I learn more and more. Currently, Pequod is built with a deliberately vulnerable Linux kernel and a few insecurely configured Docker containers. I highly encourage anybody to download the project, spin it up, and learn to escape the containers in the VM.

Cast Your Harpoon

Harpoon is a post exploitation tool written in bash with the intentions of aiding you in identifying if that swanky shell, RCE, or whatever it is that you’ve got, is in a container. Currently it only supports fingerprinting for Docker containers, but support for CloudFoundry Garden is on the way. The tool also currently supports identifying the docker socket (which you can read how dangerous it is in part 1). There are also plans to implement the ability to automatically exploit the docker socket and establish a shell, among a lot of other things 😉


So, that’s it. Both Pequod and Harpoon are projects which I work on when I have some spare time. They aim to arm pentesters, dev ops, and developers with some extra knowledge about container security.  I’m hoping that you find the tools and concepts interesting and tinker with them on your own. I’m aiming to improve them both heavily over the coming months. I’m also going to be running a 4 hour container hacking workshop at BSides Charleston this year. You should definitely come out to the conference and hang out, ask me about container security. Lastly, if there is anything that you don’t understand, I encourage you to make an issue or a pull request on the GitHub repo, especially if you figure out something new and cool! Look out for part 3 of this series where I will do a deep dive on container fingerprinting techniques.

Join the professionally evil newsletter

Related Resources