Container Escapes 101 - Setup
Some logistics
This is a 2 hour workshop. It may take you more or less time and that’s okay! All the material is here, so hopefully no one is stressed about any time pressure.
You’ll need a few things:
- A Linux virtual machine (Ubuntu 24.04 and Fedora 42 tested), local or in AWS or Azure
- A container runtime on that VM (Docker Community Edition is what’s tested here)
- Broadband internet, as we’ll be downloading quite a few container images
- Probably a lack of corporate “auto-installed” stuff in your environment
If you want, I made an Ubuntu 24.04 VM for UTM (read: a Mac GUI for QEMU) that has a few things pre-installed. The “post-install” script is in GitHub. It also has SSH in the guest VM mapped to TCP port 3022 on the host.
- VM download on Google Drive
- login = user/password
- copy/paste SSH command = ssh -p 3022 user@127.0.0.1
⛳️ There’s a plain text file at /boot/flag.txt that’ll serve as read and/or write proof as we go along. If you’re making your own VM to follow along, here’s the quick one-liner to add it:
echo "hiya, you found me at appsec village @ defcon 33!" | \
  sudo tee -a /boot/flag.txt
📦 There are also a few ports forwarded between the host and the VM.
| Host port | VM port | Notes |
|---|---|---|
| 3022 | 22 | SSH |
| 3080 | 80 | HTTP with a web server |
| 5000 | 5000 | HTTP in a Flask webapp |
The setup script I used on the VMs, Dockerfiles of any containers built for this, and more are in GitHub.
Hope it went without saying, but … uh … don’t use your company’s real accounts and infrastructure and such. This was tested on QEMU (arm64 and x86_64), but should work just as well on the free tiers of AWS and Azure. No $$$ should be needed here.
Image list
To run this in an airgap, here’s a list of the images used throughout the workshop. A small shell script to pull them all is available in GitHub.
docker.io/library/ubuntu:24.04
docker.io/redhat/ubi9:9.6
ghcr.io/some-natalie/some-natalie/whoami:latest
cgr.dev/chainguard/python:latest
cgr.dev/chainguard/curl:latest
docker.io/library/nginx:latest
ghcr.io/some-natalie/some-natalie/cowsay:latest
ghcr.io/some-natalie/some-natalie/command-injection:latest
ghcr.io/some-natalie/some-natalie/command-injection-noshell:latest
ghcr.io/some-natalie/some-natalie/command-injection-noshell-noroot:latest
You’ll also need the static binaries hosted at http://files.some-fantastic.com. You may also need to do a bit of editing on package repositories, DNS, and other papercuts … but also, if this is your situation, I’m assuming you’re used to it and know what needs a tweak here and there. 🙈
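For the airgap case, pulling is only half the job: the images also have to cross the gap as files. This is an added example, not the workshop's GitHub script; it pulls the listed images, saves them with docker save, and checks SHA-256 sums before docker load on the offline VM. The function names and the default directory ./workshop-images are assumptions.

```shell
#!/bin/sh
# Added example, not the workshop's own script. Function names and the
# default bundle directory are assumptions made for illustration.
IMAGES='docker.io/library/ubuntu:24.04
docker.io/redhat/ubi9:9.6
ghcr.io/some-natalie/some-natalie/whoami:latest
cgr.dev/chainguard/python:latest
cgr.dev/chainguard/curl:latest
docker.io/library/nginx:latest
ghcr.io/some-natalie/some-natalie/cowsay:latest
ghcr.io/some-natalie/some-natalie/command-injection:latest
ghcr.io/some-natalie/some-natalie/command-injection-noshell:latest
ghcr.io/some-natalie/some-natalie/command-injection-noshell-noroot:latest'

# Turn an image reference into a flat file name, e.g.
# docker.io/library/ubuntu:24.04 -> docker.io_library_ubuntu_24.04.tar
archive_name() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# Connected side: pull and save every image, then record checksums.
bundle_images() {
  out_dir=$1
  mkdir -p "$out_dir" || return 1
  for img in $IMAGES; do
    docker pull "$img" || return 1
    docker save -o "$out_dir/$(archive_name "$img")" "$img" || return 1
  done
  (cd "$out_dir" && sha256sum -- *.tar > SHA256SUMS)
}

# Air-gapped side: refuse to load anything if a checksum does not match.
load_images() {
  in_dir=$1
  (cd "$in_dir" && sha256sum -c --quiet SHA256SUMS) || return 1
  for archive in "$in_dir"/*.tar; do
    docker load -i "$archive" || return 1
  done
}

# Usage: ./airgap.sh bundle [dir] (online), then ./airgap.sh load [dir] (offline)
case "${1:-}" in
  bundle) bundle_images "${2:-./workshop-images}" ;;
  load)   load_images "${2:-./workshop-images}" ;;
esac
```

Bundle on a machine with the same CPU architecture as the air-gapped VM, since docker pull fetches the image for the local platform.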
Weirdness and other tips, tricks, and such.
DNS in a container in a VM to the host can get hairy (usually MTU … but we all have our suspicions). Sometimes it’s helpful to explicitly specify the DNS server in the container. For example, if you’re using Docker, you can do this:
docker run -it --dns 8.8.8.8 ubuntu:24.04
Alternatively, altering the host VM’s DNS settings to add another server works too.
sudo resolvectl dns enp0s1 8.8.8.8