Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1- 1165

Eviatar Gerzi - CyberArk, posted 2 years ago
  • Docker is a containerization platform used everywhere. I even use it to host the Spokane Cyber Cup! Docker was ported from Linux to Windows with a completely different under-the-hood implementation because of the differences between the two operating systems.
  • The flow of the service is below:
    DockerDesktop.exe->com.docker.service->
    docker engine (dockerd)->container
    
  • The service communicates using named pipes: one or more client pipe handles connect to a single server pipe. Instead of analyzing the code, the researchers used IO Ninja to read the named pipe communication patterns. The author of the post also wrote a new Pipe Viewer tool that shows richer information about each pipe, such as its permissions.
  • The named pipe dockerBackendV2 is created by the service com.docker.service. Communication over this pipe is a REST API served by a process running as SYSTEM, and the pipe's permissions allow a low-privileged user to make calls to it. By calling this API, it is possible to mount to arbitrary locations using the service!
  • The previous issue was already known to the Docker team and was only partly fixed. The researchers then found another function: move-data-folder. It copies data from one folder into another, without restriction, as the SYSTEM user. With an arbitrary file write like this, a simple DLL hijack gives you a SYSTEM shell.
  • Windows File Protection got in the way, though. They bypassed it using an intermediate directory and junctions. Overall, a good post on how simple bugs can be found once you understand a complex architecture.
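The core finding above is a SYSTEM-backed named pipe whose DACL lets low-privileged users talk to it. As an added example (my own, not code from the CyberArk post or its Pipe Viewer), here is a PowerShell audit that enumerates local named pipes and flags any that grant write access to broad principals. It assumes Windows PowerShell 5.1 on .NET Framework, where PipeStream.GetAccessControl() is available; the name filter (`docker`) and the list of "broad" principals are assumptions to adjust for your environment. Reading the DACL requires opening a client handle, so each audited pipe's server will see one short-lived connection.

```powershell
# Added example (not from the post): audit DACLs of local named pipes for over-broad write access.
# Assumes Windows PowerShell 5.1 (.NET Framework), where PipeStream.GetAccessControl() exists.

function Get-NamedPipeAccess {
    param(
        [Parameter(Mandatory)] [string] $PipeName,
        [int] $TimeoutMs = 500
    )
    # A client handle is needed to read the security descriptor; open it read-only.
    $pipe = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName, [System.IO.Pipes.PipeDirection]::In)
    try {
        $pipe.Connect($TimeoutMs)
        $acl = $pipe.GetAccessControl()
        foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            [pscustomobject]@{
                Pipe     = $PipeName
                Identity = $rule.IdentityReference.Value
                Rights   = $rule.PipeAccessRights
                Type     = $rule.AccessControlType
            }
        }
    } catch [System.TimeoutException] {
        Write-Warning "No free server instance for \\.\pipe\$PipeName within $TimeoutMs ms"
    } catch {
        Write-Warning "Could not open \\.\pipe\$PipeName : $($_.Exception.Message)"
    } finally {
        $pipe.Dispose()
    }
}

# Principals that should not hold write or full control on a pipe served by a SYSTEM process.
# (Assumption: extend this list to match your own hardening baseline.)
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Bits that let a client push data into the server: WriteData or FullControl.
$writeMask = [int][System.IO.Pipes.PipeAccessRights]::WriteData -bor [int][System.IO.Pipes.PipeAccessRights]::FullControl

# Enumerate every pipe on the host, then narrow to the pattern of interest (assumption: 'docker').
$pipeNames = [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { Split-Path $_ -Leaf }

$pipeNames |
    Where-Object { $_ -match 'docker' } |
    ForEach-Object { Get-NamedPipeAccess -PipeName $_ } |
    Where-Object {
        $_.Type -eq 'Allow' -and
        $broadPrincipals -contains $_.Identity -and
        (([int]$_.Rights) -band $writeMask) -ne 0
    } |
    Format-Table -AutoSize
```

Any row this prints is a pipe where a non-administrative principal can send requests to a privileged server; the fix is on the server side (a tighter DACL when the pipe is created, plus authorization checks on each request), which is the class of mistake the post describes.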