Want a Docker Hacking Challenge? Try This Vulnerable VM
If you work with Docker and want to see whether you’re skilled enough to spot misconfigurations and insecure deployments, a penetration testing company has a challenge for you: a vulnerable Docker virtual machine.
The VM was built as a capture-the-flag game, where players need to gain deeper access into the system and collect “flags.” These can be files or pieces of content that serve as checkpoints, confirming that players are on the right track.
The game has two difficulty levels — easy and hard — but the end goal is the same: breaking out of the Docker container and gaining root privileges on the host system.
Solving the easy challenge only requires knowledge of how Docker works, said Anant Shrivastava, regional director for APAC at NotSoSecure Global Services and one of the VM’s authors.
However, the hard difficulty level requires knowledge of both Docker and penetration testing (pentesting). Players have to gain access to the Docker container through a vulnerable web application and then to escape into the host system.
The security issues that need to be found and exploited include both misconfigurations and traditional vulnerabilities. There are three “flags” to be collected along the way. Some of the flaws are Docker-related, while others are related to the Web application running inside the container.
NotSoSecure provides pentesting services and training for security professionals and Shrivastava is one of the lead trainers for the company’s advanced infrastructure hacking courses.
The security problems included in the Docker VM were actually found in real-world deployments during penetration testing engagements, Shrivastava said. The idea for releasing the VM publicly came after a well received challenge during the training courses the company held at the Black Hat USA security conference earlier this year, he said.
There is no prize offered for solving the game so players don’t have to report back to the company with the solutions. However, there is a thread on Reddit where the authors are responding to questions and an email address is provided inside the VM that can be used to contact the team.
The company published a free webinar that covers some of the techniques used during Docker security assessments and while the presentation won’t provide the exact solutions to the VM challenge, it could give players some ideas of things they could try.
The company plans to publish a detailed write-up in around two weeks about the security issues included in the Docker VM and how they could have been exploited to reach the end goal of compromising the host. Check back here where we’ll discuss the results in detail.
