# Containers - DoorDasher's Demise **Day 14** Continue your Advent of Cyber journey and learn about container security. # Container Security ### Overview --- **Room URL:** **Difficulty:** Medium **Category:** Containers **Date Completed:** 12/14/2025 ### Objectives - Learn how containers and Docker work, including images, layers, and the container engine - Explore Docker runtime concepts (sockets, daemon API) and common container escape/privilege-escalation vectors - Apply these skills to investigate image layers, escape a container, escalate privileges, and restore the DoorDasher service - DO NOT order “Santa's Beard Pasta” --- ### Table of Contents [Introduction](#bkmrk-introduction) [Walk Through](#bkmrk-walk-through) [Lessons Learned](#bkmrk-lessons-learned) [Resources](#bkmrk-resources) --- ### Introduction DoorDasher's food delivery service has fallen victim to a sophisticated attack—the Hopperoo website now displays defaced content instead of the legitimate service. Your mission is to investigate the Docker infrastructure, identify the security vulnerability, and restore the original application. This challenge demonstrates a critical real-world security risk: **improper Docker socket exposure** that enables container escape attacks. By exploiting overly permissive container configurations and weak credentials, you'll navigate through multiple containers, escalate privileges, and execute a recovery script to save the day. This hands-on exercise reveals how a single misconfiguration in container isolation settings can cascade into complete infrastructure compromise. --- ### Walk Through 1. Spin up target machine 2. Connect to VPN 3. What exact command lists running Docker containers? 1. `docker ps` 4. What file is used to define the instructions for building a Docker image? 1. dockerfile 5. What's the flag? 1. `docker exec -it uptimechecker sh` 2. `docker exec -it deployer bash` 3. `whoami` 4. `pwd` 5. `ls` 6. `cd ../` 7. `ls` 8. `cat flag.txt` 9. `sudo ./recovery_script.sh` 10. [![Screenshot 2025-12-14 at 3.00.41 PM.png](https://bookstack-images.rizzoit.com/uploads/images/gallery/2025-12/scaled-1680-/screenshot-2025-12-14-at-3-00-41-pm.png)](https://bookstack-images.rizzoit.com/uploads/images/gallery/2025-12/screenshot-2025-12-14-at-3-00-41-pm.png) 6. Bonus Question: There is a secret code contained within the news site running on port `5002`; this code also happens to be the password for the deployer user! They should definitely change their password. Can you find it? 1. open `:5002` 2. `DeployMaster2025!` 3. [![Pasted image 20251214150133.png](https://bookstack-images.rizzoit.com/uploads/images/gallery/2025-12/scaled-1680-/pasted-image-20251214150133.png)](https://bookstack-images.rizzoit.com/uploads/images/gallery/2025-12/pasted-image-20251214150133.png) --- ### Lessons Learned - **Docker Socket Exposure is Critical**: Exposing `/var/run/docker.sock` to containers without Enhanced Container Isolation enabled creates a direct pathway for attackers to escape container boundaries and execute arbitrary commands on the host system. Always use Enhanced Container Isolation and apply the principle of least privilege when granting container permissions. - **Container Security Requires Multi-Layered Defense**: This challenge demonstrates that a single misconfiguration (socket access) combined with weak credentials (`DeployMaster2025!`) can lead to complete infrastructure compromise. Effective container security demands careful attention to isolation settings, privilege escalation prevention, secrets management, and regular security audits of running services. --- ### Resources [TryHackMe](tryhackme.com) [Docker Documentation](https://docs.docker.com/) [Docker Security Best Practices](https://docs.docker.com/engine/security/) [Container Escape Techniques](https://www.nginx.com/blog/docker-security-best-practices/)