Revisiting Dock Worker

Table of Contents

1. Overview

In June of this year, I was researching and learning more about docker, and at the same time was learning about c2 communication methods. This naturally resulted in me looking for using docker as an impact or communication stager in heavy devops environments. Surprisingly, I didn't find anything and there were no examples in the sub-technique Exfiltration Over Web Service: Exfiltration to Code Repository.

This is when I decided to write Dock Worker, a proof-of-concept exfiltration tool stuffing data into containers and using publicly available docker repos to exfiltrate the data. Then I published a blog at DC864 on the topic.

2. Revisiting Dock Worker

While doing my morning ritual of scrolling through mastodon, The New Oil tooted a Bleeping Computer article on Docker Hub Repositories hide over 1,650 malicious containers, and knew immediately today's blog would looking back at Dock Worker, and what my next steps are to making it a more robust, responsible red teamer tool.

2.1. Core Functionality

An exfiltration tool that uses devop accounts with python and docker. Furthermore, it is a single python script that then uses usually loose docker permisions given to devops accounts, creates a docker client, logins into the registry you are interested in, loads a file with all of the data to be exfiltrated, then pushes that out to the repository.

The single python script is then uses to "unload" the repo and unpack the file from the container.

Note, this was a single script for PoC reasons, but also because it could be used to grab other payloads or tools from docker repos.

2.2. Needed Updates

I'd like to start taking this out of the Proof-of-Concept stage and into a viable exfiltrate tools for red teamers looking to emulate a code or docker repository threat. To do that a number of changes need to be made including but certainly not limited to:

  • Split the code into two scripts that also may be merged
  • Provide better argument support
  • Encrypt the file passed to the dock worker
  • Allow for base docker image to be malleable
  • Add better debugging w/ examples
  • Add better documentation w/ examples, esp. target audience

Date: 2022-11-26

Author: Russell Brinson

Created: 2022-11-26 Sat 11:36

Validate