From c5aeedd5592a9f9536e18e4e052cd1f883c10bc6 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 17 Jul 2025 12:12:26 +0200 Subject: [PATCH] f --- .../release_agent-exploit-relative-paths-to-pids.md | 10 ++++++++++ src/windows-hardening/ntlm/README.md | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md index 810805fbe..6bf2bc3a6 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md 
@@ -84,6 +84,16 @@ echo "Done! Output:" cat ${OUTPUT_PATH} ``` +## Kernel hardening since 2022 (CVE-2022-0492) + +From Linux 5.10.93/5.15.17/5.16.2 onward the kernel **requires `CAP_SYS_ADMIN` in the _initial_ user-namespace to write `release_agent`**. A *privileged* container still has that capability, so this relative-path variant remains exploitable. *Unprivileged* containers on patched kernels, however, will not bypass the new check. + +## Limitations on modern hosts (2025) + +* **cgroup-v2** (the default in Fedora 40, Ubuntu 24.10 and most systemd-256+ distros) **removed the whole `release_agent` interface** – the technique simply does not exist there. +* On hybrid systems (`cgroup_no_v1="memory"` etc.) the memory controller may reside in v1 while others are in v2; if the memory hierarchy is v2 **the exploit must mount some other v1 controller** (e.g. `rdma`) to work. +* Mandatory Access Control profiles (AppArmor/SELinux) that disallow `mount` or make `/sys/fs/cgroup/**/release_agent` read-only will block the attack even in privileged containers. + {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md index 0d6841499..18d74cca3 100644 --- a/src/windows-hardening/ntlm/README.md +++ b/src/windows-hardening/ntlm/README.md @@ -290,7 +290,7 @@ The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](htt **Read more detailed guide on how to perform those attacks here:** {{#ref}} -../../generic-methodologies-and-resources/pentesting-network/`spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md` +../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}} ## Parse NTLM challenges from a network capture
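Review bot: In the first hunk's "Kernel hardening since 2022" paragraph, the stable-branch versions (5.10.93/5.15.17/5.16.2) are stated without a source; cite the fix commit or the CVE-2022-0492 advisory so readers can verify which branches carry the check. The same paragraph would be more precise if the condition were stated as the capability check it describes (CAP_SYS_ADMIN in the initial user namespace) rather than the "privileged"/"unprivileged" labels, since a container run under user-namespace remapping lacks that capability whichever flag it was started with. In the "Limitations" list, "removed the whole `release_agent` interface" is misleading: cgroup v2 never had `release_agent` (it is a v1-only file), so "does not provide" fits better, and the distro examples understate how long v2 has been the default (Fedora since 31, Ubuntu since 21.10). The last bullet should qualify "even in privileged containers": Docker's `--privileged` runs the container unconfined unless an AppArmor profile is passed explicitly with `--security-opt`, so the default profile does not apply there and the claim only holds for explicitly attached profiles.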
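Review bot: The second hunk's fix is correct, since the `{{#ref}}` block takes a bare path and the stray backticks around the filename made the link target literal, but it is an unrelated one-line correction bundled with the docs addition in the first file, and the commit subject "f" describes neither change; split it into its own commit or at least give the commit a subject naming both files.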