Portainer Agent Remote Root Shell Exploit

A Simple Python Program that uses Requests Module to add Portainer Agent Environment to Portainer Interface and gets a Remote Root Shell on the Target Device

Requirements

Language Used = Python3
Modules/Packages used:

• sys
• warnings
• socket
• os
• requests
• json
• paramiko
• pathlib
• base64
• optparse
• getpass
• datetime
• optparse
• colorama
• multiprocessing
• time

Install the dependencies:

pip install -r requirements.txt

Setup

Clone the repository with all git modules

git clone --recursive https://github.com/Gill-Singh-A/Portainer-Agent-Remote-Root-Shell-Exploit.git

After installing Docker on your local device, run the following commands

docker pull ubuntu:20.04
docker save ubuntu:20.04 -o ubuntu_image.tar
chmod 666 ubuntu_image.tar

Install Portainer on your Device

docker volume create portainer_data
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:lts

Make a Configuration file portainer_config.json containing details of your Portainer Instance with these details

{
    "scheme": "https",
    "host": "127.0.0.1",
    "port": "9443",
    "username": "admin",
    "password": "password"
}

Open up your Portainer Web UI, setup the password for admin account on first login and then remove the Local Docker Environment

Result

After Successful Exploitation, we can directly ssh to the target device as root user.

Note

Before every run, make sure that there are no environments in your Portainer Instance