                      ##         .
                ## ## ##        ==
             ## ## ## ##       ===
         /"""""""""""""""""\___/ ===
    ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ /  ===- ~~~
         \______ X           __/
           \    \         __/
            \____\_______/
          __
     ____/ /__  ___  ____  ________
    / __  / _ \/ _ \/ __ \/ ___/ _ \   ENUMERATE
   / /_/ /  __/  __/ /_/ / (__/  __/  ESCALATE
   \__,_/\___/\___/ .___/\___/\___/  ESCAPE
                 /_/

Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
by stealthcopter

==========================================( Colors )==========================================
[+] Exploit Test ............ Exploitable - Check this out
[+] Basic Test .............. Positive Result
[+] Another Test ............ Error running check
[+] Negative Test ........... No
[+] Multi line test ......... Yes
Command output
spanning multiple lines

Tips will look like this and often contains links with additional info. You can usually
ctrl+click links in modern terminal to open in a browser window
See https://stealthcopter.github.io/deepce

===================================( Enumerating Platform )===================================
[+] Inside Container ........ Yes
[+] Container Platform ...... docker
[+] Container tools ......... None
[+] User .................... root
[+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video
[+] Sudoers ................. No
[+] Docker Executable ....... Not Found
[+] Docker Sock ............. Not Found
[+] Docker Version .......... Version Unknown
==================================( Enumerating Container )===================================
[+] Container ID ............ 5290215251ae
[+] Container Full ID ....... /
[+] Container Name .......... Could not get container name through reverse DNS
[+] Container IP ............ 172.17.0.2
[+] DNS Server(s) ........... 168.63.129.16
[+] Host IP ................. 172.17.0.1
[+] Operating System ........ Linux
[+] Kernel .................. 6.5.0-1021-azure
[+] Arch .................... x86_64
[+] CPU ..................... AMD EPYC 7763 64-Core Processor
[+] Useful tools installed .. Yes
/usr/bin/wget
/usr/bin/nc
/usr/bin/nslookup
/bin/hostname
[+] Dangerous Capabilities .. capsh not installed, listing raw capabilities
libcap2-bin is required but not installed
apk add libcap2-bin

Current capabilities are:
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
> This can be decoded with: "capsh --decode=000001ffffffffff"
[+] SSHD Service ............ No
[+] Privileged Mode ......... Yes

The container appears to be running in privilege mode, we should be able to access the
raw disks and mount the hosts root partition in order to gain code execution.
See https://stealthcopter.github.io/deepce/guides/docker-privileged.md

[+] Alpine Linux Version .... 3.20.0
[+] └── CVE-2019-5021 ....... No
====================================( Enumerating Mounts )====================================
[+] Docker sock mounted ....... No
[+] Other mounts .............. Yes
/home/runner/work/deepce/deepce/deepce.sh /root/deepce.sh rw,relatime - ext4 /dev/root rw,discard,errors=remount-ro
[+] Possible host usernames ... runner
====================================( Interesting Files )=====================================
[+] Interesting environment variables ... No
HOME=/root
HOSTNAME=5290215251ae
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
[+] Any common entrypoint files ......... Yes
-rwxr-xr-x 1 1001 127 38.5K Jun 5 15:23 /root/deepce.sh
[+] Interesting files in root ........... No
[+] Passwords in common files ........... No
[+] Home directories .................... No
[+] Hashes in shadow file ............... No
[+] Searching for app dirs ..............
==================================( Enumerating Containers )==================================

By default containers can communicate with other containers on the same network and the
host machine, this can be used to enumerate further

==============================================================================================